WEB安全实战(七)会话标识未更新
序
问题
曲折过程
最终方案
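package com.test.web.common;

import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.shiro.SecurityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Servlet filter that rotates the HTTP session id on a login POST so that a
 * session identifier handed out before authentication is never kept after it
 * (the "session identifier not updated" / session fixation finding this class
 * was written for).
 *
 * <p>The filter does not inspect the request path itself; the web.xml mapping
 * is what scopes it to the login URL. On a {@code POST} that arrives with an
 * existing, non-new session it copies the session attributes aside,
 * invalidates the session, obtains a fresh one (new id) and restores the
 * attributes. Every other request passes through untouched.
 *
 * <p>Session ids are deliberately never written to stdout or to the log: the
 * id is a bearer credential and belongs in no log file. Containers that
 * implement Servlet 3.1+ offer {@code HttpServletRequest#changeSessionId()},
 * which rotates the id without the invalidate/copy round-trip and is the
 * preferred replacement where available.
 */
public class NewSessionFilter implements Filter {

    private static final Logger logger = LoggerFactory.getLogger(NewSessionFilter.class);

    /**
     * Session attribute key used as a marker by {@link #newSession()}.
     * This filter only ever excludes the key when copying attributes into the
     * regenerated session, so the marker never survives a rotation. The value
     * is an opaque key (a class name that does not match this package) and is
     * kept exactly as found.
     */
    public static final String NEW_SESSION_INDICATOR = "com.cacss.sc.web.common.NewSessionFilter";

    /**
     * Marks the current Shiro subject's session with {@link #NEW_SESSION_INDICATOR},
     * creating a session first if the subject has none ({@code getSession(true)}).
     * Nothing in this class reads the marker back; its consumer lives elsewhere.
     */
    public static void newSession() {
        // NOTE(review): Shiro's Session is not an HttpSession under its default
        // web session managers; confirm this cast holds in the deployed setup.
        HttpSession session = (HttpSession) SecurityUtils.getSubject().getSession(true);
        session.setAttribute(NEW_SESSION_INDICATOR, true);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        logger.debug("NewSessionFilter init");
    }

    @Override
    public void destroy() {
        logger.debug("NewSessionFilter destroy");
    }

    /**
     * Rotates the session id on login POSTs (see the class comment) and then
     * always continues the chain.
     *
     * <p>{@code getSession(false)} is used on purpose: a {@code getSession() != null}
     * test can never be false because {@code getSession()} creates a session, so
     * every request through this filter used to allocate one silently. Anything
     * that relied on this filter to create the session on a {@code GET} of the
     * login page must now do so itself.
     *
     * @param request  the incoming request; non-HTTP requests pass straight through
     * @param response the response, handed unchanged down the chain
     * @param chain    the remaining filter chain, invoked exactly once
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            HttpSession session = httpRequest.getSession(false);
            // A session created for this very request cannot carry an id that
            // was fixed before authentication, so isNew() sessions are skipped.
            if (session != null && !session.isNew() && "POST".equals(httpRequest.getMethod())) {
                rotateSession(httpRequest, session);
            }
        }
        chain.doFilter(request, response);
    }

    /**
     * Invalidates {@code session} and moves its attributes into a freshly
     * created session, dropping only {@link #NEW_SESSION_INDICATOR}.
     *
     * <p>Attribute names are snapshotted before any mutation because the
     * Servlet spec gives no guarantee that the enumeration tolerates
     * concurrent removal. {@code invalidate()} throws
     * {@code IllegalStateException} if the session was already invalidated
     * earlier in the request; that is not caught here, as before.
     *
     * @param httpRequest the request whose session is being rotated
     * @param session     the existing, still valid session
     */
    private static void rotateSession(HttpServletRequest httpRequest, HttpSession session) {
        Enumeration<String> keys = session.getAttributeNames();
        List<String> names = Collections.list(keys);
        Map<String, Object> carried = new HashMap<String, Object>();
        for (String name : names) {
            if (!NEW_SESSION_INDICATOR.equals(name)) {
                carried.put(name, session.getAttribute(name));
            }
        }
        session.invalidate();
        HttpSession fresh = httpRequest.getSession(true);
        for (Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        // Log that a rotation happened, never the id itself.
        logger.debug("session id rotated for POST {}", httpRequest.getRequestURI());
    }
}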
然后,在 web.xml 中配置 Filter。
<!-- Session-id rotation on login. The filter does not check the request
     path itself, so this mapping is what restricts it to the login URL;
     widen the url-pattern only if every matched POST should receive a
     fresh session id. The filter-class must name the class as declared in
     the Java source (the listing above declares package com.test.web.common). -->
<filter>
    <filter-name>NewSessionFilter</filter-name>
    <filter-class>com.cacss.sc.web.common.NewSessionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>NewSessionFilter</filter-name>
    <url-pattern>/login</url-pattern>
</filter-mapping>
结束语