当用户在浏览器中点击“后退”再点击“前进”时,Java 如何强制用户重新输入用户名和密码?
考虑以下事件(银行登录): 这里发生的是:当用户在浏览器中点击“后退”再点击“前进”时,Java 如何强制用户重新输入用户名和密码?,java,security,jsp,session,web-applications,Java,Security,Jsp,Session,Web Applications,考虑以下事件(银行登录): 这里发生的是: - user logs in - reaches a new page - hits back - hits forward - reaches the same page 当用户点击“前进”并回到他来自的旧页面时,我如何让用户重新输入用户名和密码?是否可以完全禁用后退/前进选项?下面是一些代码: 登录JSP: <!-- Bank Application in JAVA --> <!-- Updates : the DB
- user logs in
- reaches a new page
- hits back
- hits forward
- reaches the same page
<!-- Bank Application in JAVA -->
<!-- Updates : the DB now is using Hibernate for the SQL queries -->
<!-- 2014 version updates -->
<!-- NOTE(review): the page body below is plain ASCII; windows-1256 is a legacy charset, UTF-8 would serve it identically -->
<%@ page language="java" contentType="text/html; charset=windows-1256" pageEncoding="windows-1256" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Bank application</title>
<link rel="stylesheet" type="text/css" href="./css/styles.css"/>
</head>
<body>
<!-- page banner -->
<table class="title">
<tr><th>Web Bank application</th></tr>
</table>
<br/>
<!-- JS Code to make sure that the user MUST enter something in the login page -->
<script>
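// Client-side convenience check: refuses to submit the login form when either
// field is blank so the user gets immediate feedback. It is trivially bypassed,
// so the servlet behind the form must validate the fields itself.
// Parameters: form (optional) - the <form> element being submitted; the onsubmit
//   handler passes `this`. When omitted, falls back to document.forms["loginForm"].
// Returns: true to let the browser submit, false to cancel the submission.
function verifyEmptyString(form)
{
    var loginForm = form || document.forms["loginForm"];
    var username = loginForm["username"].value;
    var password = loginForm["password"].value;
    // .value is always a string, so "falsy" covers both '' and a missing value
    if (!username || !password)
    {
        alert("Both Username and Password are required !");
        return false;
    }
    return true;
}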
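</script>
<fieldset>
<legend>Login Page - please enter your Username and Password</legend>
<!-- The onsubmit handler and the "required" attributes only help the user;
     the servlet behind action="loginPage" must validate both fields itself. -->
<form onsubmit="return verifyEmptyString(this)" id="loginForm" action="loginPage" method="post" >
<!-- note we use here a paragraph & font size -->
<!-- "required" makes the browser refuse to submit an empty field (an HTML5
     attribute; browsers honour it regardless of the HTML 4.01 doctype above) -->
<p style="font-size:15px"> <span style="color:red;font-weight:bold;">*</span> Username: <input type="text" name="username" required><br> </p>
<p style="font-size:15px"><span style="color:red;font-weight:bold;">*</span> Password : <input type="password" name="password" required><br> </p>
<input type="submit" value="Login">
</form>
</fieldset>
<br/>
<br/>
<br/>
<br/>
<br/><br/><br/><br/><br/><br/>
</body></html>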
定义页面的流程,如果用户不遵循流程,则销毁会话。您可以在每个导航或表单提交发布到下一页的位置执行此操作,例如:
由于每个导航操作都是一个 POST 请求,浏览器在历史导航(例如点击“后退”按钮)时会要求用户重新提交数据。如果您收到一个已经使用过的令牌值,就知道用户没有遵循您预设的流程,可以要求他们重新登录。当用户点击“后退”按钮时是否要关闭会话?页面通常会显示“是否确实要注销?您的会话将过期”之类的消息。这实际上是一个很难解决的问题。请应用一个全局的 HTTP 响应筛选器(no-cache 且 must-revalidate),并创建页面流。如果用户在无人参与的情况下执行了某些操作,请保留相关数据,使会话无效并关闭会话。这应该是可行的,因为 JSF 中正是这样做的。在我的回答中还需要进一步的信息吗?@SilverlightFox:不,我很好。谢谢(已采纳)。
package controller;
import java.io.IOException;
import java.sql.SQLException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import model.Person;
import db.Database;
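/**
 * Handles the login form of the bank application ({@code POST /loginPage}).
 *
 * <p>On the first login attempt of a session (no {@code loginFlag} attribute yet)
 * the demo database is reset and seeded with a few people and accounts. The
 * submitted username and password are then checked against the database and the
 * user is forwarded to the page matching his role (client, manager, administrator
 * or employee), or to the login-failed page. A successful login replaces the
 * session with a fresh one carrying the same attributes, so a session id that was
 * issued before authentication cannot be reused afterwards (session fixation).
 *
 * @author Administrator
 */
@WebServlet("/loginPage") // this is the name of the servlet
public class LoginPage extends HttpServlet {
    private static final String EMPLOYEE = "Employee";
    private static final String CLIENT = "Client";
    private static final String MANAGER = "Manager";
    private static final String ADMIN = "Administrator";
    private static final long serialVersionUID = 1L;

    /** Session attribute that marks a session as having completed a login. */
    private static final String LOGIN_FLAG = "loginFlag";
    /** Session attribute holding the authenticated {@link Person}. */
    private static final String PERSON_ATTRIBUTE = "name";
    /** Page shown when the credentials do not match a registered person. */
    private static final String LOGIN_FAILED_PAGE = "/WEB-INF/results/login-failed.jsp";
    /** Role-specific landing page, keyed by the value of {@link Person#getStatus()}. */
    private static final Map<String, String> HOME_PAGE_BY_STATUS;

    static {
        Map<String, String> pages = new HashMap<String, String>();
        pages.put(CLIENT, "/WEB-INF/results/client/clientPage.jsp");
        pages.put(MANAGER, "/WEB-INF/results/manager/managerPage.jsp");
        pages.put(ADMIN, "/WEB-INF/results/admin/adminPage.jsp");
        pages.put(EMPLOYEE, "/WEB-INF/results/employee/employeePage.jsp");
        HOME_PAGE_BY_STATUS = Collections.unmodifiableMap(pages);
    }

    /**
     * Processes one login attempt.
     *
     * @param request  carries the {@code username} and {@code password} form fields
     * @param response used to forward to the role page or to the login-failed page
     * @throws ServletException if the database cannot be opened, seeded or queried
     * @throws IOException      if the forward fails
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException
    {
        HttpSession session = request.getSession();
        // NOTE(review): locking on the session object only serialises requests if the
        // container hands back the same object every time — confirm for the container in use.
        synchronized (session)
        {
            // No loginFlag means this session has never completed a login.
            boolean firstRun = session.getAttribute(LOGIN_FLAG) == null;
            Database database = openDatabase();
            prepareDatabase(database, firstRun);

            Person personDb = authenticate(database,
                    request.getParameter("username"), request.getParameter("password"));
            if (personDb == null)
            {
                // Same effect as the former setAttribute("name", null): drop any stale person.
                session.removeAttribute(PERSON_ATTRIBUTE);
                forward(request, response, LOGIN_FAILED_PAGE);
                return;
            }

            String homePage = HOME_PAGE_BY_STATUS.get(personDb.getStatus());
            if (homePage == null)
            {
                // A person whose role has no page must not end up marked as logged in
                // (previously this fell through and produced an empty response).
                session.removeAttribute(PERSON_ATTRIBUTE);
                forward(request, response, LOGIN_FAILED_PAGE);
                return;
            }

            // Credentials verified: issue a new session id before storing the login state.
            HttpSession authenticated = renewSession(request, session);
            authenticated.setAttribute(PERSON_ATTRIBUTE, personDb);
            authenticated.setAttribute(LOGIN_FLAG, "turndOn");
            if (MANAGER.equals(personDb.getStatus()))
            {
                authenticated.setAttribute("managerLogin", "turnOn");
            }
            forward(request, response, homePage);
        }
    }

    /**
     * Opens the bank database.
     *
     * @throws ServletException if the database driver class cannot be loaded
     *         (previously only printed, after which a null database was dereferenced)
     */
    private static Database openDatabase() throws ServletException
    {
        try
        {
            return new Database(); // creating a database
        }
        catch (ClassNotFoundException e)
        {
            throw new ServletException("Bank database driver is not available", e);
        }
    }

    /**
     * Creates the schema and, on the first login attempt of a session, seeds the demo data.
     *
     * <p>NOTE(review): with {@code firstRun} the previous database is deleted — this
     * happens for every new session's first POST. Inherited demo behaviour, kept as is;
     * confirm it is intended anywhere but a demo.
     *
     * @param database the open database
     * @param firstRun true when the session has no {@code loginFlag} yet
     * @throws ServletException if one of the seed persons could not be added
     */
    private static void prepareDatabase(Database database, boolean firstRun) throws ServletException
    {
        if (firstRun)
        {
            database.deleteDatabase(); // delete previous database
        }
        database.createDatabaseAndTables(); // create the tables of the database
        if (!firstRun)
        {
            return;
        }
        // add employees and clients of the bank, then a manager; every insert is
        // attempted and any failure is reported (the original only checked the last one)
        boolean allAdded = true;
        allAdded &= database.addNewPerson("Johnny", "Cordel", "South-Africa", "22421", "cole", "cole", CLIENT);
        allAdded &= database.addNewPerson("Jason", "Bourne", "Australia", "32323", "jason", "jason", EMPLOYEE);
        allAdded &= database.addNewPerson("Jacky", "Chan", "Japan", "29489324", "jake", "jake", MANAGER);
        if (!allAdded)
        {
            throw new ServletException("Seeding the bank database failed: a person was not added");
        }
        // add an initial account to the bank
        // _accountNumber , _currentState , _holderIdnumber
        database.openNewAccount("0123", 120, "87534");
        database.openNewAccount("0123", 120, "12345");
        database.openNewAccount("001234", -210, "22421");
        database.openNewAccount("00212", -4343, "32323");
    }

    /**
     * Looks up the person registered with the submitted credentials.
     *
     * @param database the open database
     * @param username value of the username field, may be null
     * @param password value of the password field, may be null
     * @return the matching person, or {@code null} when a field is missing or empty
     *         or no registered person matches
     * @throws ServletException if the query fails — a database outage is reported as
     *         an error instead of being shown to the user as wrong credentials
     */
    private static Person authenticate(Database database, String username, String password)
            throws ServletException
    {
        // Empty fields are rejected here as well: the JSP-side check is not trustworthy.
        if (username == null || username.isEmpty() || password == null || password.isEmpty())
        {
            return null;
        }
        try
        {
            // NOTE(review): how Database stores and compares the password is not visible
            // here — confirm it compares a salted hash rather than the plain text.
            return database.verifyRegisteredPerson(username, password);
        }
        catch (SQLException e)
        {
            throw new ServletException("Could not verify the login of user " + username, e);
        }
    }

    /**
     * Replaces {@code current} with a brand-new session carrying the same attributes,
     * so that the id handed out before authentication stops being valid.
     *
     * @param request the current request, used to create the new session
     * @param current the pre-authentication session; invalidated by this call
     * @return the new session
     */
    private static HttpSession renewSession(HttpServletRequest request, HttpSession current)
    {
        Map<String, Object> kept = new HashMap<String, Object>();
        Enumeration<String> names = current.getAttributeNames();
        while (names.hasMoreElements())
        {
            String name = names.nextElement();
            kept.put(name, current.getAttribute(name));
        }
        current.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : kept.entrySet())
        {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }

    /**
     * Forwards the request to a server-side page under WEB-INF.
     *
     * @param path context-relative path of the JSP
     * @throws ServletException if the target page fails
     * @throws IOException      if writing the response fails
     */
    private static void forward(HttpServletRequest request, HttpServletResponse response, String path)
            throws ServletException, IOException
    {
        RequestDispatcher dispatcher = request.getRequestDispatcher(path);
        dispatcher.forward(request, response);
    }
}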
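<!-- Illustrative page-flow form: every navigation is a POST carrying the intended
     action and a one-time token; the handler rejects a token it has already seen.
     A URL is not a valid "method" and "action"/"token" are not input types, so the
     original form would have submitted nothing usable. The value qwerty1234 is a
     placeholder only: a real token must be unpredictable and single-use, e.g.
     generated with SecureRandom and remembered in the session. -->
<form method="post" action="https://www.example.com/requestHandler">
<input type="hidden" name="action" value="navigateToLoginForm" />
<input type="hidden" name="token" value="qwerty1234" />
</form>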