关于限制对web页面的访问的问题

zhanggok 2004-01-16 10:59:19
package coreservlets;

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.util.Properties;
import sun.misc.BASE64Decoder;

/** Example of password-protected pages handled directly
* by servlets.
* <P>
* Taken from Core Servlets and JavaServer Pages
* from Prentice Hall and Sun Microsystems Press,
* http://www.coreservlets.com/.
* © 2000 Marty Hall; may be freely used or adapted.
*/

public class ProtectedPage extends HttpServlet {
private Properties passwords;
private String passwordFile;

/** Read the password file from the location specified
* by the passwordFile initialization parameter.
*/

public void init(ServletConfig config)
throws ServletException {
super.init(config);
try {
passwordFile = config.getInitParameter("passwordFile");
passwords = new Properties();
passwords.load(new FileInputStream(passwordFile));
} catch(IOException ioe) {}
}

public void doGet(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
String authorization = request.getHeader("Authorization");
if (authorization == null) {
askForPassword(response);
} else {
String userInfo = authorization.substring(6).trim();

BASE64Decoder decoder = new BASE64Decoder();
String nameAndPassword =
new String(decoder.decodeBuffer(userInfo));
int index = nameAndPassword.indexOf(":");
String user = nameAndPassword.substring(0, index);
String password = nameAndPassword.substring(index+1);
String realPassword = passwords.getProperty(user);
if ((realPassword != null) &&
(realPassword.equals(password))) {
String title = "Welcome to the Protected Page";
out.println(ServletUtilities.headWithTitle(title) +
"<BODY BGCOLOR=\"#FDF5E6\">\n" +
"<H1 ALIGN=CENTER>" + title + "</H1>\n" +
"Congratulations. You have accessed a\n" +userInfo+nameAndPassword.toString()+
"highly proprietary company document.\n" +
"Shred or eat all hardcopies before\n" +
"going to bed tonight.\n" +
"</BODY></HTML>");
} else {
askForPassword(response);
}
}
}

// If no Authorization header was supplied in the request.

private void askForPassword(HttpServletResponse response) {
response.setStatus(response.SC_UNAUTHORIZED); // Ie 401
response.setHeader("WWW-Authenticate",
"BASIC realm=\"privileged-few\"");
}

/** Handle GET and POST identically. */

public void doPost(HttpServletRequest request,
HttpServletResponse response)
throws ServletException, IOException {
doGet(request, response);
}
}

下面是passwords.properties的内容
#Passwords
#Thu Jan 15 14:42:50 CST 2004
bb=bbb
nathan=nathanpw
marty=martypw
lindsay=lindsaypw
下面是web.xml的内容
<servlet>
<servlet-name>
ProtectedPage
</servlet-name>

<servlet-class>
coreservlets.ProtectedPage
</servlet-class>

<init-param>
<param-name>
passwordFile
</param-name>
<param-value>
D:\Apache Tomcat 4.0\webapps\myapp\WEB-INF\classes\passwords.properties
</param-value>
</init-param>

</servlet>
当访问上面的servlet时会弹出一个登陆对话框要求输入用户名和密码.书中说是当访问上面的servle检查是否存在Authorization头如果存在则跳过"basic"对剩余的base64进行解码后生成username:password的字符串.我把字符串显示出来后发现YmI6Ym是未解码前的,bb:bbb是解码后的bb:bbb正好是passwords.properties文件中的内容,这时我就不明白Authorization头是如何和passwords.properties文件相关联的在初始化中只是读取passwords.properties文件,并且输入nathan和nathanpw也可以这就证明Authorization头遍历了passwords.properties这让我更不能理解.response.setStatus(response.SC_UNAUTHORIZED)是不是如果输入错误应弹出一个对话框,但并没有弹出是不是因为浏览器的不同或版本的原因书中用的是netscape .请高手指典.




...全文
105 1 打赏 收藏 转发到动态 举报
写回复
用AI写文章
1 条回复
切换为时间正序
请发表友善的回复…
发表回复
zdnetchina 2004-01-16
  • 打赏
  • 举报
回复
up!

81,090

社区成员

发帖
与我相关
我的任务
社区描述
Java Web 开发
社区管理员
  • Web 开发社区
加入社区
  • 近7日
  • 近30日
  • 至今
社区公告
暂无公告

试试用AI创作助手写篇文章吧