禁用JavaWeb应用中URL上包含的jsessionid (转载)
Java Web 应用常有这样的情况：Servlet 容器在 URL 后面追加 ;jsessionid=...（所谓 URL 重写），而且传统的 web.xml 配置似乎无法直接禁用通过 URL 传递 session id。这不只是地址栏难看的问题，而是实际的安全隐患：出现在 URL 里的 session id 会被写进浏览器历史、书签、代理和服务器的访问日志，并通过 Referer 头泄露给第三方站点；更严重的是，攻击者只要诱使受害者点开一个带有自选 jsessionid 的链接，就能完成 session fixation（会话固定）攻击。在 Struts2 中，所有使用了 url 标签的链接，甚至 CSS、JS 这样的静态资源，都会被加上 jsessionid。如何禁用呢？搜索国内的相关文章无功而返，询问过去的架构师也没有做过，只好去找国外的网站，找到了这样一篇文章。
http://randomcoder.com/articles/jsessionid-considered-harmful
思路是加入一个 Filter：如果请求中的 session id 来自 URL，就使对应的 session 失效（这正是针对 session fixation 的防御，而不仅仅是"忽略"它）；同时把 Response 包装一层，让容器的 encodeURL / encodeRedirectURL 原样返回 URL，从而不再向页面输出的链接和重定向追加 jsessionid。
使用时注意两点：一是 Filter 需要映射到 /*（或覆盖所有会输出链接的路径），否则漏掉的路径仍会带上 jsessionid；二是对于禁用了 Cookie 的客户端，URL 中的 session id 被作废后将无法维持会话，这是有意的取舍。另外，Servlet 3.0 及以上的容器已经支持在 web.xml 中通过 &lt;session-config&gt;&lt;tracking-mode&gt;COOKIE&lt;/tracking-mode&gt;&lt;/session-config&gt; 以声明方式达到同样效果，请先确认容器版本再决定采用哪种方案。代码本身不多，下面直接给出，大家拿了用就可以了。
import?javax.servlet.*;
import?javax.servlet.http.HttpServletRequest;
import?javax.servlet.http.HttpServletResponse;
import?javax.servlet.http.HttpServletResponseWrapper;
import?javax.servlet.http.HttpSession;
import?java.io.IOException;
/**
?*?Servlet?filter?which?disables?URL-encoded?session?identifiers.
?*?<p/>
?*?<pre>
?*?Copyright?(c)?2006,?Craig?Condit.?All?rights?reserved.
?*?<p/>
?*?Redistribution?and?use?in?source?and?binary?forms,?with?or?without
?*?modification,?are?permitted?provided?that?the?following?conditions?are?met:
?*?<p/>
?*???*?Redistributions?of?source?code?must?retain?the?above?copyright?notice,
?*?????this?list?of?conditions?and?the?following?disclaimer.
?*???*?Redistributions?in?binary?form?must?reproduce?the?above?copyright?notice,
?*?????this?list?of?conditions?and?the?following?disclaimer?in?the?documentation
?*?????and/or?other?materials?provided?with?the?distribution.
?*?<p/>
?*?THIS?SOFTWARE?IS?PROVIDED?BY?THE?COPYRIGHT?HOLDERS?AND?CONTRIBUTORS?"AS?IS"
?*?AND?ANY?EXPRESS?OR?IMPLIED?WARRANTIES,?INCLUDING,?BUT?NOT?LIMITED?TO,?THE
?*?IMPLIED?WARRANTIES?OF?MERCHANTABILITY?AND?FITNESS?FOR?A?PARTICULAR?PURPOSE
?*?ARE?DISCLAIMED.?IN?NO?EVENT?SHALL?THE?COPYRIGHT?OWNER?OR?CONTRIBUTORS?BE
?*?LIABLE?FOR?ANY?DIRECT,?INDIRECT,?INCIDENTAL,?SPECIAL,?EXEMPLARY,?OR
?*?CONSEQUENTIAL?DAMAGES?(INCLUDING,?BUT?NOT?LIMITED?TO,?PROCUREMENT?OF
?*?SUBSTITUTE?GOODS?OR?SERVICES;?LOSS?OF?USE,?DATA,?OR?PROFITS;?OR?BUSINESS
?*?INTERRUPTION)?HOWEVER?CAUSED?AND?ON?ANY?THEORY?OF?LIABILITY,?WHETHER?IN
?*?CONTRACT,?STRICT?LIABILITY,?OR?TORT?(INCLUDING?NEGLIGENCE?OR?OTHERWISE)
?*?ARISING?IN?ANY?WAY?OUT?OF?THE?USE?OF?THIS?SOFTWARE,?EVEN?IF?ADVISED?OF?THE
?*?POSSIBILITY?OF?SUCH?DAMAGE.
?*?</pre>
?*/
@SuppressWarnings("deprecation")
public?class?DisableUrlSessionFilter?implements?Filter?{
????/**
?????*?Filters?requests?to?disable?URL-based?session?identifiers.
?????*/
????public?void?doFilter(ServletRequest?request,?ServletResponse?response,?FilterChain?chain)?throws?IOException,?ServletException?{
????????//?skip?non-http?requests
????????if?(!(request?instanceof?HttpServletRequest))?{
????????????chain.doFilter(request,?response);
????????????return;
????????}
????????HttpServletRequest?httpRequest?=?(HttpServletRequest)?request;
????????HttpServletResponse?httpResponse?=?(HttpServletResponse)?response;
????????//?clear?session?if?session?id?in?URL
????????if?(httpRequest.isRequestedSessionIdFromURL())?{
????????????HttpSession?session?=?httpRequest.getSession();
????????????if?(session?!=?null)?session.invalidate();
????????}
????????//?wrap?response?to?remove?URL?encoding
????????HttpServletResponseWrapper?wrappedResponse?=?new?HttpServletResponseWrapper(httpResponse)?{
????????????@Override
????????????public?String?encodeRedirectUrl(String?url)?{
????????????????return?url;
????????????}
????????????@Override
????????????public?String?encodeRedirectURL(String?url)?{
????????????????return?url;
????????????}
????????????@Override
????????????public?String?encodeUrl(String?url)?{
????????????????return?url;
????????????}
????????????@Override
????????????public?String?encodeURL(String?url)?{
????????????????return?url;
????????????}
????????};
????????//?process?next?request?in?chain
????????chain.doFilter(request,?wrappedResponse);
????}
????/**
?????*?Unused.
?????*/
????public?void?init(FilterConfig?config)?throws?ServletException?{
????}
????/**
?????*?Unused.
?????*/
????public?void?destroy()?{
????}