Spring MVC HandlerInterceptor hack

Paradigm

I have to publish results on our website, and they must become visible at a specific time. So I wrote a Spring interceptor that does not let requests through before the specified time. I also keep a log of requests that successfully reached the result.

Everything works fine for me, except that some requests were logged before that time. This means someone managed to bypass the interceptor and could see the result before the time.

Can someone tell me how the intruder could see the result before the time? I am using Spring MVC and Spring JDBC in my application.

Interceptor:

import java.util.Calendar;
import java.util.Date;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

public class ResultTimeCheckerInterceptor extends HandlerInterceptorAdapter {
    // Injected from application.properties via the CustomDateEditorRegistrar bean
    private Date resultPublishTime;

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {

        // Server-side clock; compared against the configured publish time
        Calendar cal = Calendar.getInstance();
        long currentTime = cal.getTimeInMillis();

        if (currentTime < resultPublishTime.getTime()) {
            // Too early: forward to the "not published" view and stop the handler chain
            request.getRequestDispatcher("resultNotPublished").forward(request, response);
            return false;
        } else {
            // Publish time reached: let the request continue to the controller
            return true;
        }

    }

    public Date getResultPublishTime() {
        return resultPublishTime;
    }

    public void setResultPublishTime(Date resultPublishTime) {
        this.resultPublishTime = resultPublishTime;
    }
}

Servlet-context.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

    <!-- DispatcherServlet Context: defines this servlet's request-processing 
        infrastructure --> 

    <!-- Enables the Spring MVC @Controller programming model -->
    <annotation-driven />


    <!-- Handles HTTP GET requests for /resources/** by efficiently serving 
        up static resources in the ${webappRoot}/resources directory -->
    <resources mapping="/resources/**" location="/resources/" />

    <!-- Resolves views selected for rendering by @Controllers to .jsp resources 
        in the /WEB-INF/views directory -->
    <beans:bean
        class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <beans:property name="prefix" value="/WEB-INF/views/" />
        <beans:property name="suffix" value=".jsp" />
    </beans:bean>

    <context:component-scan base-package="result" />


    <beans:bean class="org.springframework.beans.factory.config.CustomEditorConfigurer">
        <beans:property name="propertyEditorRegistrars">
            <beans:list>
                <beans:bean class="result.propertyeditor.CustomDateEditorRegistrar" /> 
            </beans:list>
        </beans:property>
    </beans:bean>

    <interceptors>
        <interceptor>
            <mapping path="/" />
            <mapping path="/result" />
            <beans:bean
                class="result.intrceptor.ResultTimeCheckerInterceptor">
                <beans:property name="resultPublishTime" value="${result.publishTime}" />
            </beans:bean>
        </interceptor>
    </interceptors>
    <context:property-placeholder  location="classpath:property/application.properties" />
</beans:beans>
Ralph

Try this:

  • http://localhost:8080/yourApplication/result - should be "blocked"
  • http://localhost:8080/yourApplication/result.html - should be "blocked", but maybe isn't
  • http://localhost:8080/yourApplication/result/ - ? depends on you
  • http://localhost:8080/yourApplication/result/x - ? also depends on you
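The point behind Ralph's list is that the interceptor mapping and the controller mapping are matched differently. The `<mapping path="/result" />` pattern is matched literally against the request path, while the controller mapped at `/result` (in Spring MVC versions before 5.3, with the defaults the question's XML uses) is also matched for `/result.html` because of suffix pattern matching and for `/result/` because of trailing-slash matching. So those URLs reach the controller without the interceptor ever running. The following Java configuration is an added example, not the question's code or Spring's own: it turns off both matching extensions so the interceptor and the controller see the same URL, maps the interceptor with Ant patterns that also cover `/result/...`, and logs the exact URI of every blocked attempt so a mismatch shows up in the log. It assumes Spring Framework 5.3 on a `javax.servlet` container, and the publish time is a placeholder constant; the `resultNotPublished.jsp` view path follows the view resolver prefix in the question's `servlet-context.xml`.

```java
// Added example (not the question's or Spring's own code). Assumes Spring
// Framework 5.3 on a javax.servlet container; the publish time is a placeholder.
import java.time.Clock;
import java.time.Instant;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
@EnableWebMvc
public class ResultWebConfig implements WebMvcConfigurer {

    // Placeholder publish time; in a real deployment inject it from
    // application.properties (e.g. as an ISO-8601 instant), as the question does.
    private static final Instant RESULT_PUBLISH_TIME = Instant.parse("2030-01-01T09:00:00Z");

    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        // With the pre-5.3 defaults "/result.html" and "/result/" reach the controller
        // mapped at "/result", while an interceptor mapped only at "/result" never runs.
        // Turning both off makes the URL the interceptor sees the URL the controller
        // is matched on.
        configurer.setUseSuffixPatternMatch(false);
        configurer.setUseTrailingSlashMatch(false);
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new ResultTimeCheckerInterceptor(Clock.systemUTC(), RESULT_PUBLISH_TIME))
                // Ant-style patterns: "/result/**" also covers "/result/" and "/result/x"
                .addPathPatterns("/", "/result", "/result/**")
                .excludePathPatterns("/resources/**");
    }

    /** Same check as the question's interceptor, with an injectable clock and blocked-attempt logging. */
    static final class ResultTimeCheckerInterceptor implements HandlerInterceptor {
        private static final Logger LOG = Logger.getLogger(ResultTimeCheckerInterceptor.class.getName());
        private final Clock clock;
        private final Instant publishTime;

        ResultTimeCheckerInterceptor(Clock clock, Instant publishTime) {
            this.clock = clock;
            this.publishTime = publishTime;
        }

        /** Returns true when the result may be served at the given instant. */
        boolean isPublished(Instant now) {
            return !now.isBefore(publishTime);
        }

        @Override
        public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
                throws Exception {
            if (isPublished(clock.instant())) {
                return true;
            }
            // Log the exact request URI: if a URL variant ever reaches the controller
            // without appearing here, the mapping is what needs fixing.
            LOG.warning("Result requested before publish time: " + request.getRequestURI()
                    + " from " + request.getRemoteAddr());
            // Forward straight to the JSP under /WEB-INF so the blocked request is not
            // dispatched through the handler mappings a second time.
            request.getRequestDispatcher("/WEB-INF/views/resultNotPublished.jsp").forward(request, response);
            return false;
        }
    }
}
```

A path-based interceptor is only as good as the match between its patterns and the controller's. As a second line of defence, repeat the `isPublished` check inside the result controller (or in the service that reads the results) so that any future mapping that exposes the data is still gated by the same clock, and compare the interceptor's log against the access log after the publish time to confirm nothing reached the controller unlogged.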
