Java/Servlets/Security — различия между версиями


Password Servlet

/*
Wireless Java 2nd edition 
Jonathan Knudsen
Publisher: Apress
ISBN: 1590590775 
*/
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.bouncycastle.crypto.Digest;
import org.bouncycastle.crypto.digests.SHA1Digest;
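/**
 * Challenge/response login demo: the client sends its user name, a timestamp and
 * a random number, plus a SHA-1 digest over
 * {@code user || timestamp || random || password}. The servlet recomputes the
 * digest with the stored password and compares the two values.
 *
 * <p>Replay protection (rejecting a timestamp that is not newer than the last
 * one seen for the user) is still not implemented, exactly as in the original.
 */
public class PasswordServlet extends HttpServlet {

  /**
   * Handles the login request.
   *
   * @param request  carries the {@code user}, {@code timestamp}, {@code random}
   *                 and {@code digest} parameters; the last three are hex encoded
   * @param response receives a one-line {@code text/plain} verdict
   * @throws ServletException never thrown here; kept for the servlet contract
   * @throws IOException if the response body cannot be written
   */
  @Override
  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Retrieve the user name and the hex-encoded challenge values.
    String user = request.getParameter("user");
    String timestamp = request.getParameter("timestamp");
    String randomNumber = request.getParameter("random");
    String clientDigest = request.getParameter("digest");

    // Debug trace kept from the original listing. It writes the authenticator
    // itself to stdout, so it only belongs in a test setup.
    System.out.println("user = " + user);
    System.out.println("timestamp = " + timestamp);
    System.out.println("random = " + randomNumber);
    System.out.println("digest = " + clientDigest);

    String message;
    if (user == null || timestamp == null || randomNumber == null || clientDigest == null) {
      // A missing parameter used to surface as a NullPointerException (HTTP 500);
      // treat it as an ordinary failed login instead.
      message = "Login was unsuccessful.";
    } else if (verify(user, timestamp, randomNumber, clientDigest)) {
      message = "User " + user + " logged in.";
    } else {
      message = "Login was unsuccessful.";
    }
    // Send a response to the client.
    sendPlainText(response, message);
  }

  /**
   * Recomputes the expected digest for {@code user} and compares it with the
   * digest the client sent.
   *
   * @return {@code true} if the client digest matches the server-side digest
   */
  private boolean verify(String user, String timestamp, String randomNumber,
      String clientDigest) {
    // Look up the password for this user.
    String password = lookupPassword(user);
    if (password == null) {
      return false;
    }

    // Compare the timestamp with the last saved timestamp for this user.
    //   Accept only timestamps that are greater than the last saved one.
    // [not implemented]

    byte[] timestampBytes;
    byte[] randomBytes;
    byte[] clientDigestBytes;
    try {
      timestampBytes = HexCodec.hexToBytes(timestamp);
      randomBytes = HexCodec.hexToBytes(randomNumber);
      clientDigestBytes = HexCodec.hexToBytes(clientDigest);
    } catch (IllegalArgumentException e) {
      // Malformed hex in the request is not a valid login attempt.
      return false;
    }

    // Explicit UTF-8: String.getBytes() without a charset uses the platform
    // default, so the digest would otherwise depend on the server's locale.
    byte[] userBytes = user.getBytes(StandardCharsets.UTF_8);
    byte[] passwordBytes = password.getBytes(StandardCharsets.UTF_8);

    // Digest = SHA1(user || timestamp || random || password), same order as the client.
    Digest digest = new SHA1Digest();
    digest.update(userBytes, 0, userBytes.length);
    digest.update(timestampBytes, 0, timestampBytes.length);
    digest.update(randomBytes, 0, randomBytes.length);
    digest.update(passwordBytes, 0, passwordBytes.length);
    byte[] digestValue = new byte[digest.getDigestSize()];
    digest.doFinal(digestValue, 0);

    // Now compare the digest values.
    return isEqual(digestValue, clientDigestBytes);
  }

  /**
   * Writes {@code message} as the whole response body.
   *
   * <p>The original set Content-Length to the character count, which is wrong
   * for non-ASCII text and ignored the newline that println() appends; the
   * length is now taken from the encoded bytes that are actually written.
   */
  private static void sendPlainText(HttpServletResponse response, String message)
      throws IOException {
    byte[] body = (message + "\n").getBytes(StandardCharsets.UTF_8);
    response.setContentType("text/plain; charset=UTF-8");
    response.setContentLength(body.length);
    response.getOutputStream().write(body);
  }

  /**
   * Returns the password stored for {@code user}, or {@code null} if unknown.
   * Here you could do a real lookup based on the user name (a text file or a
   * database); this demo uses a hardcoded value for every user.
   */
  private String lookupPassword(String user) {
    return "happy8";
  }

  /**
   * Constant-time comparison of two digests. The original byte loop returned at
   * the first mismatch, which leaks how many leading bytes matched through the
   * response time.
   */
  private boolean isEqual(byte[] one, byte[] two) {
    return MessageDigest.isEqual(one, two);
  }
}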
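/** Hex encoding helpers used to carry binary challenge values in request parameters. */
final class HexCodec {
  // The original declared these as String literals inside a char[] initializer,
  // which does not compile; they must be char literals.
  private static final char[] kDigits = {
    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
    'a', 'b', 'c', 'd', 'e', 'f'
  };

  private HexCodec() {
    // static utility; not instantiable
  }

  /**
   * Encodes {@code raw} as lower-case hex, two characters per byte.
   *
   * @param raw bytes to encode; may be empty
   * @return the hex characters, length {@code 2 * raw.length}
   */
  public static char[] bytesToHex(byte[] raw) {
    char[] hex = new char[raw.length * 2];
    for (int i = 0; i < raw.length; i++) {
      // Mask instead of (b + 256) % 256: same 0..255 result, no sign arithmetic.
      int value = raw[i] & 0xff;
      hex[i * 2] = kDigits[value >>> 4];
      hex[i * 2 + 1] = kDigits[value & 0x0f];
    }
    return hex;
  }

  /**
   * Decodes hex characters into bytes. Upper- and lower-case digits are accepted.
   *
   * @param hex hex characters, two per byte
   * @return the decoded bytes
   * @throws IllegalArgumentException if {@code hex} has odd length or contains a
   *         character that is not a hex digit; the original silently produced
   *         garbage for such input, which is the wrong outcome for values that
   *         come straight from the request
   */
  public static byte[] hexToBytes(char[] hex) {
    if (hex.length % 2 != 0) {
      throw new IllegalArgumentException(
          "hex input must have even length, got " + hex.length);
    }
    byte[] raw = new byte[hex.length / 2];
    for (int i = 0; i < raw.length; i++) {
      int high = Character.digit(hex[i * 2], 16);
      int low = Character.digit(hex[i * 2 + 1], 16);
      if (high < 0 || low < 0) {
        throw new IllegalArgumentException("not a hex digit at position " + (i * 2));
      }
      // The narrowing cast already wraps values above 127 into the negative byte range.
      raw[i] = (byte) ((high << 4) | low);
    }
    return raw;
  }

  /** String form of {@link #hexToBytes(char[])}. */
  public static byte[] hexToBytes(String hex) {
    return hexToBytes(hex.toCharArray());
  }
}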





Restrict User IP

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
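/**
 * Refuses requests from one specific client address and greets everyone else
 * with a page showing their address.
 *
 * <p>{@code getRemoteAddr()} is the TCP peer address. Behind a reverse proxy or
 * load balancer every request carries the proxy's address, so a check like this
 * only works where the servlet sees the real client directly.
 */
public class RestrictUserIP extends HttpServlet {

  /** Client address that is denied access. */
  private static final String BLOCKED_ADDRESS = "142.3.28.87";

  /**
   * Sends either an error status or the greeting page.
   *
   * @param req  the request; only its remote address is examined
   * @param resp receives a 403 for the blocked address, the greeting otherwise
   * @throws ServletException never thrown here; kept for the servlet contract
   * @throws IOException if the response cannot be written
   */
  @Override
  public void doGet(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {
    String remoteAddr = req.getRemoteAddr();
    // Constant-first equals() so a null remote address compares false instead of throwing.
    if (BLOCKED_ADDRESS.equals(remoteAddr)) {
      // 403 rather than the original 401: 401 means "authenticate first" and
      // must carry a WWW-Authenticate header, while an address-based refusal
      // is a plain "forbidden". The return is the real fix: the original fell
      // through and kept writing the page into a response sendError had
      // already committed.
      resp.sendError(HttpServletResponse.SC_FORBIDDEN);
      return;
    }
    resp.setContentType("text/html");
    PrintWriter out = resp.getWriter();
    out.println("<HTML>");
    out.println("<BODY>");
    out.println("<H1>");
    out.println("Hello!");
    out.println("<BR>");
    out.println("Your IP Address: " + remoteAddr);
    out.println("</H1>");
    out.println("</body>");
    out.println("</html>");
    // The container closes the writer with the response; closing here is
    // harmless and matches the original.
    out.close();
  }
}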





Test Security

import  java.io.*;
import  java.net.*;
import  javax.servlet.*;
import  javax.servlet.http.*;
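/**
 * Diagnostic servlet that reports what the container's security policy lets
 * servlet code do: it prints the active security manager, class loader and
 * code source, then tries a series of file, network and process operations and
 * records for each whether it was allowed or rejected.
 *
 * <p>The page discloses deployment paths and the probes touch the file system
 * and the network, so this servlet belongs in a test deployment only, or behind
 * an administrative access constraint.
 */
public class TestSecurity extends HttpServlet {
    private static final String h2o = "<H2>";
    private static final String h2c = "</H2>";
    private static final String p = "<p>";

    /** Connect timeout for the outbound probes, so an unreachable host cannot hang the request thread. */
    private static final int CONNECT_TIMEOUT_MS = 3000;

    /**
     * Runs every probe and writes the results as an HTML page.
     *
     * @param req unused; the probes take no input from the request
     * @param res receives the report
     * @throws ServletException never thrown here; kept for the servlet contract
     * @throws IOException if the response writer cannot be obtained
     */
    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        res.setContentType("text/html");
        PrintWriter out = res.getWriter();
        out.println("<HTML>");
        out.println("<HEAD><TITLE>Hello World</TITLE></HEAD>");
        out.println("<BODY>");
        out.println("<BIG>Test Security</BIG>");

        // Same probes, in the same order, as the original inline try/catch blocks.
        probeEnvironment(out);
        probeFileWrite(out, "d:/Java/blah.txt");
        probeFileWrite(out, "d:/Java/TestServlet/blah.txt");
        probeFileRead(out, "c:/Ntdetect.ru");
        probeFileRead(out, "c:/weblogic/weblogic.properties");
        probeConnect(out, "yahoo.ru", 8080);
        probeConnect(out, "hacker.ru", 8080);
        probeListen(out, 37337);
        probeListen(out, 7001);
        probeExec(out, "dir");
        probeExit(out);

        out.println("</BODY></HTML>");
    }

    /** Writes the "allowed" line for the probe that just completed. */
    private static void allowed(PrintWriter out) {
        out.println(" -- allowed -- " + p);
    }

    /** Writes the "rejected" line with the reason the probe failed. */
    private static void rejected(PrintWriter out, Exception e) {
        out.println(" -- rejected -- " + e.getMessage() + p);
    }

    /** Closes {@code c} if non-null; a close failure cannot change a verdict that is already written. */
    private static void closeQuietly(Closeable c) {
        if (c == null) {
            return;
        }
        try {
            c.close();
        } catch (IOException ignored) {
            // The probe result has already been reported; nothing useful remains to do.
        }
    }

    /** Reports the security manager, class loader and code source of this servlet. */
    private void probeEnvironment(PrintWriter out) {
        out.println(h2o + "Information..." + h2c);
        try {
            // The original called getSecurityManager() unqualified, which does not
            // resolve inside a servlet; it is the static System method, and it
            // returns null when no security manager is installed.
            SecurityManager sm = System.getSecurityManager();
            out.println("  Security Manager: "
                    + (sm == null ? "none" : sm.getClass().getName()) + p);
            out.println("  ClassLoader: " + this.getClass().getClassLoader() + p);
            // getCodeSource() may be null for some loaders; the original would NPE
            // and misreport that as "rejected".
            java.security.CodeSource cs = this.getClass().getProtectionDomain().getCodeSource();
            out.println("  CodeSource: " + (cs == null ? "none" : cs.getLocation()) + p);
            allowed(out);
        } catch (Exception e) {
            rejected(out, e);
        }
    }

    /** Tries to create and write a small file at {@code path}. */
    private static void probeFileWrite(PrintWriter out, String path) {
        out.println(h2o + "Attempting file write to " + path + "..." + h2c);
        FileWriter fw = null;
        try {
            fw = new FileWriter(new File(path));
            fw.write("test\n");
            allowed(out);
        } catch (Exception e) {
            rejected(out, e);
        } finally {
            closeQuietly(fw); // the original leaked the writer whenever write() threw
        }
    }

    /** Tries to open {@code path} and read one character from it. */
    private static void probeFileRead(PrintWriter out, String path) {
        out.println(h2o + "Attempting file read to " + path + "..." + h2c);
        FileReader fr = null;
        try {
            fr = new FileReader(new File(path));
            fr.read();
            allowed(out);
        } catch (Exception e) {
            rejected(out, e);
        } finally {
            closeQuietly(fr); // the original never closed the reader
        }
    }

    /** Tries to open an outbound TCP connection to {@code host}:{@code port}. */
    private static void probeConnect(PrintWriter out, String host, int port) {
        out.println(h2o + "Attempting to connect to " + host + "..." + h2c);
        Socket s = new Socket();
        try {
            // Bounded connect: new Socket(host, port) has no timeout, so an
            // unreachable host would block the request thread for minutes.
            s.connect(new InetSocketAddress(host, port), CONNECT_TIMEOUT_MS);
            allowed(out);
        } catch (Exception e) {
            rejected(out, e);
        } finally {
            closeQuietly(s); // the original left the connection open
        }
    }

    /** Tries to bind a listening socket on {@code port}. */
    private static void probeListen(PrintWriter out, int port) {
        out.println(h2o + "Attempting to listen on port " + port + "..." + h2c);
        ServerSocket s = null;
        try {
            // Binding is what the permission check covers. The original also
            // called accept(), which blocked the request forever whenever the bind
            // succeeded and left the port held open.
            s = new ServerSocket(port);
            allowed(out);
        } catch (Exception e) {
            rejected(out, e);
        } finally {
            closeQuietly(s);
        }
    }

    /** Tries to start {@code command} as a child process. */
    private static void probeExec(PrintWriter out, String command) {
        out.println(h2o + "Attempting exec..." + h2c);
        try {
            // ProcessBuilder with an explicit argument list instead of
            // Runtime.exec(String), which re-tokenises its argument on whitespace.
            Process child = new ProcessBuilder(command).start();
            // Only whether spawning was permitted matters; do not leave the child running.
            child.destroy();
            allowed(out);
        } catch (Exception e) {
            rejected(out, e);
        }
    }

    /** Asks the security manager whether System.exit would be permitted, without exiting. */
    private static void probeExit(PrintWriter out) {
        out.println(h2o + "Attempting system exit..." + h2c);
        try {
            // The original printed "allowed" without testing anything, since an
            // actual System.exit would take the whole container down. checkExit
            // performs the same permission check and throws SecurityException
            // when exit is denied.
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkExit(0);
            }
            allowed(out);
        } catch (Exception e) {
            rejected(out, e);
        }
    }
}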