urlrewrite-------解决大型WEB系统URL暴露安全问题

未经过改写的WEB系统的URL可以泄漏工程文件的目录，为了保证WEB系统的安全，免遭黑客的攻击，我们通常要对URL进行重写，目的就是使访问者看不到真实的路径，从而可以减少黑客攻击的可能性，下面给出一个简单的登陆例子,将http://localhost:8080/urlrewrite/login.do改写为http://localhost:8080/urlrewrite/mylogin/

1.首先去CSDN下载频道搜索urlrewrite-2.6.0.jar这个文件，然后将其放在工程目录的WEB-INFO/LIB下。

2.配置web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.5" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee   http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <servlet>
    <servlet-name>action</servlet-name>
    <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
    <init-param>
      <param-name>config</param-name>
      <param-value>/WEB-INF/struts-config.xml</param-value>
    </init-param>
    <init-param>
      <param-name>debug</param-name>
      <param-value>3</param-value>
    </init-param>
    <init-param>
      <param-name>detail</param-name>
      <param-value>3</param-value>
    </init-param>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
  </servlet-mapping>
  <filter>
		<filter-name>UrlRewriteFilter</filter-name>
		<filter-class>
			org.tuckey.web.filters.urlrewrite.UrlRewriteFilter
		</filter-class>
		<init-param>
			<param-name>logLevel</param-name>
			<param-value>WARN</param-value>
		</init-param>
	</filter>
	<filter-mapping>
		<filter-name>UrlRewriteFilter</filter-name>
		<url-pattern>/*</url-pattern>
		<dispatcher>REQUEST</dispatcher>
		<dispatcher>FORWARD</dispatcher>
	</filter-mapping>
  <welcome-file-list>
    <welcome-file>login.jsp</welcome-file>
  </welcome-file-list>
</web-app>

3.编写页面login.jsp.success.jsp以及failure.jsp

login.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core"prefix="c"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<html>
  <body>
    <form action="<c:url value='/login.do'/>" method="post">
    <center> 
    用户名:<input type="text" name="username"/>
    密     码:<input type="password" name="password"/>
    <input type="submit"value="提交"/>
      </center>
    </form>
  </body>
</html>
success.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<html>
  <body>
    success!
  </body>
</html>
failure.jsp
<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<html>
  <body>
    failure!
  </body>
</html>

4.编写action处理类及其配置struts-config.properties

LoginAction.java
package com.zxc.struts.action;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
public class LoginAction extends Action {
	public ActionForward execute(ActionMapping mapping, ActionForm form,
			HttpServletRequest request, HttpServletResponse response) {
		// TODO Auto-generated method stub
		String username=request.getParameter("username")==null?"":request.getParameter("username");
		String password=request.getParameter("password")==null?"":request.getParameter("password");
		if(username.equals("java")&&password.equals("java"))
			return mapping.findForward("success");
		else
			return mapping.findForward("failure");
	}
}
struts-config.properties
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts-config PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 1.3//EN" "http://struts.apache.org/dtds/struts-config_1_3.dtd">
<struts-config>
  <form-beans />
  <global-exceptions />
  <global-forwards />
  <action-mappings >
    <action
      path="/login"
      type="com.zxc.struts.action.LoginAction"
      cancellable="true" >
      <forward name="success" path="/success.jsp"/>
      <forward name="failure" path="/failure.jsp"/>
      </action>
  </action-mappings>
  <message-resources parameter="com.zxc.struts.ApplicationResources" />
</struts-config>

5.配置urlrewrite.xml文件，注意将其放到与web.xml同级目录中，并且配置的时候正向和逆向都得配置

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE urlrewrite PUBLIC "-//tuckey.org//DTD UrlRewrite 2.6//EN"
        "http://tuckey.org/res/dtds/urlrewrite2.6.dtd">
	<!--
		Configuration file for UrlRewriteFilter http://tuckey.org/urlrewrite/
	-->
<urlrewrite>
	<!-- 正向 -->
	<rule>
		<note>
			Login
        </note>
		<from>^/mylogin[/]?$</from>
		<to>/login.do</to>
	</rule>
	<!-- 逆向 -->
	<!-- Copy of invoice order -->
	<outbound-rule>
		<note>Login</note>
		<from>/login.do</from>
		<to>/mylogin/</to>
	</outbound-rule>
</urlrewrite>

6.运行结果

输入用户名和密码之后，你会发现浏览器的地址变成了http://localhost:8080/urlrewrite/mylogin/