appscan问题修改

1.会话标识未更新：登录页面加入以下代码 

request.getSession(true).invalidate();//清空session
Cookie cookie = request.getCookies()[0];//获取cookie
cookie.setMaxAge(0);//让cookie过期

不是很明白session的机制，高手路过可以指教一下。 
2.跨站点请求伪造： 
在出错的url加参数sessionid。 

response.getWriter().write( "<script>parent.location.href='dbase/admin/loginJsp.action?sessionId="+sessionId+"'</script>");

如果带参数报ssl错误，使用下面的post方式传值： 

response.getWriter().write(
                "<script language=\"javascript\"> " +
                "document.write(\"<form action=dbase/admin/loginJsp.action method=post name=formx1 style='display:none'>\");" +
                "document.write(\"<input type=hidden name=name value='"+sessionId+"'\");" +
                "document.write(\"</form>\");" +
                "document.formx1.submit();" +
                "</script>"
                );

3.启用不安全HTTP方法 

修改web工程中或者服务器web.xml,增加安全配置信息，禁用不必要HTTP方法
  <security-constraint>
   <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
      <http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
   </web-resource-collection>
   <auth-constraint>
   </auth-constraint>
 </security-constraint>
 <login-config>
   <auth-method>BASIC</auth-method>
 </login-config>

4.已解密登录请求 
配置SSL，具体见http://serisboy.iteye.com/admin/blogs/1320231 
在web.xml加入如下配置。 

<security-constraint>
       <web-resource-collection >
              <web-resource-name >SSL</web-resource-name>
              <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transportguarantee>
       </user-data-constraint>
</security-constraint>

5.高速缓存的ssl页面 

页面
<meta http-equiv="Pragma" contect="no-cache">

 

java代码
response.setHeader("Pragma", "No-cache");

6.目录列表 
配置文件目标拒绝访问。 
在conf/web.xml下: 

<servlet>
<servlet-name> default </servlet-name>
<servlet-class> org.apache.catalina.servlets.DefaultServlet </servlet-class>
<init-param>
<param-name> debug </param-name>
<param-value> 0 </param-value>
</init-param>
<init-param>
<param-name> listings </param-name>
<param-value> false </param-value>
</init-param>
<load-on-startup> 1 </load-on-startup>
</servlet>

把listings对应的value设置为fasle. 
或者把上面的这个servlet加到你的虚拟路径下的web-inf/web.xml   中,把 
servlet-name改为其它的,再加一下servlet-mapping 

<servlet>
<servlet-name> default1 </servlet-name>
<servlet-class> org.apache.catalina.servlets.DefaultServlet </servlet-class>
<init-param>
<param-name> debug </param-name>
<param-value> 0 </param-value>
</init-param>
<init-param>
<param-name> listings </param-name>
<param-value> false </param-value>
</init-param>
<load-on-startup> 1 </load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name> default1 </servlet-name>
        <url-pattern> / </url-pattern>
<servlet-mapping>