验证码

为防止暴力登录而采用的随机验证码在很多网站的登录上经常见到，我这里用Struts+Servlet简单实现登录验证码，贴出来与大家一起交流。
原理就是利用在Servlet中产生4个数字与字母随机组合的验证码，存放到request的Session中，当用户加载登录页面的同时，发送一个请求给Servlet产生随机的验证码，并在登录页面以图片的形式展示在用户面前，当用户填完登录信息提交时，由Struts的Action从用户的请求中获得用户在界面上输入的验证码，并与session中的验证码进行比对，如果两者不一致则返回到登录界面，并刷新验证码，如果两者一致则继续进行后续的其它验证。当用户在界面看到的验证码不清晰，可以重复单击刷新验证码，直到看到清晰的图片为止，刷新验证码图片是通过页面JavaScript脚本控制的，其实就是重新发送一次请求给Servlet，重新产生随机验证码并更换Session中的旧验证码。
登录页面login.jsp的代码如下：
<%...@ page language="Java" pageEncoding="UTF-8"%>
<%...@ taglib uri="http://jakarta.apache.org/struts/tags-html" prefix="html"%>
<html>
    <head>
        <title>登录页面</title>
        <script type="text/Javascript">
        // 刷新验证码图片
            function refresh(obj){
                obj.src="check";
            }
    </script>
    </head>
    <body>
        <html:form action="/login">
            用户名 : <html:text property="userName" />
            <html:errors property="userName" />
            <br />
            验证码：<input />
                                &nbsp;<img src="check"
                title="看不清？单击换一张图片">
                                &nbsp;<html:errors property="checkCodeErr" /><p/>
            <html:submit value="登录" />
        </html:form>
    </body>
</html>
注意：验证码的图片标签<img>中的src属性值为产生随机验证码的Servlet对应的映射路径，这样只要一打开页面图片就会显示，刷新也是一样。
<html:errors property="checkCodeErr" />用来显示验证出错的提示信息
产生随机验证码的Servlet代码如下，是从张孝祥老师的一本书中参考略做修改得来的，具体哪本书记不起来了。
package org.mfs.utils;
import Java.awt.Color;
import Java.awt.Font;
import Java.awt.Graphics;
import Java.awt.image.BufferedImage;
import Java.io.ByteArrayOutputStream;
import Java.io.IOException;
import Javax.imageio.ImageIO;
import Javax.servlet.ServletException;
import Javax.servlet.ServletOutputStream;
import Javax.servlet.http.HttpServlet;
import Javax.servlet.http.HttpServletRequest;
import Javax.servlet.http.HttpServletResponse;
import Javax.servlet.http.HttpSession;
@SuppressWarnings("serial")
public class CheckCodeServlet extends HttpServlet {
    private static int WIDTH=60;
    private static int HEIGHT=20;
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession();   
        response.setContentType("image/jpeg");
        ServletOutputStream sos = response.getOutputStream();
       
        response.setHeader("Pragma", "No-cache");
        response.setHeader("Cache-Control", "no-cache");
        response.setDateHeader("Expires", 0);
       
        BufferedImage image = new BufferedImage(WIDTH,HEIGHT,BufferedImage.TYPE_INT_RGB);
        Graphics g=image.getGraphics();
       
        char[] rands = generateCheckCode();
        drawBackground(g);
        drawRands(g,rands);
        g.dispose();
       
        ByteArrayOutputStream bos= new ByteArrayOutputStream();
        ImageIO.write(image,"JPEG",bos);
        byte[] buf = bos.toByteArray();
        response.setContentLength(buf.length);
        sos.write(buf);
        bos.close();
        sos.close();
        session.setAttribute("check_code", new String(rands));
    }
   
    private void drawBackground(Graphics g) ...{
        g.setColor(new Color(0xDCDCDC));
        g.fillRect(0, 0, WIDTH, HEIGHT);
        for(int i=0;i<120;i++)...{
            int x = (int)(Math.random()*WIDTH);
            int y = (int)(Math.random()*HEIGHT);
            int red = (int)(Math.random()*255);
            int green = (int)(Math.random()*255);
            int blue = (int)(Math.random()*255);
            g.setColor(new Color(red,green,blue));
            g.drawOval(x, y, 1, 0);
        }
    }
    private void drawRands(Graphics g, char[] rands) ...{
        g.setColor(Color.BLACK);
        g.setFont(new Font(null,Font.ITALIC|Font.BOLD,18));
        g.drawString(""+rands[0], 1, 17);
        g.drawString(""+rands[1], 16, 15);
        g.drawString(""+rands[2], 31, 18);
        g.drawString(""+rands[3], 46, 16);
    }
    private char[] generateCheckCode() ...{
        String chars = "0123456789abcdefghijklmnopqrstuvwxyz";
        char[] rands = new char[4];
        for(int i=0;i<4;i++)...{
            int rand = (int)(Math.random()*36);
            rands[i]=chars.charAt(rand);
        }
        return rands;
    }
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException ...{
        this.doGet(request, response);
    }
}
CheckCodeServlet.Java在web.Xml中的映射路径设置:
<servlet>
    <servlet-name>CheckCodeServlet</servlet-name>
    <servlet-class>com..CheckCodeyame.utilsServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>CheckCodeServlet</servlet-name>
    <url-pattern>/check</url-pattern>
</servlet-mapping>
负责处理对比用户输入的验证码与session中验证码的Action代码如下：
package org.mfs.struts.action;
import Javax.servlet.http.HttpServletRequest;
import Javax.servlet.http.HttpServletResponse;
import Javax.servlet.http.HttpSession;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;
public class LoginAction extends Action ...{
   
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) ...{
//        验证随机验证码是否填写正确
        String checkCode=request.getParameter("checkCode");
        HttpSession session = request.getSession();
        if(!checkCode.equals((String)session.getAttribute("check_code")))...{
　　　　// 加入错误提示信息
            ActionMessages errors=new ActionMessages();
            errors.add("checkCodeErr", new ActionMessage("error.checkCodeError"));
            this.addErrors(request, errors);
              // 出错则回到登录界面
            return mapping.findForward("index");
        }else
            return mapping.findForward("success");
    }
}
Struts配置文件：struts-config.Xml
<?Xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts-config PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 1.2//EN" "http://struts.apache.org/dtds/struts-config_1_2.dtd">
<struts-config>
<data-sources />
<form-beans >
    <form-bean type="com.yame.struts.form.LoginForm" />
</form-beans>
<global-exceptions />
<global-forwards />
<action-mappings >
    <action
      attribute="loginForm"
      input="/login.jsp"
     
      path="/login"
      scope="request"
      type="com.yame.struts.action.LoginAction" >
      <forward path="/login.jsp" />
      <forward path="/welcome.jsp" />
    </action>

</action-mappings>
<message-resources parameter="com.yame.struts.ApplicationResources" />
</struts-config>

资源文件ApplicationResources.properties中就一句：
error.checkCodeError＝<font color=red>\u9a8c\u8bc1\u7801\u6709\u8bef!</font>
因为这里主要是为了介绍验证码，没对其它字段进行任何验证，当验证码出错则回到登录界面，并显示错误信息，正确则跳转到welcome.jsp,随便打印一句话。
welcome.jsp:
<%...@ page language="Java" import="Java.util.*" pageEncoding="UTF-8"%>
<%...
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
    <base href="<%=basePath%>">
   
    <title>My JSP 'welcome.jsp' starting page</title>
   
    <meta http-equiv="pragma" content="no-cache">
    <meta http-equiv="cache-control" content="no-cache">
    <meta http-equiv="expires" content="0">   
    <meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
    <meta http-equiv="description" content="This is my page">
    <!--
    <link rel="stylesheet" type="text/css" href="styles.css">
    -->
</head>

<body>
    验证码验证成功！！
</body>
</html>