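I have to publish some results on our website, and they are to be released at a specific time. So I wrote a Spring interceptor that does not let requests through before the specified time. I am also successfully keeping a log of result requests.
Everything works fine, except that some requests are logged before the publish time. That means someone managed to bypass the interceptor and could see the results before the time.
Can anyone tell me how an intruder could see the results before the time? I am using Spring MVC and Spring JDBC in my application.
Interceptor -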
    import java.util.Calendar;
    import java.util.Date;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.stereotype.Component;
    import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

    public class ResultTimeCheckerInterceptor extends HandlerInterceptorAdapter {

        // Injected from ${result.publishTime} in the servlet context XML.
        private Date resultPublishTime;

        @Override
        public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
            Calendar cal = Calendar.getInstance();
            long currentTime = cal.getTimeInMillis();
            if (currentTime < resultPublishTime.getTime()) {
                // Before the publish time: show the "not published" page and stop the handler chain.
                request.getRequestDispatcher("resultNotPublished").forward(request, response);
                return false;
            } else {
                return true;
            }
        }

        public Date getResultPublishTime() {
            return resultPublishTime;
        }

        public void setResultPublishTime(Date resultPublishTime) {
            this.resultPublishTime = resultPublishTime;
        }
    }
In the servlet's context.xml:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/mvc"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:context="http://www.springframework.org/schema/context"
        xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">

        <!-- DispatcherServlet Context: defines this servlet's request-processing
            infrastructure -->

        <!-- Enables the Spring MVC @Controller programming model -->
        <annotation-driven />

        <!-- Handles HTTP GET requests for /resources/** by efficiently serving
            up static resources in the ${webappRoot}/resources directory -->
        <resources mapping="/resources/**" location="/resources/" />

        <!-- Resolves views selected for rendering by @Controllers to .jsp resources
            in the /WEB-INF/views directory -->
        <beans:bean
            class="org.springframework.web.servlet.view.InternalResourceViewResolver">
            <beans:property name="prefix" value="/WEB-INF/views/" />
            <beans:property name="suffix" value=".jsp" />
        </beans:bean>

        <context:component-scan base-package="result" />

        <beans:bean class="org.springframework.beans.factory.config.CustomEditorConfigurer">
            <beans:property name="propertyEditorRegistrars">
                <beans:list>
                    <beans:bean class="result.propertyeditor.CustomDateEditorRegistrar" />
                </beans:list>
            </beans:property>
        </beans:bean>

        <interceptors>
            <interceptor>
                <mapping path="/" />
                <mapping path="/result" />
                <beans:bean
                    class="result.intrceptor.ResultTimeCheckerInterceptor">
                    <beans:property name="resultPublishTime" value="${result.publishTime}" />
                </beans:bean>
            </interceptor>
        </interceptors>

        <context:property-placeholder location="classpath:property/application.properties" />
    </beans:beans>
Answer 0 (score: 0)
Try this:
http://localhost:8080/yourApplication/result - should be "blocked"
http://localhost:8080/yourApplication/result.html - should be "blocked", but maybe is not
http://localhost:8080/yourApplication/result/ - ? depends on you
http://localhost:8080/yourApplication/result/x - ? also depends on you
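
The URL variants listed in the answer can be checked offline; the following is an added example, not part of the original question or answer. Spring MVC compares an interceptor's `<mapping path>` patterns with the request path using an Ant-style path matcher, while older Spring MVC handler mappings by default also route suffix and trailing-slash variants such as `/result.html` and `/result/` to a controller mapped at `/result`. Assumptions: the controller (not shown in the question) is mapped to `/result`, spring-core is on the classpath, and the class name `InterceptorMappingCheck`, the helper `intercepted` and the catch-all pattern `/**` are illustrative.

```java
// Added example (not from the original post). Requires spring-core on the classpath.
import java.util.Arrays;
import java.util.List;
import org.springframework.util.AntPathMatcher;

public class InterceptorMappingCheck {

    // Ant-style matcher of the kind Spring MVC applies to interceptor mappings.
    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** True if any interceptor mapping pattern matches the request path. */
    static boolean intercepted(List<String> patterns, String path) {
        for (String pattern : patterns) {
            if (MATCHER.match(pattern, path)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Patterns taken from the question's <interceptor> element.
        List<String> asPosted = Arrays.asList("/", "/result");
        // Assumed alternative: cover every path so the time check fails closed.
        List<String> catchAll = Arrays.asList("/**");
        // Request paths from the answer, relative to the application context path.
        List<String> paths = Arrays.asList(
                "/", "/result", "/result.html", "/result/", "/result/x");

        // One row per path: is the time check applied under each mapping set?
        for (String path : paths) {
            System.out.printf("%-14s asPosted=%-5b catchAll=%b%n",
                    path, intercepted(asPosted, path), intercepted(catchAll, path));
        }
    }
}
```

A catch-all mapping also covers `/resources/**` and the `resultNotPublished` forward target, so those paths need `<exclude-mapping path="..." />` entries inside the `<interceptor>` element.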