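Is using request.getSession() in a servlet the best way to get data to the servlet?

Time: 2011-03-02 19:28:47

Tags: java servlets httprequest

I was passing parameters to a servlet to generate an Excel spreadsheet. Then I realized that this could be dangerous in some cases, especially if a user could guess the parameters and find information from another company (in my case). I then tried to inject the ViewLines session bean with @Inject, but that didn't seem to work. Then I used the request.getSession() approach after seeing a post from BalusC. This works fine; it just pulls the objects I need out of the session without having to pass them. Is this the best way to do it?

Thanks.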

@WebServlet(value = "/Excel")
public class ExcelServlet extends HttpServlet {

    public static int TIME_STAMP = 1;
    public static int OUNCES = 2;
    public static int REV = 3;
    public static int BENCHMARK = 4;
    public static int WORKBOOK = 0;
    @EJB
    PkgLoadService pkgLoadService;
    @EJB
    PkgLineService pkgLineService;
    private SimpleDateFormat sdf = new SimpleDateFormat("yyMMddHHmmssZ");

    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

        OutputStream out = null;

        try {

            ViewLines viewLines = (ViewLines) request.getSession().getAttribute("viewLines");

            /*Date startDate = sdf.parse(request.getParameter("dateStart"));
            Date endDate = sdf.parse(request.getParameter("dateEnd"));
            PkgLine pkgLine = pkgLineService.find(Integer.parseInt(request.getParameter("pkgLineId")));
             * 
             */

            Date startDate = viewLines.getStartDate();
            Date endDate = viewLines.getEndDate();
            PkgLine pkgLine = viewLines.getSelectedPkgLine();

            response.setContentType("application/vnd.ms-excel");
            response.setHeader("Content-Disposition", "attachment; filename=" + pkgLine.getShortname() + ".xls");

            WritableWorkbook workBook = Workbook.createWorkbook(response.getOutputStream());
            WritableSheet sheet = workBook.createSheet(pkgLine.getShortname(), WORKBOOK);
            WritableCellFormat dateFormat = new WritableCellFormat(DateFormats.FORMAT9);

            WritableCellFormat ouncesOverFormat = new WritableCellFormat();
            ouncesOverFormat.setBackground(Colour.RED);

            setupCellViews(sheet);
            setupColumnLables(sheet);

            List<PkgLoad> pkgLoadList = pkgLoadService.findBetweenDates(pkgLine, startDate, endDate);

            int row = 1;

            for (PkgLoad pkgLoad : pkgLoadList) {

                sheet.addCell(new Number(0, row, row));
                sheet.addCell(new DateTime(TIME_STAMP, row, pkgLoad.getTimeStamp(), dateFormat));

                if (pkgLoad.getOunces() > pkgLoad.getWrapSpecId().getBenchmark()) {
                    sheet.addCell(new Number(OUNCES, row, pkgLoad.getOunces(), ouncesOverFormat));
                } else {
                    sheet.addCell(new Number(OUNCES, row, pkgLoad.getOunces()));
                }
                sheet.addCell(new Number(REV, row, pkgLoad.getRevolutions()));
                sheet.addCell(new Number(BENCHMARK, row, pkgLoad.getWrapSpecId().getBenchmark()));

                row++;
            }

            workBook.write();
            workBook.close();

        } catch (Exception e) {
            throw new ServletException("Exception in Excel Servlet", e);
        } finally {
            if (out != null) {
                out.close();
            }
        }
    }

    // setupCellViews(...) and setupColumnLables(...) are not shown in the question.
}

3 Answers:

Answer 0: (score: 1)

Another approach is to refactor the Excel stuff into a method like this:

void writeExcelSheet(ViewLines viewLines, OutputStream output) throws IOException

Then you can do the job in a JSF action method without needing to redirect to a servlet:

FacesContext facesContext = FacesContext.getCurrentInstance();
ExternalContext externalContext = facesContext.getExternalContext();
externalContext.setResponseContentType("application/vnd.ms-excel");
externalContext.setResponseHeader("Content-Disposition", "attachment; filename=" + pkgLine.getShortname() + ".xls");
writeExcelSheet(viewLines, externalContext.getResponseOutputStream());
facesContext.responseComplete();

And, if necessary, reuse it in the servlet (which I don't think is needed, seeing the problem you're running into now :)):

response.setContentType("application/vnd.ms-excel");
response.setHeader("Content-Disposition", "attachment; filename=" + pkgLine.getShortname() + ".xls");
writeExcelSheet(viewLines, response.getOutputStream());

Answer 1: (score: 0)

  

especially if a user could guess the parameters and find information from another company (in my case).

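Assuming you mean URL parameters such as /Excel?companyid=1234, the other approach is to check in your servlet/controller whether the current user is allowed to view the object they are requesting (you do have some sort of authentication and authorization going on here, don't you?).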
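
The ownership check described in this answer, as an added example that is not part of the original answer or the asker's project: the servlet would call it with the pkgLineId request parameter before building the workbook. The `User` type, the `companyId` field on `PkgLine`, and the in-memory `LINES` map (standing in for `pkgLineService.find`) are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Optional;

// Added example: object-level authorization for a request like /Excel?pkgLineId=2.
// PkgLine.companyId, User and the LINES store are hypothetical stand-ins.
public class ExcelAccessCheck {

    record PkgLine(int id, int companyId, String shortname) {}
    record User(String name, int companyId) {}

    // Constructed sample data standing in for pkgLineService.find(id).
    static final Map<Integer, PkgLine> LINES = Map.of(
            1, new PkgLine(1, 100, "LineA"),
            2, new PkgLine(2, 200, "LineB"));

    /**
     * Resolves the requested line only if it belongs to the caller's company.
     * "Does not exist" and "belongs to someone else" are indistinguishable to
     * the caller, so ids of other companies' lines cannot be confirmed by probing.
     */
    static Optional<PkgLine> resolve(User user, String rawId) {
        if (user == null || rawId == null) return Optional.empty();
        final int id;
        try {
            id = Integer.parseInt(rawId.trim());
        } catch (NumberFormatException e) {
            return Optional.empty(); // malformed id is treated like a missing object
        }
        PkgLine line = LINES.get(id);
        if (line == null || line.companyId() != user.companyId()) return Optional.empty();
        return Optional.of(line);
    }

    /** HTTP status the servlet would send: 401 no login, 404 denied or missing, 200 ok. */
    static int statusFor(User user, String rawId) {
        if (user == null) return 401;
        return resolve(user, rawId).isPresent() ? 200 : 404;
    }

    public static void main(String[] args) {
        User alice = new User("alice", 100); // constructed user belonging to company 100
        System.out.println(statusFor(alice, "1"));   // her own company's line
        System.out.println(statusFor(alice, "2"));   // a line owned by company 200
        System.out.println(statusFor(alice, "abc")); // malformed parameter
        System.out.println(statusFor(null, "1"));    // no authenticated user
    }
}
```

The same check applies when the selection comes from the session instead of the URL: the company is always taken from the authenticated user, never from a request parameter.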

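Answer 2: (score: 0)

If you only need request-scoped objects, use request.setAttribute(). If you put things in the session you risk memory problems. Generally, the session is for maintaining conversational state between browser requests. It sounds like your application doesn't need state.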