The <tracking-mode> element of the Servlet 3.0 specification lets you define whether the JSESSIONID is carried in a cookie or as a URL parameter. If the session ID is carried in the URL, it may unintentionally be stored in many places, including browser history, proxy server logs, Referer logs and web server logs. Exposing the session ID greatly increases the likelihood that the site will be hit by session hijacking.
When CAS is used for single sign-on, the link after a successful redirect carries ;jsessionid=xxx. Below is how to remove the jsessionid:
1. Add the following configuration to the project's web.xml:
<session-config>
<session-timeout>30</session-timeout>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
2. If the method above does not solve the problem, try the following. A page requested with ;jsessionid=xxx appended reports an error, so ;jsessionid=xxx must be stripped before the redirect; by default, on the first visit, when the session has no value yet, ;jsessionid=xxx is appended:
public static final String cleanupUrl(final String url) {
    if (url == null) {
        return null;
    }
    // position of the ";jsessionid=..." path parameter, if any
    final int jsessionPosition = url.indexOf(";jsessionid");
    if (jsessionPosition == -1) {
        return url;
    }
    // no query string, or the '?' sits before the path parameter: drop everything from ";jsessionid" on
    final int questionMarkPosition = url.indexOf("?");
    if (questionMarkPosition < jsessionPosition) {
        return url.substring(0, jsessionPosition);
    }
    // otherwise cut the path parameter out and keep the query string
    return url.substring(0, jsessionPosition)
        + url.substring(questionMarkPosition);
}
default:
    // return new ExternalRedirect(serviceResponse.getUrl()); // original line, commented out
    return new ExternalRedirect(UrlUtils.cleanupUrl(serviceResponse.getUrl())); // strip the jsessionid from the URL
(Note that this differs between versions, but you only need to find the file that handles the link. In version 3.5.2 only the CommonUtils file needs to be modified.)
/**
 * Licensed to Jasig under one or more contributor license
 * agreements. See the NOTICE file distributed with this work
 * for additional information regarding copyright ownership.
 * Jasig licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file
 * except in compliance with the License. You may obtain a
 * copy of the License at:
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on
 * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
package org.jasig.cas.client.util;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jasig.cas.client.proxy.ProxyGrantingTicketStorage;
import org.jasig.cas.client.validation.ProxyList;
import org.jasig.cas.client.validation.ProxyListEditor;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URLConnection;
import java.net.URLEncoder;
import java.net.URL;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Collection;
import java.util.Date;
import java.util.TimeZone;

/**
 * Common utilities so that we don't need to include Commons Lang.
 *
 * @author Scott Battaglia
 * @version $Revision: 11729 $ $Date: 2007-09-26 14:22:30 -0400 (Tue, 26 Sep 2007) $
 * @since 3.0
 */
public final class CommonUtils {

    /** Instance of Commons Logging. */
    private static final Log LOG = LogFactory.getLog(CommonUtils.class);

    /**
     * Constant representing the ProxyGrantingTicket IOU Request Parameter.
     */
    private static final String PARAM_PROXY_GRANTING_TICKET_IOU = "pgtIou";

    /**
     * Constant representing the ProxyGrantingTicket Request Parameter.
     */
    private static final String PARAM_PROXY_GRANTING_TICKET = "pgtId";

    private CommonUtils() {
        // nothing to do
    }

    public static String formatForUtcTime(final Date date) {
        final DateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
        dateFormat.setTimeZone(TimeZone.getTimeZone("UTC"));
        return dateFormat.format(date);
    }

    /**
     * Check whether the object is null or not. If it is, throw an exception and
     * display the message.
     *
     * @param object the object to check.
     * @param message the message to display if the object is null.
     */
    public static void assertNotNull(final Object object, final String message) {
        if (object == null) {
            throw new IllegalArgumentException(message);
        }
    }

    /**
     * Check whether the collection is null or empty. If it is, throw an
     * exception and display the message.
     *
     * @param c the collection to check.
     * @param message the message to display if the object is null.
     */
    public static void assertNotEmpty(final Collection<?> c, final String message) {
        assertNotNull(c, message);
        if (c.isEmpty()) {
            throw new IllegalArgumentException(message);
        }
    }

    /**
     * Assert that the statement is true, otherwise throw an exception with the
     * provided message.
     *
     * @param cond the condition to assert is true.
     * @param message the message to display if the condition is not true.
     */
    public static void assertTrue(final boolean cond, final String message) {
        if (!cond) {
            throw new IllegalArgumentException(message);
        }
    }

    /**
     * Determines whether the String is null or of length 0.
     *
     * @param string the string to check
     * @return true if it is null or of length 0, false otherwise.
     */
    public static boolean isEmpty(final String string) {
        return string == null || string.length() == 0;
    }

    /**
     * Determines if the String is not empty. A string is not empty if it is not
     * null and has a length > 0.
     *
     * @param string the string to check
     * @return true if it is not empty, false otherwise.
     */
    public static boolean isNotEmpty(final String string) {
        return !isEmpty(string);
    }

    /**
     * Determines if a String is blank or not. A String is blank if it is empty or
     * if it only contains spaces.
     *
     * @param string the string to check
     * @return true if it is blank, false otherwise.
     */
    public static boolean isBlank(final String string) {
        return isEmpty(string) || string.trim().length() == 0;
    }

    /**
     * Determines if a string is not blank. A string is not blank if it contains
     * at least one non-whitespace character.
     *
     * @param string the string to check.
     * @return true if it is not blank, false otherwise.
     */
    public static boolean isNotBlank(final String string) {
        return !isBlank(string);
    }

    /**
     * Constructs the URL to use to redirect to the CAS server.
     *
     * @param casServerLoginUrl the CAS Server login url.
     * @param serviceParameterName the name of the parameter that defines the service.
     * @param serviceUrl the actual service's url.
     * @param renew whether we should send renew or not.
     * @param gateway whether we should send gateway or not.
     * @return the fully constructed redirect url.
     */
    public static String constructRedirectUrl(final String casServerLoginUrl,
            final String serviceParameterName, final String serviceUrl,
            final boolean renew, final boolean gateway) {
        try {
            return casServerLoginUrl
                    + (casServerLoginUrl.indexOf("?") != -1 ? "&" : "?")
                    + serviceParameterName + "="
                    + URLEncoder.encode(serviceUrl, "UTF-8")
                    + (renew ? "&renew=true" : "")
                    + (gateway ? "&gateway=true" : "");
        } catch (final UnsupportedEncodingException e) {
            throw new RuntimeException(e);
        }
    }

    public static void readAndRespondToProxyReceptorRequest(
            final HttpServletRequest request,
            final HttpServletResponse response,
            final ProxyGrantingTicketStorage proxyGrantingTicketStorage)
            throws IOException {
        final String proxyGrantingTicketIou = request.getParameter(PARAM_PROXY_GRANTING_TICKET_IOU);
        final String proxyGrantingTicket = request.getParameter(PARAM_PROXY_GRANTING_TICKET);

        if (CommonUtils.isBlank(proxyGrantingTicket)
                || CommonUtils.isBlank(proxyGrantingTicketIou)) {
            response.getWriter().write("");
            return;
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("Received proxyGrantingTicketId [" + proxyGrantingTicket
                    + "] for proxyGrantingTicketIou [" + proxyGrantingTicketIou + "]");
        }

        proxyGrantingTicketStorage.save(proxyGrantingTicketIou, proxyGrantingTicket);

        if (LOG.isDebugEnabled()) {
            LOG.debug("Successfully saved proxyGrantingTicketId ["
                    + proxyGrantingTicket + "] for proxyGrantingTicketIou ["
                    + proxyGrantingTicketIou + "]");
        }

        response.getWriter().write("<?xml version=\"1.0\"?>");
        response.getWriter()
                .write("<casClient:proxySuccess xmlns:casClient=\"http://www.yale.edu/tp/casClient\" />");
    }

    /**
     * Constructs a service url from the HttpServletRequest or from the given
     * serviceUrl. Prefers the serviceUrl provided if both a serviceUrl and a
     * serviceName are given.
     *
     * @param request the HttpServletRequest
     * @param response the HttpServletResponse
     * @param service the configured service url (this will be used if not null)
     * @param serverName the server name to use to construct the service url if the
     *            service param is empty
     * @param artifactParameterName the artifact parameter name to remove (i.e. ticket)
     * @param encode whether to encode the url or not (i.e. Jsession).
     * @return the service url to use.
     */
    public static String constructServiceUrl(final HttpServletRequest request,
            final HttpServletResponse response, final String service,
            final String serverName, final String artifactParameterName,
            final boolean encode) {
        if (CommonUtils.isNotBlank(service)) {
            return encode ? response.encodeURL(service) : service;
        }

        final StringBuilder buffer = new StringBuilder();

        if (!serverName.startsWith("https://") && !serverName.startsWith("http://")) {
            buffer.append(request.isSecure() ? "https://" : "http://");
        }

        buffer.append(serverName);
        buffer.append(request.getRequestURI());

        if (CommonUtils.isNotBlank(request.getQueryString())) {
            final int location = request.getQueryString().indexOf(artifactParameterName + "=");

            if (location == 0) {
                final String returnValue = encode ? response.encodeURL(buffer.toString()) : buffer.toString();
                if (LOG.isDebugEnabled()) {
                    LOG.debug("serviceUrl generated: " + returnValue);
                }
                // modified: strip the jsessionid before handing the url back
                return cleanupUrl(returnValue);
            }

            buffer.append("?");

            if (location == -1) {
                buffer.append(request.getQueryString());
            } else if (location > 0) {
                final int actualLocation = request.getQueryString().indexOf("&" + artifactParameterName + "=");

                if (actualLocation == -1) {
                    buffer.append(request.getQueryString());
                } else if (actualLocation > 0) {
                    buffer.append(request.getQueryString().substring(0, actualLocation));
                }
            }
        }

        final String returnValue = encode ? response.encodeURL(buffer.toString()) : buffer.toString();
        if (LOG.isDebugEnabled()) {
            LOG.debug("serviceUrl generated: " + returnValue);
        }
        // modified: strip the jsessionid before handing the url back
        return cleanupUrl(returnValue);
    }

    /**
     * Safe method for retrieving a parameter from the request without
     * disrupting the reader UNLESS the parameter actually exists in the query
     * string.
     * <p>
     * Note, this does not work for POST Requests for "logoutRequest". It works
     * for all other CAS POST requests because the parameter is ALWAYS in the
     * GET request.
     * <p>
     * If we see the "logoutRequest" parameter we MUST treat it as if calling
     * the standard request.getParameter.
     *
     * @param request the request to check.
     * @param parameter the parameter to look for.
     * @return the value of the parameter.
     */
    public static String safeGetParameter(final HttpServletRequest request, final String parameter) {
        if ("POST".equals(request.getMethod()) && "logoutRequest".equals(parameter)) {
            LOG.debug("safeGetParameter called on a POST HttpServletRequest for LogoutRequest. Cannot complete check safely. Reverting to standard behavior for this Parameter");
            return request.getParameter(parameter);
        }
        return request.getQueryString() == null
                || request.getQueryString().indexOf(parameter) == -1 ? null
                : request.getParameter(parameter);
    }

    /**
     * Contacts the remote URL and returns the response.
     *
     * @param constructedUrl the url to contact.
     * @param encoding the encoding to use.
     * @return the response.
     */
    public static String getResponseFromServer(final URL constructedUrl, final String encoding) {
        return getResponseFromServer(constructedUrl, HttpsURLConnection.getDefaultHostnameVerifier(), encoding);
    }

    /**
     * Contacts the remote URL and returns the response.
     *
     * @param constructedUrl the url to contact.
     * @param hostnameVerifier Host name verifier to use for HTTPS connections.
     * @param encoding the encoding to use.
     * @return the response.
     */
    public static String getResponseFromServer(final URL constructedUrl,
            final HostnameVerifier hostnameVerifier, final String encoding) {
        URLConnection conn = null;
        try {
            conn = constructedUrl.openConnection();
            if (conn instanceof HttpsURLConnection) {
                ((HttpsURLConnection) conn).setHostnameVerifier(hostnameVerifier);
            }
            final BufferedReader in;

            if (CommonUtils.isEmpty(encoding)) {
                in = new BufferedReader(new InputStreamReader(conn.getInputStream()));
            } else {
                in = new BufferedReader(new InputStreamReader(conn.getInputStream(), encoding));
            }

            String line;
            final StringBuilder stringBuffer = new StringBuilder(255);

            while ((line = in.readLine()) != null) {
                stringBuffer.append(line);
                stringBuffer.append("\n");
            }
            return stringBuffer.toString();
        } catch (final Exception e) {
            LOG.error(e.getMessage(), e);
            throw new RuntimeException(e);
        } finally {
            if (conn != null && conn instanceof HttpURLConnection) {
                ((HttpURLConnection) conn).disconnect();
            }
        }
    }

    /**
     * Contacts the remote URL and returns the response.
     *
     * @param url the url to contact.
     * @param encoding the encoding to use.
     * @return the response.
     */
    public static String getResponseFromServer(final String url, String encoding) {
        try {
            return getResponseFromServer(new URL(url), encoding);
        } catch (final MalformedURLException e) {
            throw new IllegalArgumentException(e);
        }
    }

    public static ProxyList createProxyList(final String proxies) {
        if (CommonUtils.isBlank(proxies)) {
            return new ProxyList();
        }

        final ProxyListEditor editor = new ProxyListEditor();
        editor.setAsText(proxies);
        return (ProxyList) editor.getValue();
    }

    /**
     * Sends the redirect message and captures the exceptions that we can't
     * possibly do anything with.
     *
     * @param response the HttpServletResponse. CANNOT be NULL.
     * @param url the url to redirect to.
     */
    public static void sendRedirect(final HttpServletResponse response, final String url) {
        try {
            response.sendRedirect(url);
        } catch (final Exception e) {
            LOG.warn(e.getMessage(), e);
        }
    }

    /**
     * Removes the ";jsessionid=..." path parameter from a url, keeping any query string.
     *
     * @param url the url to clean; may be null.
     * @return the url without the jsessionid path parameter, or null if the input was null.
     */
    public static final String cleanupUrl(final String url) {
        if (url == null) {
            return null;
        }

        final int jsessionPosition = url.indexOf(";jsessionid");
        if (jsessionPosition == -1) {
            return url;
        }

        final int questionMarkPosition = url.indexOf("?");
        if (questionMarkPosition < jsessionPosition) {
            return url.substring(0, jsessionPosition);
        }

        return url.substring(0, jsessionPosition) + url.substring(questionMarkPosition);
    }
}
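An alternative to patching the CAS client, added here as an example that is not from the page or from the CAS project: a servlet filter that redirects any request arriving with ;jsessionid in its path to the clean URL and then stops the response from re-encoding the id into links. It assumes a Servlet 3.0 container whose getRequestURI() still contains the path parameter (true on Tomcat); the class and method names are hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Hypothetical filter, not part of the CAS client: keeps JSESSIONID out of URLs
// even when <tracking-mode>COOKIE</tracking-mode> is not honoured by the container.
public class NoUrlSessionIdFilter implements Filter {
    // Same idea as cleanupUrl above, but matches the full ";jsessionid=" marker and
    // only looks for '?' after it, so a '?' earlier in the URL cannot confuse the cut.
    static String stripJsessionId(final String url) {
        if (url == null) {
            return null;
        }
        final int start = url.indexOf(";jsessionid=");
        if (start == -1) {
            return url;
        }
        final int query = url.indexOf('?', start);
        return query == -1 ? url.substring(0, start)
                           : url.substring(0, start) + url.substring(query);
    }

    @Override
    public void doFilter(final ServletRequest req, final ServletResponse res,
                         final FilterChain chain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;
        // 1. An id that arrived in the path is already in the browser history and will
        //    travel in Referer headers: redirect once to the clean URL. The session cookie
        //    set on the first response carries the session from here on.
        //    Assumption: getRequestURI() still contains the path parameter (Tomcat does).
        final String uri = request.getRequestURI();
        final String clean = stripJsessionId(uri);
        if (!clean.equals(uri)) {
            final String qs = request.getQueryString();
            response.sendRedirect(qs == null ? clean : clean + "?" + qs);
            return;
        }
        // 2. Make encodeURL/encodeRedirectURL no-ops so nothing downstream (JSP <c:url>,
        //    the CAS client, sendRedirect) can append the id again.
        chain.doFilter(request, new HttpServletResponseWrapper(response) {
            @Override public String encodeURL(final String url) { return url; }
            @Override public String encodeRedirectURL(final String url) { return url; }
        });
    }

    @Override public void init(final FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter before the CAS client filters in web.xml so the redirect happens before ticket validation runs on a URL that still carries the id.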