Introduction to Java code audit and Java Web

Posted by landonmkelsey on Fri, 21 Jan 2022 14:57:54 +0100

0. Supplementary knowledge

  • After back-end code is modified, the change does not take effect until the project is restarted.

  • A simple understanding of JSP: Java code can be embedded in HTML pages and executed there.

  • DAO layer: code that interacts directly with the database, that is, add, delete, modify and query.
    Of course, the DAO layer is not necessarily named "dao".

1. Servlet Technology

1.1 Java Web overview

A Java Web application consists of a set of Servlets, HTML pages, classes, and other resources that can be bundled together.

It can run in a Servlet container provided by various vendors.

A Java Web application can include the following contents:

  • Servlets
  • JSP pages
  • Utility classes
  • Static documents such as HTML and images, and descriptor files carrying Web application information (web.xml)

1.2 Servlet and Servlet container

1.2.1 Servlet container concept

  • The Servlet container provides a runtime environment for Java Web applications; it is responsible for managing the lifecycle of Servlets and JSPs and managing their shared data.
  • The Servlet container is also called the Java Web application container, or Servlet/JSP container.
  • Currently, the most popular Servlet container software includes:
      Tomcat
      The built-in Servlet container provided in J2EE servers such as WebLogic
1.2.2 introduction to Tomcat
Tomcat is a free, open-source Servlet container. It is a top-level project of the Apache Software Foundation, developed by Apache, Sun, and other companies and individuals.

With Sun's participation and support, the latest Servlet and JSP specifications are always reflected in Tomcat.

(1)Tomcat directory structure

1.2.3 some vulnerabilities of Tomcat

Note that many Tomcat services have historical vulnerabilities or weak passwords; these can be dealt with by modifying the default port number and the password.

  • Modify the default port number of Tomcat:

    Open the server.xml file in the conf directory.

  • Tomcat management program:

    Edit the tomcat-users.xml file in the conf directory, add the manager role, and set the user name and password.
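The two checks above (default port still in use, manager account with a weak password) can be turned into a small audit routine. The following is an added example, not code from the original post or from Tomcat itself; the two XML documents are constructed stand-ins for conf/server.xml and conf/tomcat-users.xml, and the weak-password list is illustrative rather than exhaustive.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class TomcatConfigAudit {

    // Constructed sample of conf/tomcat-users.xml: one weak manager account, one strong one.
    static final String TOMCAT_USERS_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<tomcat-users>\n"
      + "  <role rolename=\"manager-gui\"/>\n"
      + "  <user username=\"tomcat\" password=\"tomcat\" roles=\"manager-gui\"/>\n"
      + "  <user username=\"ops\" password=\"Xk3#v9pQ!r7Lm2sD\" roles=\"manager-gui\"/>\n"
      + "</tomcat-users>\n";

    // Constructed sample of conf/server.xml that still listens on Tomcat's default HTTP port.
    static final String SERVER_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<Server port=\"8005\" shutdown=\"SHUTDOWN\">\n"
      + "  <Service name=\"Catalina\">\n"
      + "    <Connector port=\"8080\" protocol=\"HTTP/1.1\"/>\n"
      + "  </Service>\n"
      + "</Server>\n";

    // Illustrative list of default/weak credentials; a real audit would use a larger wordlist.
    static final Set<String> WEAK_PASSWORDS = Set.of("tomcat", "admin", "password", "123456", "s3cret");

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Disable DTD processing so the audit tool itself does not become an XML entity target.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Flags users holding a manager/admin role whose password is short or on the weak list. */
    static List<String> auditUsers(String tomcatUsersXml) throws Exception {
        List<String> findings = new ArrayList<>();
        NodeList users = parse(tomcatUsersXml).getElementsByTagName("user");
        for (int i = 0; i < users.getLength(); i++) {
            Element u = (Element) users.item(i);
            String name = u.getAttribute("username");
            String pw = u.getAttribute("password");
            String roles = u.getAttribute("roles");
            boolean privileged = roles.contains("manager") || roles.contains("admin");
            if (privileged && (pw.length() < 12 || WEAK_PASSWORDS.contains(pw.toLowerCase()))) {
                findings.add("user '" + name + "' with roles [" + roles + "] has a weak password");
            }
        }
        return findings;
    }

    /** Flags connectors still bound to Tomcat's default port 8080. */
    static List<String> auditConnectors(String serverXml) throws Exception {
        List<String> findings = new ArrayList<>();
        NodeList conns = parse(serverXml).getElementsByTagName("Connector");
        for (int i = 0; i < conns.getLength(); i++) {
            Element c = (Element) conns.item(i);
            if ("8080".equals(c.getAttribute("port"))) {
                findings.add("Connector protocol=" + c.getAttribute("protocol")
                    + " still uses the default port 8080");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        List<String> findings = new ArrayList<>();
        findings.addAll(auditUsers(TOMCAT_USERS_XML));
        findings.addAll(auditConnectors(SERVER_XML));
        findings.forEach(f -> System.out.println("[FINDING] " + f));
    }
}
```

With the constructed input, the routine reports the "tomcat"/"tomcat" manager account and the 8080 connector, and stays silent on the "ops" account. Pointing the two parse calls at the real files under Tomcat's conf directory is the only change needed to run it against a deployment.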

1.2.3 Supplement: what to do if the port is occupied

When starting middleware such as Tomcat, if it reports that the port is occupied, there are two approaches.

First, edit Tomcat's configuration file and change Tomcat's default port to another unoccupied port.

Second, use the command line to see which processes occupy these ports, and then kill them.

1.2.4 Process of the Servlet container responding to client requests

1.2.5 Mapping relationship

Mapping details:

  • The same Servlet can be mapped to multiple URLs, that is, the <servlet-name> child element of multiple <servlet-mapping> elements can be set to the registered name of the same Servlet.
  • Wildcards can also be used in the URL to which the Servlet is mapped, but only in two fixed formats: one is "*.extension", and the other starts with a forward slash (/) and ends with "/*".
1.2.6 Some important methods in HttpServletRequest

Getting request parameters:

  • getParameter method
  • getParameterValues method
  • getParameterNames method
  • getParameterMap method

If the front-end parameters obtained with these methods are used without filtering, a series of injection-type vulnerabilities will follow.

Methods related to request-scope attributes:

  • setAttribute method
  • getAttribute method
  • removeAttribute method
  • getAttributeNames method
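The following servlet shows the parameter-reading methods in use and, beside each other, the pattern an auditor searches for (a parameter spliced into SQL text) and its hardened form (a bound PreparedStatement parameter plus an allow-list check). It is an added example, not code from the original post; it assumes the javax.servlet API on the classpath and a JNDI DataSource registered under the assumed name java:comp/env/jdbc/app.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Map;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

@WebServlet(name = "UserLookupServlet", value = "/user")
public class UserLookupServlet extends HttpServlet {

    private DataSource dataSource;

    @Override
    public void init() throws ServletException {
        try {
            // Assumed JNDI resource name; configured in the container, not in this class.
            dataSource = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/app");
        } catch (NamingException e) {
            throw new ServletException("datasource lookup failed", e);
        }
    }

    // The "before" picture: request data is concatenated into the SQL string.
    // Kept only so the sink is recognisable during an audit; the servlet never calls it.
    static String vulnerableLookup(Connection conn, String username) throws SQLException {
        String sql = "SELECT username FROM users WHERE username = '" + username + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("username") : null;
        }
    }

    // Hardened: the parameter is bound as a value and is never part of the SQL text.
    static String safeLookup(Connection conn, String username) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT username FROM users WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("username") : null;
            }
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getParameter: a single value, or null when the parameter is absent
        String username = req.getParameter("username");
        // getParameterValues: every value of a repeated parameter (?role=a&role=b)
        String[] roles = req.getParameterValues("role");
        // getParameterMap: everything the client sent; names only are logged here
        Map<String, String[]> all = req.getParameterMap();
        log("client-controlled parameters: " + all.keySet()
            + " (role values: " + (roles == null ? 0 : roles.length) + ")");

        // Allow-list check before the value reaches any sink
        if (username == null || !username.matches("[A-Za-z0-9_]{1,32}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid username");
            return;
        }
        try (Connection conn = dataSource.getConnection()) {
            String found = safeLookup(conn, username);
            resp.setContentType("text/plain;charset=UTF-8");
            resp.getWriter().println(found == null ? "no such user" : "found " + found);
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }
}
```

When auditing, the string-building pattern in vulnerableLookup is what to grep for next to each getParameter call; the combination of an allow-list check and a bound parameter in doGet is the shape to expect in the fixed code.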

1.3 forwarding and redirection

  • Forward:
    After the client sends the request to the server, the server sends a status code and the re-requested address back to the client, and the client then requests again according to the address returned by the server.

  • Redirect:
    After the client sends the request to the server, an internal resource (another page) is invoked once the server has finished processing, and the result is displayed on the client side.

1.4 Configure the access mapping of paths and classes

The purpose is to determine, for a requested path, which Java code the back end calls to process it.

1.4.1 There are two methods. The first:

	Bind the servlet class to the access path through the traditional web.xml file.

	(Higher servlet versions support annotation configuration; this method is no longer recommended.)
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

    <servlet>
        <!-- Class name -->
        <servlet-name>ServletDemo01</servlet-name>
        <!-- Package in which the class lives -->
        <servlet-class>com.xbb.ServletDemo01</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>ServletDemo01</servlet-name>
        <!-- Web address visited -->
        <url-pattern>/ServletDemo01</url-pattern>
    </servlet-mapping>

</web-app>
1.4.2 Method 2:

In later versions, servlet technology can be configured with the @WebServlet annotation, which matches the current servlet class to the path given in value:

@WebServlet(name = "ServletDemo01", value = "/ServletDemo01")

In this way, we visit "url/ServletDemo01" directly; that is, whichever back-end class carries the above annotation is the one that handles that page.


Note that if these two methods appear at the same time, testing shows that the effective one is method 1.

For pages such as index.do, you can find the specific back-end code that handles the page by directly searching for where the annotation appears.

In addition, the annotation keyword is not only @WebServlet but also @RequestMapping; their function is the same.
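The "search for the annotation" step can be automated into a path-to-class map covering both configuration methods. The scanner below is an added example, not a tool from the original post; it runs on the JDK alone, and the web.xml and source snippets it scans are constructed stand-ins (the web.xml one mirrors the ServletDemo01 mapping above, the others use the invented classes IndexServlet and LoginController). It handles class-level @WebServlet and @RequestMapping only; method-level mappings would need a further pass.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class HandlerMapScanner {

    // Constructed stand-ins for files an auditor would read from the project tree.
    static final String WEB_XML =
        "<web-app>\n"
      + "  <servlet><servlet-name>ServletDemo01</servlet-name>\n"
      + "    <servlet-class>com.xbb.ServletDemo01</servlet-class></servlet>\n"
      + "  <servlet-mapping><servlet-name>ServletDemo01</servlet-name>\n"
      + "    <url-pattern>/ServletDemo01</url-pattern></servlet-mapping>\n"
      + "</web-app>\n";
    static final String INDEX_SERVLET_JAVA =
        "package com.xbb;\n"
      + "@WebServlet(name = \"IndexServlet\", urlPatterns = {\"/index.do\", \"/home.do\"})\n"
      + "public class IndexServlet extends HttpServlet { }\n";
    static final String LOGIN_CONTROLLER_JAVA =
        "package com.xbb.controller;\n"
      + "@Controller\n"
      + "@RequestMapping(\"/login\")\n"
      + "public class LoginController { }\n";

    static final Pattern PACKAGE = Pattern.compile("package\\s+([\\w.]+)\\s*;");
    // Annotation arguments, then (lazily) the class the annotation decorates.
    static final Pattern ANNOTATED_CLASS =
        Pattern.compile("@(?:WebServlet|RequestMapping)\\s*\\(([^)]*)\\)[\\s\\S]*?class\\s+(\\w+)");
    // Quoted strings that look like URL patterns: they start with "/" or "*.".
    static final Pattern PATH_LITERAL = Pattern.compile("\"((?:/|\\*\\.)[^\"]*)\"");
    static final Pattern XML_SERVLET = Pattern.compile(
        "<servlet>[\\s\\S]*?<servlet-name>\\s*(\\w+)\\s*</servlet-name>"
      + "[\\s\\S]*?<servlet-class>\\s*([\\w.]+)\\s*</servlet-class>");
    static final Pattern XML_MAPPING = Pattern.compile(
        "<servlet-mapping>[\\s\\S]*?<servlet-name>\\s*(\\w+)\\s*</servlet-name>"
      + "[\\s\\S]*?<url-pattern>\\s*([^<]+?)\\s*</url-pattern>");

    /** web.xml: join <servlet> (name -> class) with <servlet-mapping> (name -> url-pattern). */
    static Map<String, String> scanWebXml(String webXml) {
        Map<String, String> nameToClass = new LinkedHashMap<>();
        Matcher m = XML_SERVLET.matcher(webXml);
        while (m.find()) nameToClass.put(m.group(1), m.group(2));
        Map<String, String> pathToClass = new LinkedHashMap<>();
        m = XML_MAPPING.matcher(webXml);
        while (m.find()) {
            pathToClass.put(m.group(2), nameToClass.getOrDefault(m.group(1), "<unregistered>"));
        }
        return pathToClass;
    }

    /** Source file: class-level @WebServlet / @RequestMapping paths -> fully qualified class. */
    static Map<String, String> scanSource(String source) {
        Matcher pm = PACKAGE.matcher(source);
        String pkg = pm.find() ? pm.group(1) + "." : "";
        Map<String, String> pathToClass = new LinkedHashMap<>();
        Matcher m = ANNOTATED_CLASS.matcher(source);
        while (m.find()) {
            Matcher paths = PATH_LITERAL.matcher(m.group(1));
            while (paths.find()) pathToClass.put(paths.group(1), pkg + m.group(2));
        }
        return pathToClass;
    }

    /** Merge both sources; web.xml entries are applied last so they win, as the note on method 1 says. */
    static Map<String, String> buildMap(String webXml, List<String> sources) {
        Map<String, String> merged = new LinkedHashMap<>();
        for (String src : sources) merged.putAll(scanSource(src));
        merged.putAll(scanWebXml(webXml));
        return merged;
    }

    public static void main(String[] args) {
        Map<String, String> map = buildMap(WEB_XML, List.of(INDEX_SERVLET_JAVA, LOGIN_CONTROLLER_JAVA));
        map.forEach((path, cls) -> System.out.println(path + "  ->  " + cls));
    }
}
```

Replacing the constant strings with the contents of web.xml and each .java file under the project turns this into the first step of an audit: a list of every reachable path and the class that handles it, so each entry can then be checked for the parameter-handling issues discussed earlier.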

2. Introduction to MVC

  • MVC is the abbreviation of Model-View-Controller. It is a design pattern that divides the application into three core modules, model, view and controller, each dealing with its own task.
  • The model is the main part of the application. The model represents business data and business logic. A model can provide data for multiple views. Because code written once for the model can be reused by multiple views, code reusability is improved. (Understood as the specific back-end processing modules, such as creating a new user.)
  • The view is the interface that the user sees and interacts with. The view displays relevant data to the user and accepts the user's input, but does not carry out any actual business processing. (Understood as the front end.)
  • The controller accepts the user's input and calls the model and view to complete the user's requirements. The controller receives the request, decides which model component to call to process it, and then decides which view to call to display the data returned by the model. (Understood as deciding which requests call which "models" for processing.)
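The following controller servlet ties section 1.3 and the MVC description together: one handler forwards to a view after consulting the model, the other redirects after updating it. This is an added example, not code from the original post; it assumes the javax.servlet API on the classpath and a view at /WEB-INF/views/users.jsp that reads the "users" request attribute (the JSP itself is not shown).

```java
import java.io.IOException;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(name = "UserController", urlPatterns = {"/users", "/users/new"})
public class UserController extends HttpServlet {

    /** Model: business data and logic, independent of any view (in-memory store for the example). */
    static class UserModel {
        private final List<String> users = new CopyOnWriteArrayList<>();

        List<String> all() { return List.copyOf(users); }

        boolean add(String name) {
            if (name == null || !name.matches("[A-Za-z0-9_]{1,32}")) return false;
            return users.add(name);
        }
    }

    private final UserModel model = new UserModel();

    // GET /users: the controller asks the model for data, then forwards to the view.
    // The forward happens inside the container: the browser sees a single request and
    // the address bar still shows /users.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.setAttribute("users", model.all());  // request-scope attribute read by the view
        // Resources under /WEB-INF/ cannot be requested by clients directly, so the view
        // is reachable only through this forward.
        req.getRequestDispatcher("/WEB-INF/views/users.jsp").forward(req, resp);
    }

    // POST /users/new: the controller updates the model, then redirects.
    // sendRedirect returns a 302 with a Location header, and the browser issues a second
    // GET to /users, so refreshing the page does not resubmit the form.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!model.add(req.getParameter("name"))) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid name");
            return;
        }
        // Fixed, application-relative target; it is not built from request input.
        resp.sendRedirect(req.getContextPath() + "/users");
    }
}
```

The two calls are the thing to recognise when reading code: getRequestDispatcher(...).forward(...) keeps the work inside the server and shares request attributes with the target, while sendRedirect(...) ends the current request and makes the client start a new one.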

3. Introduction to Filter

  • The basic function of a Filter is to intercept the process of the Servlet container calling a Servlet, so as to realize some special functions before and after the Servlet's response processing.
  • Three interfaces are defined in the Servlet API for developers to write Filter programs:
    Filter, FilterChain, FilterConfig
  • A Filter program is a Java class that implements the Filter interface. Like a Servlet program, it is called and executed by the Servlet container.
  • The Filter program needs to be registered in the web.xml file, where the resources it can intercept are set: the Filter program can intercept JSPs and servlets, but not static image files and static HTML files.
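A concrete Filter using all three interfaces, with work done both before and after the call to the servlet: it logs the request path and parameter names up front, sets a response header before the servlet can commit the response, and records status and elapsed time afterwards. This is an added example, not code from the original post; it assumes the javax.servlet API on the classpath and registers itself with @WebFilter (the web.xml equivalent uses <filter> and <filter-mapping>), using the extension-style patterns described in 1.2.5.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(filterName = "AuditFilter", urlPatterns = {"*.do", "*.jsp"})
public class AuditFilter implements Filter {

    private String appName;

    @Override
    public void init(FilterConfig config) {
        // FilterConfig carries init-params from the registration; fall back to a default.
        String p = config.getInitParameter("appName");
        appName = p == null ? "app" : p;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Before the servlet: record what the client controls (parameter names only, so
        // that secrets submitted in values never land in the log).
        long start = System.nanoTime();
        String paramNames = String.join(",", req.getParameterMap().keySet());
        req.getServletContext().log(appName + " " + req.getMethod() + " "
            + req.getRequestURI() + " params=[" + paramNames + "]");

        // Headers must be set before the servlet writes, or the response may already be committed.
        resp.setHeader("X-Content-Type-Options", "nosniff");

        // Hand the request to the next filter in the chain, or to the target servlet.
        chain.doFilter(request, response);

        // After the servlet: the response status is known, so it can be recorded with the timing.
        long ms = (System.nanoTime() - start) / 1_000_000;
        req.getServletContext().log(appName + " -> " + resp.getStatus() + " in " + ms + " ms");
    }

    @Override
    public void destroy() {
        // Nothing to release in this example.
    }
}
```

When auditing, the filter chain is worth mapping alongside the servlet mappings: any validation or authentication performed in a Filter only protects paths that its url-pattern actually covers.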

Topics: Java Apache Tomcat