zhanggok
package coreservlets;
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.util.Properties;
import sun.misc.BASE64Decoder;
/** Example of password-protected pages handled directly
* by servlets.
* <P>
* Taken from Core Servlets and JavaServer Pages
* from Prentice Hall and Sun Microsystems Press,
* http://www.coreservlets.com/.
* &copy; 2000 Marty Hall; may be freely used or adapted.
*/
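public class ProtectedPage extends HttpServlet {
    /** Scheme prefix that precedes the Base64 credentials in the header. */
    private static final String BASIC_PREFIX = "Basic ";

    // User name -> password, loaded once in init(). The file holds the
    // passwords in clear text; storing salted password hashes instead would
    // limit the damage if the file is ever read by someone else.
    private Properties passwords;
    private String passwordFile;

    /**
     * Read the password file from the location specified
     * by the passwordFile initialization parameter.
     *
     * @param config servlet configuration supplying the passwordFile parameter
     * @throws ServletException if the parameter is missing or the file
     *         cannot be read, so a misconfiguration is reported at startup
     *         instead of silently leaving an empty password table
     */
    public void init(ServletConfig config)
            throws ServletException {
        super.init(config);
        passwords = new Properties();
        passwordFile = config.getInitParameter("passwordFile");
        if (passwordFile == null) {
            throw new ServletException(
                "Missing passwordFile initialization parameter");
        }
        InputStream in = null;
        try {
            in = new FileInputStream(passwordFile);
            passwords.load(in);
        } catch (IOException ioe) {
            throw new ServletException(
                "Cannot read password file " + passwordFile, ioe);
        } finally {
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ignored) {
                    // Nothing useful can be done if close() fails here.
                }
            }
        }
    }

    /**
     * Serve the protected page when the request carries HTTP Basic
     * credentials that match an entry in the password table; otherwise
     * answer with a 401 challenge.
     *
     * Basic credentials are only Base64-encoded, not encrypted, so this
     * scheme protects the password in transit only when used over TLS.
     *
     * @param request the incoming request
     * @param response the response to write the page or the challenge to
     * @throws ServletException declared for the servlet contract
     * @throws IOException if decoding the header or writing the page fails
     */
    public void doGet(HttpServletRequest request,
                      HttpServletResponse response)
            throws ServletException, IOException {
        String authorization = request.getHeader("Authorization");
        // Reject a missing header and any header that does not start with
        // the Basic scheme; a short header would otherwise make
        // substring() throw.
        if (authorization == null
                || !authorization.regionMatches(
                        true, 0, BASIC_PREFIX, 0, BASIC_PREFIX.length())) {
            askForPassword(response);
            return;
        }

        String userInfo =
            authorization.substring(BASIC_PREFIX.length()).trim();
        // sun.misc.BASE64Decoder is an internal JDK class; on Java 8 and
        // later java.util.Base64 is the supported replacement.
        BASE64Decoder decoder = new BASE64Decoder();
        String nameAndPassword =
            new String(decoder.decodeBuffer(userInfo));

        // Credentials have the form "user:password"; without a colon there
        // is nothing to look up.
        int index = nameAndPassword.indexOf(":");
        if (index < 0) {
            askForPassword(response);
            return;
        }
        String user = nameAndPassword.substring(0, index);
        String password = nameAndPassword.substring(index + 1);

        // The only link between the header and the password file: the
        // decoded user name is used as the key into the loaded Properties.
        String realPassword = passwords.getProperty(user);
        if (realPassword == null || !samePassword(realPassword, password)) {
            askForPassword(response);
            return;
        }

        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String title = "Welcome to the Protected Page";
        // The decoded credentials are deliberately not written into the
        // page: echoing them would put the password into the HTML, and
        // unescaped at that.
        out.println(ServletUtilities.headWithTitle(title) +
                    "<BODY BGCOLOR=\"#FDF5E6\">\n" +
                    "<H1 ALIGN=CENTER>" + title + "</H1>\n" +
                    "Congratulations. You have accessed a\n" +
                    "highly proprietary company document.\n" +
                    "Shred or eat all hardcopies before\n" +
                    "going to bed tonight.\n" +
                    "</BODY></HTML>");
    }

    // Compare the stored and supplied passwords through
    // MessageDigest.isEqual rather than String.equals, so the comparison
    // is not cut short at the first differing character.
    private static boolean samePassword(String expected, String supplied)
            throws IOException {
        return java.security.MessageDigest.isEqual(
            expected.getBytes("UTF-8"), supplied.getBytes("UTF-8"));
    }

    // Send the 401 challenge. Used when no usable Authorization header was
    // supplied and also when the supplied credentials do not match.
    private void askForPassword(HttpServletResponse response) {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // i.e. 401
        response.setHeader("WWW-Authenticate",
                           "BASIC realm=\"privileged-few\"");
    }

    /** Handle GET and POST identically. */
    public void doPost(HttpServletRequest request,
                       HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}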
下面是passwords.properties的内容
#Passwords
#Thu Jan 15 14:42:50 CST 2004
bb=bbb
nathan=nathanpw
marty=martypw
lindsay=lindsaypw
下面是web.xml的内容
<servlet>
<servlet-name>
ProtectedPage
</servlet-name>
<servlet-class>
coreservlets.ProtectedPage
</servlet-class>
<init-param>
<param-name>
passwordFile
</param-name>
<param-value>
D:/Apache Tomcat 4.0/webapps/myapp/WEB-INF/classes/passwords.properties
</param-value>
</init-param>
</servlet>
当访问上面的servlet时,会弹出一个登录对话框,要求输入用户名和密码。书中说:访问上面的servlet时会检查是否存在Authorization头,如果存在,则跳过"basic",对剩余的base64进行解码,生成username:password形式的字符串。我把字符串显示出来后发现,YmI6Ym是未解码前的,bb:bbb是解码后的,bb:bbb正好是passwords.properties文件中的内容。这时我就不明白Authorization头是如何和passwords.properties文件相关联的:在初始化中只是读取passwords.properties文件,并且输入nathan和nathanpw也可以,这就证明Authorization头遍历了passwords.properties,这让我更不能理解。另外,response.setStatus(response.SC_UNAUTHORIZED)是不是表示如果输入错误应弹出一个对话框?但并没有弹出,是不是因为浏览器的不同或版本的原因?书中用的是netscape。请高手指点。
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.util.Properties;
import sun.misc.BASE64Decoder;
/** Example of password-protected pages handled directly
* by servlets.
* <P>
* Taken from Core Servlets and JavaServer Pages
* from Prentice Hall and Sun Microsystems Press,
* http://www.coreservlets.com/.
* &copy; 2000 Marty Hall; may be freely used or adapted.
*/
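public class ProtectedPage extends HttpServlet {
    /** Scheme prefix that precedes the Base64 credentials in the header. */
    private static final String BASIC_PREFIX = "Basic ";

    // User name -> password, loaded once in init(). The file holds the
    // passwords in clear text; storing salted password hashes instead would
    // limit the damage if the file is ever read by someone else.
    private Properties passwords;
    private String passwordFile;

    /**
     * Read the password file from the location specified
     * by the passwordFile initialization parameter.
     *
     * @param config servlet configuration supplying the passwordFile parameter
     * @throws ServletException if the parameter is missing or the file
     *         cannot be read, so a misconfiguration is reported at startup
     *         instead of silently leaving an empty password table
     */
    public void init(ServletConfig config)
            throws ServletException {
        super.init(config);
        passwords = new Properties();
        passwordFile = config.getInitParameter("passwordFile");
        if (passwordFile == null) {
            throw new ServletException(
                "Missing passwordFile initialization parameter");
        }
        InputStream in = null;
        try {
            in = new FileInputStream(passwordFile);
            passwords.load(in);
        } catch (IOException ioe) {
            throw new ServletException(
                "Cannot read password file " + passwordFile, ioe);
        } finally {
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ignored) {
                    // Nothing useful can be done if close() fails here.
                }
            }
        }
    }

    /**
     * Serve the protected page when the request carries HTTP Basic
     * credentials that match an entry in the password table; otherwise
     * answer with a 401 challenge.
     *
     * Basic credentials are only Base64-encoded, not encrypted, so this
     * scheme protects the password in transit only when used over TLS.
     *
     * @param request the incoming request
     * @param response the response to write the page or the challenge to
     * @throws ServletException declared for the servlet contract
     * @throws IOException if decoding the header or writing the page fails
     */
    public void doGet(HttpServletRequest request,
                      HttpServletResponse response)
            throws ServletException, IOException {
        String authorization = request.getHeader("Authorization");
        // Reject a missing header and any header that does not start with
        // the Basic scheme; a short header would otherwise make
        // substring() throw.
        if (authorization == null
                || !authorization.regionMatches(
                        true, 0, BASIC_PREFIX, 0, BASIC_PREFIX.length())) {
            askForPassword(response);
            return;
        }

        String userInfo =
            authorization.substring(BASIC_PREFIX.length()).trim();
        // sun.misc.BASE64Decoder is an internal JDK class; on Java 8 and
        // later java.util.Base64 is the supported replacement.
        BASE64Decoder decoder = new BASE64Decoder();
        String nameAndPassword =
            new String(decoder.decodeBuffer(userInfo));

        // Credentials have the form "user:password"; without a colon there
        // is nothing to look up.
        int index = nameAndPassword.indexOf(":");
        if (index < 0) {
            askForPassword(response);
            return;
        }
        String user = nameAndPassword.substring(0, index);
        String password = nameAndPassword.substring(index + 1);

        // The only link between the header and the password file: the
        // decoded user name is used as the key into the loaded Properties.
        String realPassword = passwords.getProperty(user);
        if (realPassword == null || !samePassword(realPassword, password)) {
            askForPassword(response);
            return;
        }

        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        String title = "Welcome to the Protected Page";
        // The decoded credentials are deliberately not written into the
        // page: echoing them would put the password into the HTML, and
        // unescaped at that.
        out.println(ServletUtilities.headWithTitle(title) +
                    "<BODY BGCOLOR=\"#FDF5E6\">\n" +
                    "<H1 ALIGN=CENTER>" + title + "</H1>\n" +
                    "Congratulations. You have accessed a\n" +
                    "highly proprietary company document.\n" +
                    "Shred or eat all hardcopies before\n" +
                    "going to bed tonight.\n" +
                    "</BODY></HTML>");
    }

    // Compare the stored and supplied passwords through
    // MessageDigest.isEqual rather than String.equals, so the comparison
    // is not cut short at the first differing character.
    private static boolean samePassword(String expected, String supplied)
            throws IOException {
        return java.security.MessageDigest.isEqual(
            expected.getBytes("UTF-8"), supplied.getBytes("UTF-8"));
    }

    // Send the 401 challenge. Used when no usable Authorization header was
    // supplied and also when the supplied credentials do not match.
    private void askForPassword(HttpServletResponse response) {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); // i.e. 401
        response.setHeader("WWW-Authenticate",
                           "BASIC realm=\"privileged-few\"");
    }

    /** Handle GET and POST identically. */
    public void doPost(HttpServletRequest request,
                       HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}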
下面是passwords.properties的内容
#Passwords
#Thu Jan 15 14:42:50 CST 2004
bb=bbb
nathan=nathanpw
marty=martypw
lindsay=lindsaypw
下面是web.xml的内容
<servlet>
<servlet-name>
ProtectedPage
</servlet-name>
<servlet-class>
coreservlets.ProtectedPage
</servlet-class>
<init-param>
<param-name>
passwordFile
</param-name>
<param-value>
D:/Apache Tomcat 4.0/webapps/myapp/WEB-INF/classes/passwords.properties
</param-value>
</init-param>
</servlet>
当访问上面的servlet时,会弹出一个登录对话框,要求输入用户名和密码。书中说:访问上面的servlet时会检查是否存在Authorization头,如果存在,则跳过"basic",对剩余的base64进行解码,生成username:password形式的字符串。我把字符串显示出来后发现,YmI6Ym是未解码前的,bb:bbb是解码后的,bb:bbb正好是passwords.properties文件中的内容。这时我就不明白Authorization头是如何和passwords.properties文件相关联的:在初始化中只是读取passwords.properties文件,并且输入nathan和nathanpw也可以,这就证明Authorization头遍历了passwords.properties,这让我更不能理解。另外,response.setStatus(response.SC_UNAUTHORIZED)是不是表示如果输入错误应弹出一个对话框?但并没有弹出,是不是因为浏览器的不同或版本的原因?书中用的是netscape。请高手指点。