Figures 4–6 and 4–7 show the results. Listing 4.7 shows the complete web.xml file used
to deploy the servlet.
In a real application, make sure that you redirect users to the SSL URL when they
request the servlet or JSP page that contains the form that collects the data, not
only when they submit it. Once users have submitted sensitive data to an ordinary
non-SSL URL, it is too late to redirect the request: attackers with access to the
network traffic have already obtained the data.
Chapter 4 – Programmatic Security 198
Listing 4.6 SecurityInfo.java
package coreservlets;
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.security.cert.*; // For X509Certificate
/** Servlet that prints information on SSL requests. Non-SSL
 *  requests get redirected to SSL.
 */
public class SecurityInfo extends HttpServlet {
  public void doGet(HttpServletRequest request,
                    HttpServletResponse response)
      throws ServletException, IOException {
    // Redirect non-SSL requests to the SSL equivalent.
    if (request.getScheme().equalsIgnoreCase("http")) {
      String origURL = request.getRequestURL().toString();
      String newURL = httpsURL(origURL);
      String formData = request.getQueryString();
      if (formData != null) {
        newURL = newURL + "?" + formData;
      }
      response.sendRedirect(newURL);
    } else {
      String currentURL = request.getRequestURL().toString();
      String formData = request.getQueryString();
      PrintWriter out = response.getWriter();
      String docType =
        "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\">\n";
      // The page's copy of the listing stops at docType; the DOCTYPE value and everything below it are a completion added so the class compiles.
      out.println(docType +
                  "<HTML><HEAD><TITLE>Security Info</TITLE></HEAD>\n" +
                  "<BODY><H1>Security Info</H1>\n<UL>\n" +
                  "  <LI>URL: " + escape(currentURL) + "\n" +
                  "  <LI>Query string: " + escape(formData));
      // Client certificates are present only if the server requested them.
      X509Certificate[] certs = (X509Certificate[])
        request.getAttribute("javax.servlet.request.X509Certificate");
      if (certs != null) {
        for (int i = 0; i < certs.length; i++) {
          out.println("  <LI>Client cert subject: " +
                      escape(certs[i].getSubjectDN().getName()));
        }
      }
      out.println("</UL></BODY></HTML>");
    }
  }
  /** Turns http://... into https://...; assumes SSL on the default port. */
  private String httpsURL(String origURL) {
    return "https:" + origURL.substring(origURL.indexOf(':') + 1);
  }
  /** HTML-escapes request-derived text before echoing it into the page. */
  private static String escape(String s) {
    if (s == null) return "(none)";
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
  }
}
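The advice above, redirecting before the form is shown rather than after it is submitted, is easier to get right in one place than in every servlet. The filter below is an added example, not code from the book or from the coreservlets package: it is mapped to the form page and to the form handler, sends GET requests for those URLs to their HTTPS equivalent, and refuses rather than redirects a POST that arrives over plain HTTP, because by then the data has already crossed the network and a redirect would only hide the misconfiguration. The class name, the init-params "httpsPort" and "trustForwardedProto", and the X-Forwarded-Proto handling are assumptions made for this example.

```java
package coreservlets.examples;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Enforces HTTPS for every URL it is mapped to. Added example; assumes the
 * web.xml mapping covers both the page that shows the form and the servlet
 * that processes it, and that "trustForwardedProto" is set to "true" only
 * when a TLS-terminating reverse proxy in front of the container sets the
 * X-Forwarded-Proto header itself.
 */
public class RequireHttpsFilter implements Filter {
  private int httpsPort = 443;
  private boolean trustForwardedProto = false;

  public void init(FilterConfig config) throws ServletException {
    String port = config.getInitParameter("httpsPort");
    if (port != null) {
      httpsPort = Integer.parseInt(port);
    }
    trustForwardedProto =
      "true".equalsIgnoreCase(config.getInitParameter("trustForwardedProto"));
  }

  public void doFilter(ServletRequest req, ServletResponse res,
                       FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    if (isSecure(request)) {
      // Tell browsers to use HTTPS for this host from now on, so a typed-in
      // http:// URL does not produce another cleartext request next time.
      response.setHeader("Strict-Transport-Security", "max-age=31536000");
      chain.doFilter(req, res);
      return;
    }

    String method = request.getMethod();
    if (!"GET".equals(method) && !"HEAD".equals(method)) {
      // Too late: the body has already travelled in the clear. Redirecting
      // would resend it over HTTPS and make the problem invisible; fail
      // loudly so the form's action URL gets fixed instead.
      response.sendError(HttpServletResponse.SC_FORBIDDEN,
                         "This resource accepts submissions over HTTPS only.");
      return;
    }

    // Safe request for the page itself: move the browser to HTTPS before
    // the user ever sees (and fills in) the form.
    response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
    response.setHeader("Location", httpsURL(request));
  }

  /**
   * isSecure() reflects the connection the container sees. Behind a proxy
   * that terminates TLS it is always false, so the proxy's header is
   * consulted, but only when configured: any client can forge the header.
   */
  private boolean isSecure(HttpServletRequest request) {
    if (request.isSecure()) {
      return true;
    }
    return trustForwardedProto
        && "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"));
  }

  /** Rebuilds the request URL with the https scheme and the SSL port. */
  private String httpsURL(HttpServletRequest request) {
    StringBuffer url = new StringBuffer("https://");
    url.append(request.getServerName());
    if (httpsPort != 443) {
      url.append(':').append(httpsPort);
    }
    url.append(request.getRequestURI());
    // A query string that arrived over HTTP has already leaked; it is kept
    // only so the redirect lands on the same page, as in Listing 4.6.
    if (request.getQueryString() != null) {
      url.append('?').append(request.getQueryString());
    }
    return url.toString();
  }

  public void destroy() { }
}
```

Map the filter in web.xml with a `<filter>` entry and one `<filter-mapping>` per protected URL pattern. The declarative alternative is a `<security-constraint>` whose `<user-data-constraint>` carries `<transport-guarantee>CONFIDENTIAL</transport-guarantee>`; the container then performs the redirect itself, but a filter is the place to add the proxy check and the refusal of cleartext POSTs.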