JAVA-Servlet&Filter&Listener
Servlet
Servlet路由:
<!-- web.xml: registers com.example.demo.IndexServlet under the logical name "index"
     and maps that name to the URL pattern /index. The two <servlet-name> values must match. -->
<servlet>
    <servlet-name>index</servlet-name>
    <servlet-class>com.example.demo.IndexServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>index</servlet-name>
    <url-pattern>/index</url-pattern>
</servlet-mapping>
| package com.example.demo;
import jakarta.servlet.ServletConfig; import jakarta.servlet.ServletException; import jakarta.servlet.ServletRequest; import jakarta.servlet.ServletResponse; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException; import java.io.PrintWriter;
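/**
 * Demo servlet that logs each lifecycle callback and, in {@link #doGet}, echoes the
 * {@code name} request parameter back inside an {@code <h1>}.
 *
 * Fix over the original: the echoed parameter is HTML-escaped before it is written to the
 * response (the original concatenated it raw, which is a reflected-XSS sink), a missing
 * parameter no longer renders as the literal text "null", and the content type is declared.
 */
public class IndexServlet extends HelloServlet {

    /**
     * Lifecycle hook; only logs.
     * NOTE(review): super.init(config) is not called. If HelloServlet derives from
     * GenericServlet, getServletConfig() will stay null for this servlet — confirm this is intended.
     */
    @Override
    public void init(ServletConfig config) throws ServletException {
        System.out.println("IndexServlet init");
    }

    /** HTTP-typed service overload; only logs. */
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        System.out.println("HttpServletRequest service");
    }

    /**
     * Generic service entry point; only logs. Because it does not delegate to super.service(),
     * the container presumably never reaches the HTTP overload or doGet through this class —
     * which appears to be the point of the lifecycle demo, so it is left unchanged.
     */
    @Override
    public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
        System.out.println("IndexServlet service");
    }

    /**
     * Writes {@code <h1>Hello NAME</h1>} where NAME is the HTML-escaped {@code name} parameter
     * (empty when the parameter is absent).
     *
     * @param request  incoming request; {@code name} is read with getParameter
     * @param response response the greeting is written to
     * @throws IOException if the response writer cannot be obtained or written
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        String name = request.getParameter("name");
        // getParameter returns null when the parameter is absent; render nothing rather than "null".
        String safeName = name == null ? "" : escapeHtml(name);
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<h1>Hello " + safeName + "</h1>");
        System.out.println(name + "----------doGET");
    }

    /** Lifecycle hook; only logs. */
    @Override
    public void destroy() {
        System.out.println("IndexServlet destroy");
    }

    /**
     * Escapes the five characters that are significant in HTML text and attribute context.
     * Kept local so the servlet needs no additional dependency.
     *
     * @param s raw text, must not be null
     * @return text safe to embed in an HTML element body
     */
    private static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':
                    sb.append("&amp;");
                    break;
                case '<':
                    sb.append("&lt;");
                    break;
                case '>':
                    sb.append("&gt;");
                    break;
                case '"':
                    sb.append("&quot;");
                    break;
                case '\'':
                    sb.append("&#39;");
                    break;
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }
}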
SQL预编译
预编译(Prepared Statement) 是指在执行 SQL 查询之前,将 SQL 语句的结构(查询计划)提前编译和优化,并将其存储在数据库服务器的内存中。当应用程序多次执行相同的 SQL 语句(只改变其中的参数)时,数据库服务器可以直接重用预编译的查询计划,而不必每次都重新解析和编译 SQL 语句。
预编译防止 SQL 注入攻击。因为在预编译中,SQL 语句与参数是分开的,用户输入的参数不会直接嵌入到 SQL 语句中,而是作为独立的变量传递,这样可以有效地防止恶意用户构造恶意的 SQL 注入。
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
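/**
 * Demonstrates a parameterised query: the statement text is fixed and the two bind values
 * are transmitted separately, so they can never be parsed as SQL.
 *
 * Fixes over the original: the PreparedStatement and ResultSet are now closed through
 * try-with-resources (the original only closed the Connection), and the catch is narrowed
 * from Exception to the SQLException the JDBC calls actually declare.
 */
public class PreparedStatementExample {

    /**
     * Connects, runs the lookup for the demo credentials and prints every matching row.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        // Demo-only connection details; in a real deployment these would come from configuration.
        String url = "jdbc:mysql://localhost:3306/mydatabase";
        String username = "root";
        String password = "password";
        // The '?' placeholders are the only points where caller data enters the statement.
        String sql = "SELECT * FROM users WHERE username = ? AND password = ?";
        try (Connection conn = DriverManager.getConnection(url, username, password);
             PreparedStatement pstmt = conn.prepareStatement(sql)) {
            pstmt.setString(1, "admin");
            pstmt.setString(2, "admin123");
            // NOTE(review): comparing the password column directly implies cleartext storage;
            // a real login would fetch the stored hash and verify it in application code.
            try (ResultSet rs = pstmt.executeQuery()) {
                while (rs.next()) {
                    System.out.println("User ID: " + rs.getInt("id"));
                    System.out.println("Username: " + rs.getString("username"));
                }
            }
        } catch (SQLException e) {
            // Demo has no logger in scope; a production class would log with context instead.
            e.printStackTrace();
        }
    }
}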
Filter过滤器
Filter 是一种用来对请求和响应进行预处理和后处理的组件。Filter 过滤器通常用于实现请求/响应的拦截功能,可以在请求到达 Servlet 之前或响应返回客户端之前执行特定的操作。
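/**
 * Demo filter on {@code /Test} that refuses requests whose {@code code} parameter contains
 * the literal {@code <script>} and otherwise continues the chain.
 *
 * Fix over the original: a request without a {@code code} parameter no longer throws a
 * NullPointerException (getParameter returns null for an absent parameter); it is treated
 * as having nothing to block and is passed through.
 *
 * A literal-substring blocklist is only a demonstration; it is not a reliable XSS defence —
 * contextual output encoding at the point of rendering is.
 */
@WebFilter("/Test")
public class XssFilter implements Filter {

    /** The single marker this demo refuses. */
    private static final String BLOCKED_MARKER = "<script>";

    /** Lifecycle hook; only logs. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        System.out.println("XssFilter init");
    }

    /** Lifecycle hook; only logs. */
    @Override
    public void destroy() {
        System.out.println("XssFilter destroy");
    }

    /**
     * Continues the chain unless {@code code} contains the blocked marker.
     *
     * @param servletRequest  incoming request; cast to HttpServletRequest to read parameters
     * @param servletResponse outgoing response, passed through untouched
     * @param filterChain     the remaining chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        System.out.println("XssFilter doFilter");
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        String code = request.getParameter("code");
        // Absent parameter: nothing to inspect, so the request is allowed through.
        if (code == null || !code.contains(BLOCKED_MARKER)) {
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            // NOTE(review): the chain stops here but no error status is set, so the client
            // receives an empty success response. HttpServletResponse is not in scope in this
            // snippet, so the original behaviour is kept; a real filter would send an error status.
            System.out.println("Xss!!!!!!!!!!!!");
        }
    }
}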
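/**
 * Demo filter on {@code /admin} that continues the chain only when a cookie whose name
 * contains {@code user} has a value containing {@code admin}.
 *
 * Fixes over the original: a request with no cookies no longer throws a NullPointerException
 * (getCookies returns null in that case); the chain is continued at most once instead of once
 * per matching cookie (a second doFilter on the same response is an error); the rejection
 * message is printed once instead of once per non-matching cookie; and cookie values are no
 * longer written to stdout, since they may carry session secrets.
 *
 * NOTE(review): the decision rests on a client-controlled cookie value, which is exactly what
 * the page is demonstrating (a planted check), not a pattern to copy — real authorisation must
 * be based on server-side session or token state.
 */
@WebFilter("/admin")
public class AdminFilter implements Filter {

    /** Lifecycle hook; only logs. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        System.out.println("AdminFilter init");
    }

    /** Lifecycle hook; only logs. */
    @Override
    public void destroy() {
        System.out.println("AdminFilter destroy");
    }

    /**
     * Continues the chain for requests that carry an "admin" cookie, otherwise logs a rejection.
     *
     * @param servletRequest  incoming request; cast to HttpServletRequest to read cookies
     * @param servletResponse outgoing response, passed through untouched
     * @param filterChain     the remaining chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        System.out.println("AdminFilter doFilter");
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        if (hasAdminCookie(request.getCookies())) {
            filterChain.doFilter(request, servletResponse);
        } else {
            // NOTE(review): no error status is set on rejection, so the client receives an
            // empty success response; kept as in the original.
            System.out.println("非管理员访问");
        }
    }

    /**
     * Returns true if any cookie has a name containing "user" and a value containing "admin".
     *
     * @param cookies the request's cookies, or null when the request carried none
     */
    private static boolean hasAdminCookie(Cookie[] cookies) {
        if (cookies == null) {
            return false;
        }
        for (Cookie cookie : cookies) {
            String cookieName = cookie.getName();
            // Only the name is logged; values are deliberately kept out of the log.
            System.out.println("Cookie Name: " + cookieName);
            if (cookieName.contains("user") && cookie.getValue().contains("admin")) {
                return true;
            }
        }
        return false;
    }
}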
Filter简单内存🐎演示
哥斯拉生成1.jsp并连接

Java-Web流程:

常规后门在Servlet(可以在本地目录中看到文件,清理后门时只需要删除文件即可),内存🐎写到Filter或Listener,所以清理后门时,内存🐎不易被发现
Listener监听器
监听器Listener按照监听的事件可以分成3大类
- 1.监听对象创建和销毁的监听器
- 2.监听对象中属性变更的监听器
- 3.监听 HttpSession 中的对象状态改变的监听器
监听对象创建和销毁的监听器

/**
 * Session lifecycle listener that reports when an HttpSession is created or destroyed.
 * Both callbacks only write a line to stdout; the event argument is not inspected.
 */
@WebListener
public class ListenSession implements HttpSessionListener {

    /** Called by the container when a new session is created. */
    @Override
    public void sessionCreated(HttpSessionEvent se) {
        report("Listener:Session created");
    }

    /** Called by the container when a session is invalidated or times out. */
    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        report("Listener:Session destroyed");
    }

    /** Single output point for both callbacks. */
    private static void report(String line) {
        System.out.println(line);
    }
}
