セッション固定化対策(ログイン後にセッションIDを更新)
import java.io.IOException; | |
import javax.servlet.ServletException; | |
import javax.servlet.http.HttpServlet; | |
import javax.servlet.http.HttpServletRequest; | |
import javax.servlet.http.HttpServletResponse; | |
import javax.servlet.http.HttpSession; | |
public class SesFixaGuardFirstServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /** Default constructor; no servlet state is set up here. */
    public SesFixaGuardFirstServlet() {
        super();
    }

    /**
     * Pre-login step of the session-fixation demo: stores the posted product name
     * in the current (or newly created) session and forwards to SesFixaPage1.jsp.
     *
     * @param request  POST with a {@code productName} parameter
     * @param response response whose content type is set to UTF-8 HTML
     * @throws ServletException propagated from the forward
     * @throws IOException      propagated from the forward / encoding setup
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Decode the request body as UTF-8 before any parameter is read,
        // and make the response charset match so multibyte text round-trips.
        request.setCharacterEncoding("utf-8");
        response.setContentType("text/html; charset=utf-8");

        final String productName = request.getParameter("productName");

        // getSession() returns the existing session or creates a fresh one;
        // the cart item is kept in session scope for the next page.
        final HttpSession cartSession = request.getSession();
        cartSession.setAttribute("productName", productName);

        request.getRequestDispatcher("SesFixaPage1.jsp").forward(request, response);
    }
}
import java.io.IOException; | |
import javax.servlet.ServletException; | |
import javax.servlet.http.HttpServlet; | |
import javax.servlet.http.HttpServletRequest; | |
import javax.servlet.http.HttpServletResponse; | |
import javax.servlet.http.HttpSession; | |
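public class SesFixaGuardSecondServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /** Default constructor; no servlet state is set up here. */
    public SesFixaGuardSecondServlet() {
        super();
    }

    /**
     * "Login" step of the session-fixation demo: discards the session the browser
     * held before login, creates a new one (hence a new session ID / JSESSIONID
     * cookie), carries the cart item over, stores the posted user id, and forwards
     * to SesFixaPage2.jsp.
     *
     * <p>No credential check happens in this servlet: the {@code id} parameter is
     * stored as-is. The point being demonstrated is only the ID rotation.
     *
     * @param request  POST with an {@code id} parameter; may or may not carry a session
     * @param response response whose content type is set to UTF-8 HTML
     * @throws ServletException propagated from the forward
     * @throws IOException      propagated from the forward / encoding setup
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Decode the request body as UTF-8 before any parameter is read,
        // and make the response charset match so multibyte text round-trips.
        request.setCharacterEncoding("utf-8");
        response.setContentType("text/html; charset=utf-8");

        // Look up the pre-login session WITHOUT creating one: if the client has no
        // session there is nothing to carry over and nothing to invalidate.
        // (The original fetched with getSession(), which would create a session
        // only to invalidate it a few lines later.)
        final HttpSession oldSession = request.getSession(false);
        String productName = null;
        if (oldSession != null) {
            // Copy anything that must survive BEFORE invalidate(): invalidating a
            // session unbinds all of its attributes.
            productName = (String) oldSession.getAttribute("productName");
            // Session-fixation defence: the ID the browser presented before login is
            // never promoted to an authenticated session, whoever chose it.
            oldSession.invalidate();
        }

        // A fresh session gets a fresh ID; the container emits the new cookie with
        // this response, which is still uncommitted at this point (the forward
        // below is the first output).
        final HttpSession newSession = request.getSession(true);
        newSession.setAttribute("productName", productName);
        newSession.setAttribute("id", request.getParameter("id"));

        request.getRequestDispatcher("SesFixaPage2.jsp").forward(request, response);
    }
}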
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;

import net.sourceforge.jwebunit.junit.WebTester;
import net.sourceforge.jwebunit.util.TestContext;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
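public class SesFixaGuardTest {
    /** Base URL of the deployed demo application. */
    private static final String BASE_URL = "http://localhost:8080/Wasbook";
    /** Cookie name=value prefix searched for in the Set-Cookie header. */
    private static final String JSESSIONID_PREFIX = "JSESSIONID=";

    private TestContext context;
    private static WebTester webTester;

    /** Called once before any test method: creates the shared browser emulator. */
    @BeforeClass
    public static void prepareTest() throws Exception {
        webTester = new WebTester();
    }

    /** Called before each test method: points the tester at the application base URL. */
    @Before
    public void setup() throws Exception {
        context = webTester.getTestContext();
        context.setBaseUrl(BASE_URL);
    }

    /** Smoke test: the index page is reachable and shows its heading text. */
    @Test
    public void connectTest() throws Exception {
        // Relative path to open under the base URL.
        webTester.beginAt("/SesFixaIndex.html");
        // Assert that the page body contains the given text.
        webTester.assertTextPresent("商品をカートに入れる(ログイン前)");
    }

    /** Index -> Page1: the posted product name is echoed back from the session. */
    @Test
    public void index2Page1Test() throws Exception {
        // index
        webTester.beginAt("/SesFixaIndex.html");
        webTester.setTextField("productName", "おいしいご飯");
        webTester.submit();
        // Page1
        webTester.assertTitleEquals("商品選択画面");
        webTester.assertTextPresent("カートに入った商品:おいしいご飯");
    }

    /**
     * Page1 -> Page2: after "login" the cart item is preserved AND the JSESSIONID
     * issued by the server differs from the one issued before login.
     *
     * <p>The original assertion was {@code assertFalse(sessionId == setCookieStr)},
     * a reference comparison between the extracted ID and the raw header string;
     * two distinct String objects are never {@code ==}, so that check could not fail.
     * The ID values are now compared with {@code equals}.
     */
    @Test
    public void page12Page2Test() throws Exception {
        // index
        webTester.beginAt("/SesFixaIndex.html");
        webTester.setTextField("productName", "おいしいご飯");
        webTester.submit();
        // Page1
        webTester.assertTextPresent("カートに入った商品:おいしいご飯");

        // Session ID before login: taken from the Set-Cookie header of the Page1 response.
        String setCookieStr = webTester.getAllHeaders().get("Set-Cookie");
        assertNotNull("no Set-Cookie header on the pre-login response", setCookieStr);
        String sessionIdBeforeLogin = getJSESSIONID(setCookieStr);
        assertNotNull("no JSESSIONID in pre-login Set-Cookie: " + setCookieStr, sessionIdBeforeLogin);

        webTester.setTextField("id", "試験テスト");
        webTester.submit();
        // Page2
        webTester.assertTitleEquals("ログインしました画面");
        webTester.assertTextPresent("ユーザID:試験テスト");
        webTester.assertTextPresent("カートに入った商品:おいしいご飯");

        // Session ID after login. A rotated ID is delivered as a NEW Set-Cookie, so a
        // missing header here is itself a failure, not a reason to skip the check.
        // NOTE(review): getAllHeaders() appears to be a name->value map; if the container
        // sends several Set-Cookie headers only one may be visible here — confirm.
        setCookieStr = webTester.getAllHeaders().get("Set-Cookie");
        assertNotNull("no Set-Cookie header after login: session ID was not regenerated", setCookieStr);
        String sessionIdAfterLogin = getJSESSIONID(setCookieStr);
        assertNotNull("no JSESSIONID in post-login Set-Cookie: " + setCookieStr, sessionIdAfterLogin);

        // Value comparison: the IDs must differ for the fixation defence to hold.
        assertFalse("session ID was not changed by login: " + sessionIdAfterLogin,
                sessionIdBeforeLogin.equals(sessionIdAfterLogin));
    }

    /**
     * Extracts the JSESSIONID value from a Set-Cookie header string.
     *
     * <p>The original used {@code lastIndexOf(";")} as the end index, which throws
     * when the last ';' precedes the cookie (or is absent); this version takes the
     * first ';' after the value, or the end of the string.
     *
     * @param setCookieStr raw Set-Cookie header value, may be null
     * @return the session ID value (without the {@code JSESSIONID=} prefix),
     *         or null when the header is null or carries no JSESSIONID
     */
    private static String getJSESSIONID(String setCookieStr) {
        if (setCookieStr == null) {
            return null;
        }
        int start = setCookieStr.lastIndexOf(JSESSIONID_PREFIX);
        if (start < 0) {
            return null;
        }
        start += JSESSIONID_PREFIX.length();
        int end = setCookieStr.indexOf(';', start);
        return end < 0 ? setCookieStr.substring(start) : setCookieStr.substring(start, end);
    }
}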
<html> | |
<head> | |
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> | |
</head> | |
<body> | |
商品をカートに入れる(ログイン前) | |
<form action="SesFixaGuardFirstServlet" method="POST"> | |
商品名: <input name="productName" size="5"> | |
<input type="submit" value="ログイン画面に進む"> | |
</form> | |
</body> | |
</html> |
<%@ page language="java" contentType="text/html; charset=UTF-8" | |
pageEncoding="UTF-8"%> | |
<%@ page import="jp.co.test.wasbook.nakayama.sessionFixation.Util" %> | |
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> | |
<html> | |
<head> | |
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> | |
<title>商品選択画面</title> | |
</head> | |
<body> | |
カートに入った商品:<%= Util.escapeHTML( (String)session.getAttribute("productName") ) %><br /> | |
<!-- 一応確認用 --> | |
ログイン前セッションID:<%= Util.escapeHTML(session.getId()) %> <br /> | |
<form action="SesFixaGuardSecondServlet" method="POST"> | |
ユーザID : <input name="id" size="5"> | |
<input type="submit" value="ログイン"> | |
</form> | |
</body> | |
</html> |
<%@ page language="java" contentType="text/html; charset=UTF-8" | |
pageEncoding="UTF-8"%> | |
<%@ page import="jp.co.test.wasbook.nakayama.sessionFixation.Util" %> | |
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> | |
<html> | |
<head> | |
<title>ログインしました画面</title> | |
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> | |
</head> | |
<body> | |
ログインしました! | |
ユーザID:<%= Util.escapeHTML( (String)session.getAttribute("id") ) %> <br /> | |
カートに入った商品:<%= Util.escapeHTML( (String)session.getAttribute("productName") ) %><br /> | |
<!-- 一応確認用 --> | |
ログイン後のセッションID:<%= Util.escapeHTML(session.getId()) %> <br /> | |
</body> | |
</html> |
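public class Util {

    /**
     * Returns the given string with the five HTML-significant characters replaced
     * by character references, so it can be emitted inside element content or a
     * quoted attribute value without being interpreted as markup.
     *
     * <p>Differences from the original: a null argument yields {@code ""} instead of
     * a NullPointerException (the JSPs pass session attributes straight in, which are
     * null when the session is new), and the apostrophe is written as {@code &#39;}
     * because {@code &apos;} is not defined in HTML 4.01 — the doctype the JSPs declare.
     *
     * @param str text to escape; null is treated as the empty string
     * @return the escaped text, never null
     */
    public static String escapeHTML(String str) {
        if (str == null) {
            return "";
        }
        // Repeated appends: use a builder (no synchronization needed, unlike StringBuffer).
        StringBuilder escaped = new StringBuilder(str.length() + 16);
        for (int i = 0; i < str.length(); i++) {
            char c = str.charAt(i);
            switch (c) {
                case '<':
                    escaped.append("&lt;");
                    break;
                case '>':
                    escaped.append("&gt;");
                    break;
                case '&':
                    escaped.append("&amp;");
                    break;
                case '"':
                    escaped.append("&quot;");
                    break;
                case '\'':
                    // Numeric reference: valid in every HTML version, unlike &apos;.
                    escaped.append("&#39;");
                    break;
                default:
                    escaped.append(c);
            }
        }
        return escaped.toString();
    }
}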