Teaching example project for course-design practical training based on the Struts+Spring+JDBC architecture: Online Banking Account Management System. Separating the data-validation logic from the business-dispatch logic in the Servlet classes
1.1.1 Separating the data-validation logic from the business-dispatch logic in the front-end user-information / account-information management Servlet classes

1. Add a filter component base class for validating the methods of all Servlet classes

(1) The class is named CheckAllWebFormBaseFilter; its package and the interface it implements are shown in the code below.

(2) Program the CheckAllWebFormBaseFilter class so that it provides the shared functionality

    package com.px1987.webbank.filter;

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;
    import com.px1987.webbank.config.TargetPageNameConfig;

    /* This Filter component is the base Filter provided for the J2EE Web layer */
    public class CheckAllWebFormBaseFilter implements Filter {

        protected String checkAllWebFormBaseFilter_errorInfoTargetPage = null;

        public CheckAllWebFormBaseFilter() {
        }

        public void destroy() {
        }

        /* Shared pre-processing: set the request encoding. Subclasses call this
           first and then decide for themselves whether to continue the chain. */
        public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain filterChain) throws IOException, ServletException {
            request.setCharacterEncoding("GBK");
        }

        /* Returns the verification code stored in the session of the current request.
           Looked up per request instead of being kept in a field: one Filter instance
           serves all requests concurrently, so per-request data must not live in fields. */
        protected String getVerifyCodeInSession(ServletRequest request) {
            HttpSession session = ((HttpServletRequest) request).getSession();
            return (String) session.getAttribute("verifyCode");
        }

        public void init(FilterConfig arg0) throws ServletException {
            /* Reads the property item defined in step (3) below; here it is taken
               from the filter's init-parameter of the same name */
            checkAllWebFormBaseFilter_errorInfoTargetPage =
                    arg0.getInitParameter("checkAllWebFormBaseFilter_errorInfoTargetPage");
        }
    }

(3) Define the corresponding property item in the file

2. Add a filter that validates the individual methods of the UserInfoManageServlet class (/userInfoManageAction.action)

(1) The class is named FormRequestTransferCoding, lives in the package shown in the code below, and extends the CheckAllWebFormBaseFilter class above.

(2) Program the FormRequestTransferCoding class

    package com.px1987.webbank.filter;

    import java.io.IOException;
    import java.util.Date;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.RequestDispatcher;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import org.apache.commons.validator.GenericValidator;
    import com.px1987.webbank.config.TargetPageNameConfig;
    import com.px1987.webbank.exception.WebBankException;
    import com.px1987.webbank.model.vo.AccountInfoVO;
    import com.px1987.webbank.util.MD5JavaBean;

    public class FormRequestTransferCoding extends CheckAllWebFormBaseFilter {

        public FormRequestTransferCoding() {
            super();
        }

        public void destroy() {
        }

        public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain filterChain) throws IOException, ServletException {
            super.doFilter(request, response, filterChain);
            boolean checkResult = true;
            String action = request.getParameter("action");
            /* Obtain the request type and dispatch to the matching check method.
               The constant is placed first so that a missing "action" parameter
               does not cause a NullPointerException. */
            if ("doUserLogin".equals(action)) {
                checkResult = checkDoUserLoginForm(request);
            } else if ("doGetPassWord".equals(action)) {
                checkResult = checkDoGetPassWordForm(request);
            } else if ("doGetUserPassWordAndUpdate".equals(action)) {
                checkResult = checkDoGetUserPassWordAndUpdateForm(request);
            } else if ("doUpdateUserPassWord".equals(action)) {
                checkResult = checkDoUpdateUserPassWordForm(request);
            } else if ("doAddNewAccountInfo".equals(action)) {
                checkResult = checkDoAddNewAccountInfoForm(request);
            } else if ("doGetOutMoney".equals(action)) {
                checkResult = checkDoGetOutMoneyForm(request);
            } else if ("doTransmitAccount".equals(action)) {
                checkResult = checkDoTransmitAccountForm(request);
            }
            if (!checkResult) {
                /* Validation failed: forward to the error page and stop the chain */
                RequestDispatcher oneRequestDispatcher =
                        request.getRequestDispatcher(checkAllWebFormBaseFilter_errorInfoTargetPage);
                oneRequestDispatcher.forward(request, response);
                return;
            }
            filterChain.doFilter(request, response);
        }

        public void init(FilterConfig arg0) throws ServletException {
            super.init(arg0);
        }

        /* Shared check that the verification code entered matches the one in the session */
        private boolean checkVerifyCode(ServletRequest request) {
            String verifyCodeDigitInputed = request.getParameter("verifyCodeDigit");
            if (GenericValidator.isBlankOrNull(verifyCodeDigitInputed)) {
                request.setAttribute("errorText", "验证码不能为空!请输入本网站所提供的6位验证码!");
                return false;
            }
            if (!verifyCodeDigitInputed.equals(getVerifyCodeInSession(request))) {
                request.setAttribute("errorText", "您的验证码不正确,请输入本网站所提供的6位验证码!");
                return false;
            }
            return true;
        }

        /* Shared blank and length checks for a password field; label is "用户密码" or "用户新密码" */
        private boolean checkPassWordField(ServletRequest request, String passWord, String label) {
            if (GenericValidator.isBlankOrNull(passWord)) {
                request.setAttribute("errorText", label + "名称不能为空!请输入您的" + label + "!");
                return false;
            }
            if (!GenericValidator.maxLength(passWord, 18)) {
                request.setAttribute("errorText", label + "不能超过18位!");
                return false;
            }
            if (!GenericValidator.minLength(passWord, 4)) {
                request.setAttribute("errorText", label + "不能小于4位!");
                return false;
            }
            return true;
        }

        /* Shared check of the new password and its confirmation */
        private boolean checkNewPassWordAndConfirm(ServletRequest request) {
            String userNewPassWord = request.getParameter("oneUserPassWordBean.userNewPassWord");
            if (!checkPassWordField(request, userNewPassWord, "用户新密码")) {
                return false;
            }
            String confirmPassWord = request.getParameter("oneUserPassWordBean.confirmPassWord");
            if (!userNewPassWord.equals(confirmPassWord)) {
                request.setAttribute("errorText", "确认密码应该与用户新密码保持一致!");
                return false;
            }
            return true;
        }

        public boolean checkDoAddNewAccountInfoForm(ServletRequest request) {
            if (!checkVerifyCode(request)) {
                return false;
            }
            String balance = request.getParameter("balance");
            if (!GenericValidator.isFloat(balance)) {
                request.setAttribute("errorText", "存款金额必须为数字!请重新输入您的存款金额!");
                return false;
            }
            String accountInfo_ActionType = request.getParameter("accountInfo_ActionType");
            if (!GenericValidator.isInt(accountInfo_ActionType)) {
                /* Guard so that a missing or non-numeric type does not throw NumberFormatException */
                request.setAttribute("errorText", "操作类型无效!请重新选择!");
                return false;
            }
            switch (Integer.parseInt(accountInfo_ActionType)) {
            case 1: /* Open an account */
                String idCard = request.getParameter("idCard");
                if (Float.parseFloat(balance) < 1.0f) {
                    request.setAttribute("errorText", "开户存款金额必须大于1元人民币!请重新输入您的开户存款金额!");
                    return false;
                }
                if (GenericValidator.isBlankOrNull(idCard)) {
                    request.setAttribute("errorText", "您的身份证号输入不能为空!请输入您的有效身份证号!");
                    return false;
                }
                if (idCard.length() != 18) {
                    request.setAttribute("errorText", "有效身份证号应该是18位数字!请输入您的有效身份证号!");
                    return false;
                }
                break;
            case 2: /* Add a deposit */
                String accountID = request.getParameter("accountID");
                if (GenericValidator.isBlankOrNull(accountID)) { /* a select box may have no item chosen */
                    request.setAttribute("errorText", "请选择您的存款帐号!");
                    return false;
                }
                break;
            }
            return true;
        }

        public boolean checkDoGetOutMoneyForm(ServletRequest request) {
            if (!checkVerifyCode(request)) {
                return false;
            }
            String idCard = request.getParameter("idCard");
            if (GenericValidator.isBlankOrNull(idCard)) {
                request.setAttribute("errorText", "您的身份证号输入不能为空!请输入您的有效身份证号!");
                return false;
            }
            if (idCard.length() != 18) {
                request.setAttribute("errorText", "有效身份证号应该是18位数字!请输入您的有效身份证号!");
                return false;
            }
            String accountInfo_ActionType = request.getParameter("accountInfo_ActionType");
            if (!GenericValidator.isInt(accountInfo_ActionType)) {
                /* Guard so that a missing or non-numeric type does not throw NumberFormatException */
                request.setAttribute("errorText", "操作类型无效!请重新选择!");
                return false;
            }
            switch (Integer.parseInt(accountInfo_ActionType)) {
            case 1: /* Withdraw an amount */
                String balance = request.getParameter("balance");
                if (!GenericValidator.isFloat(balance)) {
                    request.setAttribute("errorText", "取款金额必须为数字!请重新输入您的取款金额!");
                    return false;
                }
                break;
            case 2: /* Close the account */
                String userPassWord = request.getParameter("userPassWord");
                if (GenericValidator.isBlankOrNull(userPassWord)) {
                    request.setAttribute("errorText", "您的帐户密码不能为空!请输入您的有效帐户密码!");
                    return false;
                }
                break;
            }
            return true;
        }

        public boolean checkDoTransmitAccountForm(ServletRequest request) {
            if (!checkVerifyCode(request)) {
                return false;
            }
            String balance = request.getParameter("balance");
            if (!GenericValidator.isFloat(balance)) {
                request.setAttribute("errorText", "取款金额必须为数字!请重新输入您的取款金额!");
                return false;
            }
            return true;
        }

        public boolean checkDoUserLoginForm(ServletRequest request) {
            if (!checkVerifyCode(request)) {
                return false;
            }
            /* Server-side validation of the items entered in the login form */
            String userName = request.getParameter("userName");
            String userPassWord = request.getParameter("oneUserPassWordBean.userPassWord");
            if (GenericValidator.isBlankOrNull(userName)) {
                request.setAttribute("errorText", "用户名称不能为空!请输入您的用户名称!");
                return false;
            }
            return checkPassWordField(request, userPassWord, "用户密码");
        }

        public boolean checkDoGetPassWordForm(ServletRequest request) {
            if (!checkVerifyCode(request)) {
                return false;
            }
            String passWordAsk = request.getParameter("oneUserPassWordBean.passWordAsk");
            String passWordAnswer = request.getParameter("oneUserPassWordBean.passWordAnswer");
            if (GenericValidator.isBlankOrNull(passWordAsk)) {
                request.setAttribute("errorText", "找回密码时的回答问题不能为空!");
                return false;
            }
            if (GenericValidator.isBlankOrNull(passWordAnswer)) {
                request.setAttribute("errorText", "找回密码时的回答问题的答案不能为空!");
                return false;
            }
            return true;
        }

        public boolean checkDoGetUserPassWordAndUpdateForm(ServletRequest request) {
            return checkNewPassWordAndConfirm(request);
        }

        public boolean checkDoUpdateUserPassWordForm(ServletRequest request) {
            if (!checkVerifyCode(request)) {
                return false;
            }
            String userName = request.getParameter("userName");
            String userPassWord = request.getParameter("oneUserPassWordBean.userPassWord");
            if (GenericValidator.isBlankOrNull(userName)) {
                request.setAttribute("errorText", "用户名称不能为空!请输入您的用户名称!");
                return false;
            }
            if (!checkPassWordField(request, userPassWord, "用户密码")) {
                return false;
            }
            return checkNewPassWordAndConfirm(request);
        }
    }

(3) Configure the FormRequestTransferCoding filter component

    <filter>
        <filter-name>formRequestTransferCoding</filter-name>
        <filter-class></filter-class>
    </filter>
    <filter-mapping>
        <filter-name>formRequestTransferCoding</filter-name>
        <url-pattern>/userInfoManageAction.action</url-pattern>
    </filter-mapping>

(4) Exercise functions such as logging in to the system to test the effect of the FormRequestTransferCoding filter component class: test the error produced when the verification code is not entered correctly.

Filtering special strings out of SQL statements

The following is typical JDBC access code:

    Statement stmt = conn.createStatement();
    String checkUser = "select * from login where username = '" + userName
            + "' and userpassword = '" + userPassword + "'";
    ResultSet rs = stmt.executeQuery(checkUser);
    if (rs.next()) {
        response.sendRedirect("SuccessLogin.jsp");
    } else {
        response.sendRedirect("FailureLogin.jsp");
    }

But if the database contains a user named "yang", then without knowing the password there are at least the following ways to log in:

    User name: yang            Password: ' or 'a'='a
    User name: yang            Password: ' or 1=1/*
    User name: yang' or 1=1/*  Password: (anything)

Therefore, the received user-name and password strings should be filtered for special characters so that no "back door" is left open.

    if (userName.equals("") || userPswd.equals("")) {
        throw new UserException("用户名或密码不能空。");
    }
    if (userName.indexOf("'") != -1 || userName.indexOf("\"") != -1 || userName.indexOf(",") != -1) {
        throw new UserException("用户名不能包括 ' \" , 等非法字符。");
    }
    if (userPswd.indexOf("'") != -1 || userPswd.indexOf("\"") != -1 || userPswd.indexOf("*") != -1) {
        throw new UserException("密码不能包括 ' \" * 等非法字符。");
    }
    if (userName.startsWith(" ") || userPswd.startsWith(" ")) {
        throw new UserException("用户名或密码中不能用空格。");
    }

3. Add a filter that validates the individual methods of the UserRegisterAndUpdateServlet class (/registerAndUpdateAction.action)

(1) The class is named CheckUserRegisterAndUpdateFilter, lives in the package shown in the code below, and extends the CheckAllWebFormBaseFilter class above.

(2) Program the CheckUserRegisterAndUpdateFilter class. Note: in this class the usual way of reading form data cannot be used, because the form includes a file-upload function. Also, because DiskFileItemFactory is applied directly inside the Filter to obtain the form's request parameters, the Servlet component reads the form parameters that CheckUserRegisterAndUpdateFilter forwards to it.

    package com.px1987.webbank.filter;

    import java.io.IOException;
    import java.util.HashMap;
    import java.util.List;
    import java.util.Map;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;
    import org.apache.commons.fileupload.FileItem;
    import org.apache.commons.fileupload.FileUploadException;
    import org.apache.commons.fileupload.disk.DiskFileItemFactory;
    impo
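Returning to the login query shown under step 2 (4): the following is an added example, not the project's own code, of the same check written with a PreparedStatement, the mitigation that makes a character blacklist unnecessary for protecting the SQL statement itself. It assumes a JDBC Connection already opened by the caller and Java 7 or later; the class name LoginCheck is made up here, while the table and column names come from the page's query.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/* Added example: parameterised replacement for the string-concatenated
   "select * from login where ..." query. The class name is hypothetical. */
public class LoginCheck {

    /* Returns true when exactly one row of the login table matches the
       supplied credentials. Both values are bound as parameters, so an
       input such as ' or 'a'='a is compared as literal text and can never
       change the structure of the WHERE clause. */
    public static boolean isValidLogin(Connection conn, String userName, String userPassword)
            throws SQLException {
        if (userName == null || userPassword == null
                || userName.trim().isEmpty() || userPassword.trim().isEmpty()) {
            return false;   // empty credentials fail fast, as the page's own check does
        }
        String sql = "select count(*) from login where username = ? and userpassword = ?";
        try (PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setString(1, userName);       // driver escapes/binds the value
            stmt.setString(2, userPassword);   // no quoting is done by this code
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next() && rs.getInt(1) == 1;
            }
        }
    }
}
```

The length rules from checkDoUserLoginForm (4 to 18 characters) still belong in the filter; they are format validation, not SQL protection, and the two are kept separate on purpose.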
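For the note under step 3 (2), here is an added example, not the project's CheckUserRegisterAndUpdateFilter, of reading a multipart register/update form once in a filter with DiskFileItemFactory and handing the text fields to the servlet as a request attribute. The class name MultipartFormReader, the attribute name formFields and the two size limits are assumptions; it needs commons-fileupload 1.2 or later.

```java
import java.io.UnsupportedEncodingException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/* Added example (hypothetical class): the request body can only be parsed
   once, so the filter parses it and passes the plain fields on as an attribute. */
public class MultipartFormReader {

    public static final String FORM_FIELDS_ATTR = "formFields";   // attribute name: assumed

    private static final long MAX_FILE_BYTES = 512 * 1024;        // assumed limits; without
    private static final long MAX_REQUEST_BYTES = 1024 * 1024;    // them any client can fill the disk

    /* Returns the text fields of the form and appends uploaded files to
       uploadedFiles for the servlet. Returns null when the request is not multipart. */
    public static Map<String, String> readFields(HttpServletRequest request,
            List<FileItem> uploadedFiles) throws FileUploadException, UnsupportedEncodingException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            return null;
        }
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileSizeMax(MAX_FILE_BYTES);     // per-file cap
        upload.setSizeMax(MAX_REQUEST_BYTES);      // whole-request cap
        upload.setHeaderEncoding("GBK");           // matches the page's request encoding

        Map<String, String> fields = new HashMap<String, String>();
        List<?> items = upload.parseRequest(request);   // raw List in older releases
        for (Object o : items) {
            FileItem item = (FileItem) o;
            if (item.isFormField()) {
                fields.put(item.getFieldName(), item.getString("GBK"));
            } else {
                uploadedFiles.add(item);
            }
        }
        // the servlet reads request.getAttribute(FORM_FIELDS_ATTR) instead of getParameter
        request.setAttribute(FORM_FIELDS_ATTR, fields);
        return fields;
    }
}
```

A FileUploadException raised by the size caps should be turned into the same errorText forward that the other filters use, so the servlet is never reached with an over-sized request.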