작성자: 전은수팀장/오픈이지 보안기술팀
1. jcaptcha-1.0-all.jar와 commons-collections-3.2.1.jar를 lib에 넣는다
D:\javaDev\workspace\openeg\WebContent\WEB-INF\lib
2. write.jsp에 다음 내용을 추가한다
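<%-- The hidden field carries the captcha id, which this sample derives from the session id;
     processCaptcha() in BoardController compares it against the current session before validating. --%>
<%-- NOTE(review): echoing session.getId() into page markup exposes the session id to anything that
     can read the DOM, which an HttpOnly cookie is meant to prevent; a random per-challenge token
     stored in the session would serve the same purpose without revealing the id. --%>
<input type="hidden" name="hidCaptchaID" value="<%= session.getId() %>"/>
Enter these letters: <img class="captcha" src="getCaptcha.do"
align="middle" alt="Enter the characters appearing in this image" border="10"/>
<input type="text" name="inCaptchaChars"/>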
3. MyCaptchaService.java를 작성한다
package kr.co.openeg.lab.test;
import com.octo.captcha.service.image.ImageCaptchaService;
import com.octo.captcha.service.image.DefaultManageableImageCaptchaService;
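/**
 * Holds the single application-wide jcaptcha {@link ImageCaptchaService}.
 *
 * <p>Both the image endpoint ({@code getImageChallengeForID}) and the validator
 * ({@code validateResponseForID}) reach the service through {@link #getInstance()},
 * so a challenge issued under an id can later be checked against the same instance.
 */
public class MyCaptchaService {
    // Created once at class-load time and never reassigned; `final` makes that explicit
    // and prevents accidental replacement of the service that holds live challenges.
    private static final ImageCaptchaService INSTANCE = new DefaultManageableImageCaptchaService();

    /**
     * Returns the shared captcha service.
     *
     * @return the one {@link ImageCaptchaService} used by this application
     */
    public static ImageCaptchaService getInstance() {
        return INSTANCE;
    }
}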
4. BoardController.java에 다음 내용을 추가한다.
/////////////////////////////////////////////////
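/**
 * Serves a fresh CAPTCHA image bound to the caller's HTTP session.
 *
 * <p>The challenge is generated under the session id, which is what
 * {@code processCaptcha} later validates against, and any stale
 * {@code PassedCaptcha} flag is cleared so the new challenge must be solved.
 * The response is marked non-cacheable so every load yields a new image.
 *
 * <p>NOTE(review): using the session id as the captcha id means it is also
 * echoed into write.jsp as a hidden field; a random per-challenge token kept
 * in the session would avoid exposing the session id in page markup.
 *
 * @param request  the incoming GET; a query string is rejected as a bad request
 * @param response receives the PNG bytes, or an error status on failure
 * @throws ServletException declared for the servlet contract; not raised here
 * @throws IOException if the response stream cannot be written
 */
@RequestMapping(value = "/getCaptcha.do")
protected void getCaptcha(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    final String imgType = "png";
    // A query string on this endpoint is a malformed client request, not a server fault.
    if (request.getQueryString() != null) {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                "GET request should have no query string.");
        return;
    }
    byte[] captchaBytes;
    try {
        // Session ID is used to identify the particular captcha.
        String captchaId = request.getSession().getId();
        // Generate the captcha image.
        BufferedImage challengeImage = MyCaptchaService.getInstance()
                .getImageChallengeForID(captchaId, request.getLocale());
        ByteArrayOutputStream imgOutputStream = new ByteArrayOutputStream();
        // ImageIO.write returns false when no writer exists for the format; without
        // this check the client would get a 200 with an empty body.
        if (!ImageIO.write(challengeImage, imgType, imgOutputStream)) {
            System.out.println("No ImageIO writer available for format " + imgType);
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "Problem generating captcha image.");
            return;
        }
        captchaBytes = imgOutputStream.toByteArray();
        // Clear any existing flag so an earlier solved challenge cannot be reused.
        request.getSession().removeAttribute("PassedCaptcha");
    } catch (CaptchaServiceException cse) {
        System.out.println("CaptchaServiceException - " + cse.getMessage());
        response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                "Problem generating captcha image.");
        return;
    } catch (IOException ioe) {
        System.out.println("IOException - " + ioe.getMessage());
        response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                "Problem generating captcha image.");
        return;
    }
    // Never cache: each request must produce a new challenge for this session.
    response.setHeader("Cache-Control", "no-store");
    response.setHeader("Pragma", "no-cache");
    response.setDateHeader("Expires", 0);
    response.setContentType("image/" + (imgType.equalsIgnoreCase("png") ? "png" : "jpeg"));
    response.setContentLength(captchaBytes.length);
    // try-with-resources closes the stream even when write() throws.
    try (ServletOutputStream outStream = response.getOutputStream()) {
        outStream.write(captchaBytes);
        outStream.flush();
    }
}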
///////////////////////////////////////
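/**
 * Checks the CAPTCHA answer posted with a form.
 *
 * <p>Reads the {@code hidCaptchaID} and {@code inCaptchaChars} fields, requires
 * the submitted id to equal the current session id, validates the answer through
 * {@link #validateCaptcha(String, String)} and records the outcome in the session
 * attribute {@code PassedCaptcha}.
 *
 * @param request the form request carrying the two captcha fields
 * @return {@code true} only when both fields are present, the id matches the
 *         session and the answer is accepted; {@code false} otherwise
 */
protected boolean processCaptcha(HttpServletRequest request) {
    // getParameter yields the first value or null when the field is absent, which
    // replaces the unchecked String[] cast and the separate empty-map check.
    String incomingCaptchaId = request.getParameter("hidCaptchaID");
    String inputChars = request.getParameter("inCaptchaChars");
    // Null-check before any use: the previous version dereferenced the values first
    // and threw NullPointerException on a request missing either field.
    if (incomingCaptchaId == null || inputChars == null) {
        return false;
    }
    String sessId = request.getSession().getId();
    // Check validity and consistency of the data. The session id is not logged:
    // it is a credential and must stay out of stdout/log files.
    if (sessId == null || !sessId.equals(incomingCaptchaId)) {
        return false;
    }
    // Validate whether input from user is correct.
    System.out.println("Validating - inputChars are: " + inputChars);
    boolean passedCaptchaTest = validateCaptcha(incomingCaptchaId, inputChars);
    System.out.println(passedCaptchaTest);
    // Set flag into session; Boolean.valueOf avoids the deprecated Boolean constructor.
    request.getSession().setAttribute("PassedCaptcha", Boolean.valueOf(passedCaptchaTest));
    return passedCaptchaTest;
}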
///////////////////////////////////////////////
/**
 * Asks the shared captcha service whether {@code inputChars} answers the
 * challenge that was issued under {@code captchaId}.
 *
 * @param captchaId  id the image challenge was generated for
 * @param inputChars the characters typed by the user
 * @return {@code true} when the service accepts the answer; {@code false} on a
 *         wrong answer or when the service throws {@code CaptchaServiceException}
 */
private boolean validateCaptcha(String captchaId, String inputChars) {
    try {
        return MyCaptchaService.getInstance().validateResponseForID(captchaId, inputChars);
    } catch (CaptchaServiceException cse) {
        // Presumably raised when no challenge exists for this id (never issued,
        // expired or already consumed) — TODO confirm; either way it is a failed check.
        cse.printStackTrace();
        return false;
    }
}
//////////////////////////////////////////////////
@RequestMapping(value="/write.do", method=RequestMethod.POST)
public String boardWriteProc(@ModelAttribute("BoardModel") BoardModel boardModel,
MultipartHttpServletRequest request, HttpSession session){
if(!processCaptcha(request)){
System.out.println("captcha test fail!");
session.setAttribute("writeErrorCode", 3);
return "redirect:list.do";
}
MultipartFile file = request.getFile("file");
...