网络安全导论 实验2B 网络投票系统的实现与安全性分析

实验2B网络投票系统的实现与安全性分析一、实验目的1.学会配置JSP运行环境，初步熟悉WEB应用程序的开发过程。2.通过对一个投票系统的安全性分析，理解系统的设计者、审核者和相关管理机构的责任。二、实验准备1．网络通信中最常见的模式是B/S模式，即用户使用浏览器向某个服务器发出请求，服务器进行必要的处理后，将有关信息发给用户浏览器。在B/S模式下，服务器上必须有所谓的WEB应用程序。常用的WEB应用程序技术有JSP和ASP。JSP程序（页面）需要一个JSP引擎来运行，这个引擎就是JSP的WEB服务器Tomcat。2．在设计WEB应用时，服务器在很多情况下需要将用户提供的数据保存在在服务器端，本实验需要首先在一台机器上同时安装Tomcat服务器和Mysql数据库服务器，本实验的架构如图2-2所示：图2-2本实验的Web架构3.对于网络投票系统而言，其安全性相当重要，请读者参考教材相关内容，分析并给出网络投票系统的安全性要求，并分析相关实现办法。三、实验内容1.在Win10操作系统下下安装配置JSP运行环境（1）安装JDK1.8，设置环境变量。（2）检验安装配置是否正确。（3）安装与启动Tomcat。（4）测试：在浏览器中输入地址：http://localhost:8080,测试服务器是否成功启动。2、连接mysql数据库利用mysql-connector-java-5.1.14-bin.jar驱动包连接数据库。3.调试、运行和分析一个投票系统。首先需要创建一个数据库vote_db，将该数据库设置为一个数据源。该库有两张表candidate和user,其中candidate表有id,person和acount三个字段，用来存放候选人的id，名称和得票数；user表有id,username,idcard,password和state，用来存放投票者的id，用户名，身份证，密码和状态。本投票系统由index.jsp和stat.jsp两个页面组成，index.jsp按照user表中的候选人生成一个投票表单，用户使用该表单投票，stat.jsp是投票完成系统页面。index.jsp//投票页面<%@pagelanguage="java"contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%><%@tagliburi="/jsp/jstl/core"prefix="c"%><!DOCTYPEhtml><htmllang="zh-cn"><head><metahttp-equiv="Content-Type"content="text/html;charset=UTF-8"><metaname="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=no"><!--SEO优化--><metaname="keywords"content="投票"><metaname="author"content="teamchen"><title>TeamChen投票案例</title><!--导入Bootstrap相关包--><linkrel="stylesheet"href="css/bootstrap.min.css"></head><body> <divclass="container-fluid"> <divclass="jumbotron"> <h1>欢迎参与投票</h1> <br/> <p>组长：陈璐140104300205</p> <p>组员：王春晓140104300123</p> <c:choose> <c:whentest="${user.username==null}"> <p> <aclass="btnbtn-primarybtn-lg"data-toggle="modal" data-target="#loginOrRegister">请验证您的身份信息</a> <pclass="bg-danger">${unLogin}</p> <pclass="bg-danger">${warning}</p> </p> </c:when> <c:whentest="${user.username!=null}"> <p> <aclass="btnbtn-primarybtn-lg"href="logout">您好！${user.username}。安全退出</a> </p> </c:when> </c:choose> </div> <formid="doVote"action="doVote"method="post"> <tableclass="tabletable-hover"> <trclass="active"> <pclass="lead">您最喜欢的课程？</p> </tr> <c:forEachitems="${canList}"var="candidate"> <tr> <td><labelid="chk_candidate"class="checkbox"><inputtype="radio" name="cid"id="candidate_id"value="${candidate.id}"> ${candidate.person} </label></td> </tr> </c:forEach> </table> <buttontype=submitclass="btnbtn-primary">提交</button> </form> </div> <!--Modal--> <divclass="modalfade"id="loginOrRegister"tabindex="-1" role="dialog"aria-labelledby="myModalLabel"> <divclass="modal-dialog"role="document"> <divclass="modal-content"> <divclass="modal-header"> <buttontype="button"class="close"data-dismiss="modal" aria-label="Close"> <spanaria-hidden="true">×</span> </button> <h4class="modal-title"id="myModalLabel">请验证您的身份信息</h4> </div> <divclass="modal-body"> <divclass="tab-content"id="userInfoTabContent"> <divclass="tab-panefadeinactive"id="register"> <formaction="register"method="post"> <divclass="form-group"> <labelfor="exampleInputEmail1">姓名</label><inputtype="text" class="form-control"name="username"placeholder="姓名"> </div> <divclass="form-group"> <labelfor="exampleInputPassword1">身份证号码</label><input type="password"class="form-control"name="idcard" placeholder="身份证号码"> </div> <divclass="form-group"> <labelfor="exampleInputPassword1">密码</label><input type="password"class="form-control"name="password" placeholder="密码"> </div> <buttontype="submit"class="btnbtn-primary">确定</button> </form> </div> </div> </div> <divclass="modal-footer"> <buttontype="button"class="btnbtn-default"data-dismiss="modal">取消</button> </div> </div> </div> </div> <scriptsrc="js/jquery-1.11.1.min.js"></script> <scriptsrc="js/bootstrap.min.js"></script> <script> <%--functionisLoginAndSubmit(){ varusername="<%=session.getAttribute("user.username")%>"; varfmdovote=document.getElementById('doVote'); alert(fmdovote); //username默认为Null if(username==null){ alert("确定？"); }else{ alert("请先登录！"); fmdovote.onsubmit=function(){ returnfalse; }; } };--%> $("#doVote").submit(function(){ alert("确定提交吗？") }); </script></body></html>stat.jsp//投票成功页面<%@pagelanguage="java"contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"%><%@tagliburi="/jsp/jstl/core"prefix="c"%><!DOCTYPEhtml><htmllang="zh-cn"><head><metahttp-equiv="Content-Type"content="text/html;charset=UTF-8"><metaname="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=no"><!--SEO优化--><metaname="keywords"content="投票"><metaname="author"content="teamchen"><title>TeamChen投票案例</title><!--导入Bootstrap相关包--><linkrel="stylesheet"href="css/bootstrap.min.css"></head><body> <divclass="container"> 提交成功 </div> <scriptsrc="js/jquery-1.11.1.min.js"></script> <scriptsrc="js/bootstrap.min.js"></script></body></html>edu.bzsecure.pojo/Candidate.java//实体类packageedu.bzsecure.pojo;publicclassCandidate{privateIntegerid;privateStringperson;privateIntegeracount;publicIntegergetId(){returnid;}publicvoidsetId(Integerid){this.id=id;}publicStringgetPerson(){returnperson;}publicvoidsetPerson(Stringperson){this.person=person==null?null:person.trim();}publicIntegergetAcount(){returnacount;}publicvoidsetAcount(Integeracount){this.acount=acount;}}edu.bzsecure.pojo/User.java//实体类packageedu.bzsecure.pojo;publicclassUser{privateIntegerid;privateStringusername;privateStringidcard;privateStringpassword;privateIntegerstate;publicIntegergetId(){returnid;}publicvoidsetId(Integerid){this.id=id;}publicStringgetUsername(){returnusername;}publicvoidsetUsername(Stringusername){this.username=username==null?null:username.trim();}publicStringgetIdcard(){returnidcard;}publicvoidsetIdcard(Stringidcard){this.idcard=idcard==null?null:idcard.trim();}publicStringgetPassword(){returnpassword;}publicvoidsetPassword(Stringpassword){this.password=password==null?null:password.trim();}publicIntegergetState(){returnstate;}publicvoidsetState(Integerstate){this.state=state;}}edu.bzsecure.mapper/CandidateMapper.java//映射类packageedu.bzsecure.mapper;importjava.util.List;importedu.bzsecure.pojo.Candidate;publicinterfaceCandidateMapper{ //投票 voidupdateAcountById(Integercid);}edu.bzsecure.mapper/UserMapper.java//映射类packageedu.bzsecure.mapper;importedu.bzsecure.pojo.User;publicinterfaceUserMapper{intdeleteByPrimaryKey(Integerid);intinsert(Userrecord);intinsertSelective(Userrecord);}edu.bzsecure.controller/UserController.javapackageedu.bzsecure.controller;importjavax.servlet.http.HttpSession;importorg.springframework.beans.factory.annotation.Autowired;importorg.springframework.stereotype.Controller;importorg.springframework.web.bind.annotation.RequestMapping;importorg.springframework.web.bind.annotation.RequestParam;importedu.bzsecure.pojo.User;importedu.bzsecure.service.UserService;@ControllerpublicclassUserController{ @Autowired privateUserServiceuserService; @RequestMapping("/register") publicStringregister(HttpSessionsession, @RequestParam("username")Stringusername, @RequestParam("idcard")Stringidcard, @RequestParam("password")Stringpassword){ Useruser=newUser(); user.setUsername(username); user.setIdcard(idcard); user.setPassword(password); user.setState(1); userService.insertUser(user); session.setAttribute("user",user); return"redirect:/"; } @RequestMapping("/logout") publicStringregister(HttpSessionsession){ session.invalidate(); return"redirect:/"; } }edu.bzsecure.controller/PageController.javapackageedu.bzsecure.controller;importjava.util.ArrayList;importjava.util.List;importorg.springframework.beans.factory.annotation.Autowired;importorg.springframework.stereotype.Controller;importorg.springframework.ui.Model;importorg.springframework.web.bind.annotation.RequestMapping;importedu.bzsecure.pojo.Candidate;importedu.bzsecure.service.CandidateService;@ControllerpublicclassPageController{ @Autowired privateCandidateServicecandidateService; @RequestMapping("/") publicStringgetIndex(Modelmodel){ List<Candidate>canList=newArrayList<>(); canList=candidateService.findAllCandidate(); model.addAttribute("canList",canList); return"index"; } }edu.bzsecure.controller/UserController.javapackageedu.bzsecure.controller;importjavax.servlet.http.HttpServletRequest;importjavax.servlet.http.HttpSession;importorg.apache.solr.client.solrj.response.FacetField.Count;importorg.springframework.beans.factory.annotation.Autowired;importorg.springframework.stereotype.Controller;importorg.springframework.web.bind.annotation.RequestMapping;importorg.springframework.web.bind.annotation.RequestParam;importcom.alibaba.druid.sql.dialect.oracle.ast.stmt.OracleIfStatement.Else;importedu.bzsecure.pojo.User;importedu.bzsecure.service.DoVoteService;@ControllerpublicclassVoteController{ privateintCOUNT=1; @Autowired privateDoVoteServicedoVoteService; @RequestMapping("/doVote") publicStringdoVote(@RequestParam("cid")Stringcid,HttpServletRequestreq){ HttpSessionsession=req.getSession(); Useruser=(User)session.getAttribute("user"); if(user!=null&&COUNT==1){ doVoteService.updateAcountById(Integer.parseInt(cid)); COUNT=0; session.setAttribute("warning","您已经投过票了!"); return"stat"; }elseif(COUNT==0){ session.setAttribute("warning","您已经投过票了!"); return"redirect:/"; }else{ session.setAttribute("unLogin","←请先进行登录,再投票！"); return"redirect:/"; } } }edu.bzsecure.service.impl/CandidateService.javapackageedu.bzsecure.service.impl;importjava.util.ArrayList;importjava.util.List;importorg.springframework.beans.factory.annotation.Autowired;importorg.springframework.stereotype.Service;importedu.bzsecure.mapper.CandidateMapper;importedu.bzsecure.pojo.Candidate;importedu.bzsecure.service.CandidateService;@Service("c