I'm wondering how to protect the admin access file in this way:

    <?php
    $login = "Логин";
    $password = "пароль в MD5";   // the MD5 hex digest of the password, not the password itself
    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])
        || $_SERVER['PHP_AUTH_USER'] !== $login
        || md5($_SERVER['PHP_AUTH_PW']) !== $password) {
        header('WWW-Authenticate: Basic realm="Protection of the admin panel"');
        header('HTTP/1.0 401 Unauthorized');
        exit("Пошел вон от сюда !");
    }

I know how to set up this kind of protection on the server, but the admin panel on the server, or rather iweb, is written in JSP and it is very easy to hack. I would also like to protect the authorization page in this way. How do I do it? The authorization page looks like this:

    <%@page contentType="text/html; charset=UTF-8"%>
    <%@page import="java.io.*"%>
    <%@page import="java.util.*"%>
    <%
    boolean showTag = false;
    if (request.getSession().getAttribute("username") != null) showTag = true;
    boolean Proc = false;
    if (request.getParameter("password") != null) Proc = true;
    if (showTag) Proc = false;
    if (Proc) {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        String loginrecord = null;
        int separatorIndex = 0;
        String recordUsername = null;
        String recordPassword = null;
        int recordLength = 0;
        boolean matchTag = false;
        try {
            // loginlist.txt holds one "user:password" record per line, passwords in clear text
            FileReader fr = new FileReader("/opt/jakarta-tomcat-5.5.9/webapps/iweb/loginlist.txt");
            BufferedReader br = new BufferedReader(fr);
            loginrecord = new String();
            while ((loginrecord = br.readLine()) != null && !matchTag) {
                recordLength = loginrecord.length();
                separatorIndex = loginrecord.indexOf(":");
                recordUsername = loginrecord.substring(0, separatorIndex);
                recordPassword = loginrecord.substring(separatorIndex + 1, recordLength);
                if (recordUsername.compareTo(username) == 0) {
                    if (recordPassword.compareTo(password) == 0) matchTag = true;
                }
            }
            br.close();
            if (matchTag) {
                FileWriter fw = new FileWriter("/opt/jakarta-tomcat-5.5.9/webapps/iweb/login.log", true);
                BufferedWriter bw = new BufferedWriter(fw);
                Date dateToday = new Date();
                String logStr = recordUsername + ":login:" + dateToday;
                bw.write(logStr);
                bw.newLine();
                bw.close();
                bw = null;
                fw = null;
            }
            fr = null;
            br = null;
        } catch (Exception e) {
            out.println("Error!" + e.getMessage());
        }
        if (matchTag) {
            request.getSession().setAttribute("username", username);
            response.sendRedirect("index.jsp");
        } else {
            response.sendRedirect("loginform.jsp?err=1");
        }
    } else {
    %>
    <html>
    <head>
    <%@ include file="include/head.jsp"%>
    </head>
    <body>
    <table width="96%" border="0" cellpadding="0" cellspacing="0">
      <tr align="center"><td><img src="/iweb/images/pw-header.jpg"></td></tr>
    </table>
    <table width="100%" border="0" cellpadding="0" cellspacing="0">
    <% if (showTag) { %>
      <tr><td colspan="2" class="ver_12_black_b">&nbsp;&nbsp;Вы уже авторизованны!</td></tr>
    <% } else {
        String strErr = "";
        if (request.getParameter("err") != null && request.getParameter("err").equals("1")) strErr = "Неверно!!";
    %>
      <tr><td colspan="2" class="ver_12_black_b">&nbsp;&nbsp;Напишитн что хз:</td></tr>
      <tr><td colspan="2">&nbsp;</td></tr>
      <tr>
        <td width="5%"></td>
        <td width="95%">
          <form name="login" action="loginform.jsp">
          <table width="100%" border="0" cellspacing="0" cellpadding="2">
          <% if (!strErr.equals("")) { %>
            <tr bgcolor="#FFFFFF"><td colspan="2" class="ver_10_red"><%=strErr%></td></tr>
          <% } %>
            <tr><td width="10%" class="ver_10_black">Пользователь:</td>
                <td width="90%"><input type="text" name="username" value=""></td></tr>
            <tr><td width="10%" class="ver_10_black">Пользователь2:</td>
                <td width="90%"><input type="text" name="password" value=""></td></tr>
            <tr><td class="ver_10_black">Пароль:</td>
                <td><input type="password" name="username" value=""></td></tr>
            <tr>
              <td></td>
              <td>
                <input type="submit" value="Вход" class="button">
                <input type="reset" value="Отмена" class="button">
              </td>
            </tr>
          </table>
          </form>
        </td>
      </tr>
      <tr><td colspan="2">&nbsp;</td></tr>
      <tr><td colspan="2">&nbsp;</td></tr>
    <% } %>
    </table>
    </body>
    </html>
    <% } %>
  • This is pure shameful horror. Throw it out right now, before you fall asleep :)) - cy6erGn0m
  • What horror are you talking about? The code? (I did not write it.) Or the protection method? - kolaymbych

2 answers

To be honest, it is written clumsily. You cannot cram THAT much logic into a JSP; move it into a separate Java class.

    So what's the problem? In Java, check the parameters in exactly the same way and set the response headers (using addHeader), or send the client packing if anything is wrong.

    • I'm a noob in Java, to say the least. Does anyone have ready-made code? - kolaymbych 2:42
    • No... no ready-made code will help here. This page must first be taken apart and all this madness thrown out of it... - cy6erGn0m
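The check this answer describes, as an added example that is not code from the question, the answers, or the iweb project: a servlet Filter that performs the same HTTP Basic check as the PHP snippet, but in Java, so it can sit in front of loginform.jsp and index.jsp without touching the JSP. It assumes a Servlet 2.4+ container (Tomcat 5.5 qualifies) running on Java 8+ (for java.util.Base64 and PBKDF2WithHmacSHA256); the class name BasicAuthFilter, the init-param names auth.user, auth.salt and auth.hash, and the realm string are my own choices. Two things differ from the PHP original on purpose: the stored secret is a salted PBKDF2 hash rather than a bare MD5 digest, and both the user name and the hash are compared in constant time, so a wrong user name costs the same as a wrong password.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** HTTP Basic authentication filter; credentials come from init-params in web.xml (assumed names). */
public class BasicAuthFilter implements Filter {
    private static final String REALM = "Protection of the admin panel";
    private static final int ITERATIONS = 100_000;   // PBKDF2 work factor
    private static final int KEY_BITS = 256;

    private String expectedUser;
    private byte[] salt;          // auth.salt, hex
    private byte[] expectedHash;  // auth.hash, hex, PBKDF2-HMAC-SHA256(password, salt)

    public void init(FilterConfig cfg) throws ServletException {
        expectedUser = cfg.getInitParameter("auth.user");
        salt = hexToBytes(cfg.getInitParameter("auth.salt"));
        expectedHash = hexToBytes(cfg.getInitParameter("auth.hash"));
        if (expectedUser == null || salt == null || expectedHash == null) {
            throw new ServletException("BasicAuthFilter: auth.user, auth.salt and auth.hash are required");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String[] creds = parseBasicHeader(request.getHeader("Authorization"));
        if (creds != null && credentialsMatch(creds[0], creds[1])) {
            chain.doFilter(req, res);   // authenticated: let the JSP run
            return;
        }
        // Same response as the PHP version: challenge the browser and stop here.
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    public void destroy() {}

    /** Returns {user, password} from "Basic base64(user:password)", or null if the header is absent or malformed. */
    static String[] parseBasicHeader(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null;   // not valid base64: treat as no credentials
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) return null;
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    boolean credentialsMatch(String user, String password) {
        byte[] hash = pbkdf2(password, salt);   // always computed, so timing does not reveal whether the user exists
        boolean userOk = MessageDigest.isEqual(user.getBytes(StandardCharsets.UTF_8),
                                               expectedUser.getBytes(StandardCharsets.UTF_8));
        boolean pwOk = MessageDigest.isEqual(hash, expectedHash);
        return userOk & pwOk;   // non-short-circuit on purpose
    }

    static byte[] pbkdf2(String password, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    static byte[] hexToBytes(String hex) {
        if (hex == null || hex.length() % 2 != 0) return null;
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Run once on the command line to produce the salt/hash pair for web.xml: java BasicAuthFilter <password> */
    public static void main(String[] args) {
        if (args.length != 1) { System.err.println("usage: java BasicAuthFilter <password>"); return; }
        byte[] newSalt = new byte[16];
        new SecureRandom().nextBytes(newSalt);
        System.out.println("auth.salt=" + bytesToHex(newSalt));
        System.out.println("auth.hash=" + bytesToHex(pbkdf2(args[0], newSalt)));
    }
}
```

Compile the class into WEB-INF/classes, run its main once to get the two hex values, and declare it in web.xml with a `<filter>` element carrying the three init-params plus a `<filter-mapping>` whose url-pattern covers the pages to protect (for example /loginform.jsp and /index.jsp, or /* for the whole admin panel). Basic auth only base64-encodes the credentials on the wire, so the mapping is only worth anything on a connector that serves HTTPS; and because the browser re-sends the credentials on every request, there is no logout other than closing the browser.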