我正在使用struts 2
和开发Java Web应用程序hibernate
。我想限制用户通过直接在地址栏上键入来调用任何struts动作。相反,用户应该使用JSP页面本身提供的链接,因为在我的应用程序中,访问级别很多,因此,现在用户可以通过直接在地址栏上输入操作名称来进行未经授权的访问。在返回成功之前,我已经检查了每个功能上已登录用户的访问级别。但这不是在所有地方进行检查的好习惯。我搜索过要使用的方法java Filters
,但没有成功。
我用来实现过滤器的方法如下:
web.xml(Security
是我的包名称,SessionFilter
是servlet
类)
<filter>
<filter-name>SessionFilter</filter-name>
<filter-class>
Security.SessionFilter
</filter-class>
<init-param>
<param-name>avoid-urls</param-name>
<param-value>Index.jsp</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>SessionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Index.jsp
是我的应用程序的入口点,因此我只允许通过在地址栏上键入其他内容来直接访问此页面。而且,如果用户在地址栏上键入任何其他操作名称,则应该将他/她再次重定向到登录页面,这就是为什么在下面的代码中我已将其编写为response.sendRedirect("Index.jsp");
SessionFilter.java
import java.io.IOException;
import java.util.ArrayList;
import java.util.StringTokenizer;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class SessionFilter implements Filter {
private ArrayList<String> urlList;
public void destroy() {
}
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
String url = request.getServletPath();
boolean allowedRequest = false;
if (urlList.contains(url)) {
allowedRequest = true;
}
if (!allowedRequest) {
HttpSession session = request.getSession(false);
if (null == session) {
response.sendRedirect("Index.jsp");
}
}
chain.doFilter(req, res);
}
public void init(FilterConfig config) throws ServletException {
String urls = config.getInitParameter("avoid-urls");
StringTokenizer token = new StringTokenizer(urls, ",");
urlList = new ArrayList<String>();
while (token.hasMoreTokens()) {
urlList.add(token.nextToken());
}
}
}
我为我的问题找到了解决方案,并在我的应用程序中成功实现。非常感谢所有有用的答案和建议。
无论我实现了如下:
web.xml
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>SessionFilter</filter-name>
<filter-class>
Security.SessionFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>SessionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
SessionFilter.java
package Security;
import java.io.IOException;
import java.util.ArrayList;
import java.util.StringTokenizer;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
public class SessionFilter implements Filter {
public void destroy() {
}
public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain) throws IOException, ServletException {
if (req instanceof HttpServletRequest) {
req.setCharacterEncoding("UTF-8");
HttpServletRequest request = (HttpServletRequest) req;
String referrer = request.getHeader("referer");
if (null == request.getSession(true).getAttribute("emp_id")) {
if (referrer == null) {
if (isSessionExcluded(req)) {
req.setAttribute("isSessionExpire", "true");
RequestDispatcher reqDisp = req.getRequestDispatcher("/Index.jsp");
reqDisp.forward(req, resp);
}
}
} else {
if (referrer == null) {
RequestDispatcher reqDisp = req.getRequestDispatcher("/Error.jsp");
reqDisp.forward(req, resp);
}
}
chain.doFilter(req, resp);
}
}
public void init(FilterConfig config) throws ServletException {
}
private boolean isSessionExcluded(ServletRequest req) {
if (req instanceof HttpServletRequest) {
HttpServletRequest request = (HttpServletRequest) req;
String contextPath = request.getContextPath();
String reqUri = request.getRequestURI();
if (!(contextPath + "/Index.jsp").equals(reqUri)) {
return true;
}
}
return false;
}
}
我用
String referrer = request.getHeader("referer");
的doFilter
方法。这将区分请求,是通过在地址栏上键入还是通过单击某些链接生成的请求。在当通过地址栏中键入生成的请求的情况下,的值引荐将是零。
我希望此解决方案也对其他人有所帮助。
本文收集自互联网,转载请注明来源。
如有侵权,请联系 [email protected] 删除。
我来说两句