学jsp这么长时间,做的项目也有七八个了,可所有的项目都是用户登录后直接跳转到其拥有权限的页面,或者显示可访问页面的链接,用这种方式来幼稚地控制访问权限。从来没有想过,如果没有登录,直接在地址栏输入地址也一样可以访问用户的页面。
在jsp中权限的控制是通过Filter过滤器来实现的,所有的开发框架中都集成有Filter,如果不使用开发框架,则可以按如下方式实现:
LoginFilter.java
// NOTE(review): this listing is incomplete as extracted -- closing braces, the
// else-branches and several return statements are missing, so read the control
// flow below as the author's sketch rather than as compilable code.
// Servlet filter that redirects requests for non-whitelisted URLs to a login page
// when the HTTP session carries no "user" attribute.
public class LoginFilter implements Filter { |
// Whitelist from the "permitUrls" init-param (comma-separated, matched by exact string equality).
private String permitUrls[] = null; |
// Redirect target from the "gotoUrl" init-param, resolved relative to the context path.
private String gotoUrl = null; |
// Entry point for every request matched by the filter-mapping (/* in web.xml):
// whitelisted URLs pass straight through, other URLs require a logged-in user.
public void doFilter(ServletRequest request, ServletResponse response, |
FilterChain chain) throws IOException, ServletException { |
// The casts assume an HTTP container; a non-HTTP request would raise ClassCastException.
HttpServletRequest res=(HttpServletRequest) request; |
HttpServletResponse resp=(HttpServletResponse)response; |
if (!isPermitUrl(request)){ |
if (filterCurrUrl(request)){ |
System.out.println( "--->请登录" ); |
// NOTE(review): as shown here nothing stops the chain after the redirect, so the
// protected resource would still be invoked unless the lost original code returned
// at this point. A `return;` right after sendRedirect is the usual guard -- verify
// against the full source before relying on this filter.
resp.sendRedirect(res.getContextPath()+gotoUrl); |
System.out.println( "--->允许访问" ); |
chain.doFilter(request, response); |
// Returns whether the current request must be blocked; presumably true when the
// session has no "user" attribute (the return statement is missing from this extract).
public boolean filterCurrUrl(ServletRequest request){ |
HttpServletRequest res=(HttpServletRequest) request; |
// NOTE(review): getSession() creates a new session for every anonymous request;
// getSession(false) would avoid allocating server-side state before login.
User user =(User) res.getSession().getAttribute( "user" ); |
// Returns true when currentUrl(request) exactly equals one of the configured permitUrls.
// Exact comparison makes the whitelist default-deny: any variant spelling of a
// permitted URL is treated as protected (the assignment/break/return are missing here).
public boolean isPermitUrl(ServletRequest request) { |
boolean isPermit = false; |
String currentUrl = currentUrl(request); |
if (permitUrls != null && permitUrls.length > 0) { |
for (int i = 0; i < permitUrls.length; i++) { |
if (permitUrls[i].equals(currentUrl)) { |
// Builds the comparison key: the request URI with the context path stripped, plus
// "?task=<value>" when a "task" parameter is present (the if/else around the two
// substring lines, and the return, are lost in this extract).
public String currentUrl(ServletRequest request) { |
HttpServletRequest res = (HttpServletRequest) request; |
String task = request.getParameter( "task" ); |
String path = res.getContextPath(); |
// getRequestURI() is neither URL-decoded nor normalized; the key is the raw path as sent.
String uri = res.getRequestURI(); |
uri = uri.substring(path.length(), uri.length()) + "?" + "task=" |
uri = uri.substring(path.length(), uri.length()); |
// Debug output of every request path; a logger would be the usual replacement.
System.out.println( "当前请求地址:" + uri); |
// Reads the whitelist and redirect target from the web.xml init-params.
// NOTE(review): web.xml also declares an "ignore" init-param that is never read here.
public void init(FilterConfig filterConfig) throws ServletException { |
String permitUrls = filterConfig.getInitParameter( "permitUrls" ); |
// Local gotoUrl shadows the field; the assignment to this.gotoUrl is missing from this extract.
String gotoUrl = filterConfig.getInitParameter( "gotoUrl" ); |
if (permitUrls != null && permitUrls.length() > 0) { |
// Split on "," with no trimming, so whitespace around an entry would defeat the exact match.
this.permitUrls = permitUrls.split( "," ); |
Web.xml
<filter-name>loginFilter</filter-name> |
<filter-class>filter.LoginFilter</filter-class> |
<param-name>ignore</param-name> |
<param-value>false</param-value> |
<param-name>permitUrls</param-name> |
<param-value>/,/servlet/Loginservlet?task=login,/public.jsp,/login.jsp</param-value> |
<param-name>gotoUrl</param-name> |
<param-value>/login.jsp</param-value> |
<filter-name>loginFilter</filter-name> |
<url-pattern>/*</url-pattern> |
关于Filter的配置和原理,不懂的可以查看本站文章:Web过滤器Filter的原理与创建 | X-Dang http://xdang.org/post-491.html
这段代码主要实现了用户登录的过滤,权限过滤的原理相同:只需要把“判断用户是否登录”换成“判断用户是否有权限”就可以了!