加入监听和过滤器来实现url地址的控制.在项目中很实用.

好处: 不用再在N多个页面包含

 

 if(session.getAttribute("user")==null)
    	response.sendRedirect("index.htm");

 

这样的垃圾代码了.

 

首先说下主要代码实现方式:

 

web.xml中的监听和过滤器:

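<context-param>
    <!-- Parameter naming the file that lists the pages which may be visited without
         logging in. ContextListener loads that list at start-up through the class
         loader (classpath, i.e. src/ in this project), not as a path under WEB-INF. -->
    <param-name>allowPath</param-name>
    <param-value>allowPath.xml</param-value>
</context-param>

<!-- Intercepts every request of this web application and decides whether it may be
     served: logged-in users pass, anonymous requests pass only for the URLs listed in
     the allowPath file, everything else is redirected to the login page. -->
<filter>
    <filter-name>UserAdmin</filter-name>
    <filter-class>com.thams.framework.filter.AuthFilter</filter-class>
    <!-- Declared but not read by the AuthFilter shown on this page (its init() does
         not look at the filter's init-params). -->
    <init-param>
        <param-name>allowRole</param-name>
        <param-value>1</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>UserAdmin</filter-name>
    <!-- Default: every request of this web application goes through the filter. -->
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Runs when the application starts and reads the allowed-URL configuration file into
     AuthFilter; AuthFilter.init() relies on this having happened first. -->
<listener>
    <listener-class>com.thams.framework.listener.ContextListener</listener-class>
</listener>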

allowPath.xml（允许访问的 URL 地址列表）放在 src 下。如果改变存放位置（比如放到 WEB-INF 下），需要相应修改 ContextListener 中读取文件的路径。

<?xml version="1.0" encoding="GB2312"?>
<Config>
    <!-- unprotectedurl: URLs of this system that are not subject to the login check.
         Each url value is compared with String.endsWith() against the LAST path segment
         of the request URI (AuthFilter.isUnprotectedUrl), so a bare suffix such as "js"
         or "png" admits every request whose last segment ends in those characters, not
         only files with that extension. The list is read once when AuthFilter is
         initialised (AuthFilter.getUnprotectedResources); changes need a restart. -->
   <unprotectedurls>
   <unprotectedurl url="collectAction.do"/>
    <unprotectedurl url="loginAction.do"/>
    <unprotectedurl url="login.jsp"/>
    <unprotectedurl url="login.html"/>
    <unprotectedurl url="js"/>
    <unprotectedurl url="css"/>
    <unprotectedurl url="jpg"/>
    <unprotectedurl url="gif"/>
    <unprotectedurl url="png"/>
   </unprotectedurls>
</Config>

 

 

AuthFilter.java 过滤器

 

/*
 * @(#)RoleDAO.java        2005/10/18
 *
 * Copyright (c) 2003-2005 ASPire Technologies, Inc.
 * 6/F,IER BUILDING, SOUTH AREA,SHENZHEN HI-TECH INDUSTRIAL PARK Mail Box:11# 12#.
 * All rights reserved.
 */
package com.thams.framework.filter;

import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.log4j.Logger;
import org.jdom.Element;
import org.jdom.input.SAXBuilder;

import com.thams.user.UserSession;

/**
 * <p>
 * Title: securityservice
 * </p>
 * 
 * @author liuyuhua
 * @version 1.0
 */
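/**
 * Servlet filter that gates every request (mapped to {@code /*} in web.xml) on an
 * authenticated session.
 * <p>
 * Decision order in {@link #doFilter}: a request with a logged-in user
 * ({@link UserSession#isLogin}) passes; otherwise the request passes only if the
 * last segment of its URI suffix-matches an entry of the unprotected-resource list
 * ({@link #getUnprotectedResources}); anything else is redirected to the login page.
 * <p>
 * {@link #load(String)} must have been called before the container calls
 * {@link #init} (ContextListener does this at start-up), because init() builds the
 * resource list from the parsed configuration.
 * <p>
 * Title: securityservice
 *
 * @author liuyuhua
 * @version 1.0
 */
public class AuthFilter extends HttpServlet implements Filter {
	private static final long serialVersionUID = -2641564339123115818L;
	private static final Logger log = Logger.getLogger(AuthFilter.class);
	/** Login page, relative to the web application root. */
	private static final String DEFAULT_REDIRECT_URL = "login.html";
	/** Last path segments (suffix-matched) that may be requested without a login. */
	public static ArrayList unProtectedRes = null;
	/** Root element of the parsed configuration file; null until load() succeeds. */
	private static Element rootElement = null;
	private FilterConfig filterConfig;
	/**
	 * 重定向的URL (redirect target for requests that are not allowed).
	 */
	private String redirectURl = null;

	public AuthFilter() {
	}

	/**
	 * Builds the unprotected-resource list from the configuration that
	 * {@link #load} parsed earlier and fixes the redirect target.
	 *
	 * @param filtercfg filter configuration supplied by the container (kept, not
	 *            read: the {@code allowRole} init-param is not evaluated)
	 * @throws ServletException if the configuration has not been loaded; the
	 *             filter then refuses to deploy rather than run unconfigured
	 */
	public void init(FilterConfig filtercfg) throws ServletException {
		this.filterConfig = filtercfg;
		try {
			getUnprotectedResources();
		} catch (RuntimeException e) {
			// Fail closed: a filter without its allow-list must not start serving.
			log.error("AuthFilter init failed: unprotected resource list not available", e);
			throw new ServletException(
					"AuthFilter: unprotected resource configuration not loaded", e);
		}
		redirectURl = DEFAULT_REDIRECT_URL;
	}

	/**
	 * 在过滤器中实现权限控制 — enforces the access rule described on the class.
	 *
	 * @throws ServletException if the access decision itself fails; the request is
	 *             then neither served nor redirected (fail closed). Exceptions thrown
	 *             further down the chain propagate to the container unchanged.
	 */
	public void doFilter(ServletRequest sRequest, ServletResponse sResponse,
			FilterChain filterChain) throws IOException, ServletException {
		HttpServletRequest request = (HttpServletRequest) sRequest;
		HttpServletResponse response = (HttpServletResponse) sResponse;
		boolean allowed;
		try {
			// Logged-in users pass; anonymous requests only for listed resources.
			allowed = UserSession.isLogin(request) || isUnprotectedUrl(request);
		} catch (RuntimeException e) {
			// Never let a failing check fall through to the protected resource.
			log.error("AuthFilter error:", e);
			throw new ServletException("AuthFilter: access check failed", e);
		}
		if (allowed) {
			filterChain.doFilter(request, response);
			return;
		}
		// Absolute URL of the application root. getServerName()/getServerPort() are
		// taken from the request (Host header); the container is expected to have
		// validated them before the redirect target is built from them.
		String path = request.getContextPath();
		String basePath = request.getScheme() + "://" + request.getServerName()
				+ ":" + request.getServerPort() + path + "/";
		response.sendRedirect(basePath + redirectURl);
	}

	/**
	 * 是否有该页面访问权限 — whether the requested resource needs no login.
	 * <p>
	 * Compares the last segment of the request URI, with URI path parameters
	 * ({@code ;name=value}, e.g. {@code ;jsessionid=...}) removed first, against
	 * each configured entry using {@link String#endsWith}. An entry such as
	 * {@code js} therefore matches {@code app.js} but also any segment ending in
	 * "js". Blank entries are skipped so an empty {@code url} attribute cannot
	 * open every page.
	 *
	 * @param request current request
	 * @return true if the resource is listed as unprotected
	 */
	private boolean isUnprotectedUrl(HttpServletRequest request) {
		String url = request.getRequestURI();
		// Path parameters belong to the URI but are not part of the resource name.
		int semicolon = url.indexOf(';');
		if (semicolon > -1) {
			url = url.substring(0, semicolon);
		}
		int slash = url.lastIndexOf('/');
		if (slash > -1) {
			url = url.substring(slash + 1);
		}
		for (int i = 0; i < unProtectedRes.size(); i++) {
			String entry = (String) unProtectedRes.get(i);
			if (entry == null || entry.trim().length() == 0) {
				continue;
			}
			if (url.endsWith(entry)) {
				return true;
			}
		}
		return false;
	}

	public void destroy() {
	}

	/**
	 * 载入配置文件 — parses the configuration file and keeps its root element.
	 * On failure the error is logged with its stack trace and {@link #rootElement}
	 * stays null, which makes {@link #init} refuse to deploy the filter.
	 *
	 * @param cfg
	 *            配置文件名称 (path of the configuration file)
	 */
	public static void load(String cfg) {
		try {
			rootElement = new SAXBuilder().build(new File(cfg)).getRootElement();
		} catch (Exception e) {
			log.error("AuthFilter: failed to load configuration file " + cfg, e);
		}
	}

	/**
	 * 获得配置文件中指定名称的Element — child element of the configuration root.
	 *
	 * @param elementName name of the child element
	 * @return the child element, or null if the root has no such child
	 * @throws IllegalStateException if {@link #load} has not succeeded yet
	 */
	public static Element getElement(String elementName) {
		if (rootElement == null) {
			throw new IllegalStateException(
					"AuthFilter configuration not loaded; call load() first");
		}
		return rootElement.getChild(elementName);
	}

	/**
	 * 获取不受访问限制的资源信息列表,调用之前需要先执行load()方法 — builds
	 * {@link #unProtectedRes} from the {@code <unprotectedurl url="..."/>} entries.
	 * Runs only once; later calls are no-ops.
	 *
	 * @throws IllegalStateException if the configuration is not loaded or has no
	 *             {@code <unprotectedurls>} element
	 */
	public static void getUnprotectedResources() {
		if (unProtectedRes != null) {
			return;
		}
		Element interceptors = getElement("unprotectedurls");
		if (interceptors == null) {
			throw new IllegalStateException(
					"AuthFilter configuration has no <unprotectedurls> element");
		}
		ArrayList resources = new ArrayList();
		Iterator it = interceptors.getChildren("unprotectedurl").iterator();
		while (it.hasNext()) {
			Element entry = (Element) it.next();
			String url = entry.getAttributeValue("url");
			if (url == null || url.trim().length() == 0) {
				// A blank entry would suffix-match every request; never install one.
				log.warn("AuthFilter: ignoring <unprotectedurl> without a url attribute");
				continue;
			}
			resources.add(url);
		}
		// Publish only a completely built list.
		unProtectedRes = resources;
	}

	/**
	 * Manual check: loads allowPath.xml from the working directory and builds the
	 * list, so a broken configuration shows up in the log before deployment.
	 */
	public static void main(String[] args) {
		load("allowPath.xml");
		getUnprotectedResources();
	}

}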

 

ContextListener.java（监听器）。其实这段加载逻辑也可以放在 servlet 的 init 方法中，只要保证在启动时加载一次即可。

 

package com.thams.framework.listener;

import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.Enumeration;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.http.HttpServlet;

import org.apache.log4j.Logger;

import com.thams.codetable.CodeTableCollection;
import com.thams.codetable.CodeTableService;
import com.thams.framework.ServiceFactory;
import com.thams.framework.filter.AuthFilter;

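/**
 * Loads the unprotected-resource configuration into {@link AuthFilter} when the
 * web application starts, so the filter finds it parsed when its init() runs.
 */
public class ContextListener extends HttpServlet implements
		ServletContextListener {
	private static final Logger log = Logger.getLogger(ContextListener.class);
	/** context-param that names the configuration resource (see web.xml). */
	private static final String ALLOW_PATH_PARAM = "allowPath";

	/**
	 * web应用启动的时候会执行,方法里面可以初始化配置文件,启动线程等初始化操作 —
	 * runs at application start-up; reads the resource named by the
	 * {@code allowPath} context-param and hands it to {@link AuthFilter#load}.
	 * The parameter value is used as the resource name, so moving the file only
	 * requires changing web.xml.
	 *
	 * @param sce
	 *            ServletContextEvent
	 */
	public void contextInitialized(ServletContextEvent sce) {
		ServletContext servletContext = sce.getServletContext();
		String resourceName = servletContext.getInitParameter(ALLOW_PATH_PARAM);
		if (resourceName == null || resourceName.trim().length() == 0) {
			log.error("context-param " + ALLOW_PATH_PARAM
					+ " is missing; AuthFilter has no unprotected resource configuration");
			return;
		}
		try {
			// Resolved through the class loader: the file is looked up on the
			// classpath (src/ in this project), not under WEB-INF.
			java.net.URL resource = this.getClass().getClassLoader()
					.getResource(resourceName);
			if (resource == null) {
				log.error("Failed to load unprotected resource infomation "
						+ resourceName + " (not found on the classpath)");
				return;
			}
			// getFile() yields a URL-encoded path; decode it before it becomes a File.
			// NOTE(review): assumes the resource is an exploded file on disk, not
			// inside a jar — confirm for the deployment layout.
			String configPath = java.net.URLDecoder.decode(resource.getFile(), "utf-8");
			AuthFilter.load(configPath);
			log.debug("unprotected resource infomation has loaded.");
		} catch (Exception ex) {
			// Keep the stack trace instead of only ex.getMessage().
			log.error("Failed to load unprotected resource infomation " + resourceName, ex);
		}
	}

	public void contextDestroyed(ServletContextEvent sce) {
	}

}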

 

这样配置后.

 

比如你的工程叫AMS

 

则所有访问 http://你的服务器IP:端口/AMS/* 路径的 URL 都会经过 AuthFilter.java 这个过滤器。过滤器里可以写你自己的校验逻辑，也可以只是判断用户是否已经登录。

 

 

UserSession.java 放上来大家参考下.估计对大家有用.

 

package com.thams.user;

import javax.servlet.http.HttpServletRequest;

import com.thams.dao.po.SUser;
import com.thams.userRoleRight.UserRoleRight;

/**
 * @Function: 方便用户得到和set UserSession
 * @author: luyu
 * @date: Nov 12, 2008
 */
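/**
 * @Function: 方便用户得到和set UserSession — holder for the logged-in user and
 *            its role rights, stored in the HttpSession under
 *            {@link #USER_SESSION}; the static helpers read and write it.
 * @author: luyu
 * @date: Nov 12, 2008
 */
public class UserSession {

	/** HttpSession attribute name under which the UserSession is stored. */
	public static final String USER_SESSION = "userSession";

	private SUser user = null;

	private UserRoleRight userRoleRight = null;

	/**
	 * Reads the UserSession attribute without creating an HttpSession.
	 *
	 * @param request current request
	 * @return the stored UserSession, or null if there is no session, no
	 *         attribute, or the attribute is not a UserSession
	 */
	private static UserSession lookup(HttpServletRequest request) {
		javax.servlet.http.HttpSession session = request.getSession(false);
		if (session == null) {
			return null;
		}
		Object attribute = session.getAttribute(USER_SESSION);
		if (attribute instanceof UserSession) {
			return (UserSession) attribute;
		}
		return null;
	}

	/**
	 * 判断用户是否登陆 — true if a UserSession is bound to the current session.
	 * Does not create a session for anonymous requests.
	 * @param request
	 * @return 如果是返回true,否则返回false
	 */
	public static boolean isLogin(HttpServletRequest request) {
		return lookup(request) != null;
	}

	/**
	 * Ends the login: invalidates the HttpSession, if one exists, so the
	 * UserSession and everything else bound to it cannot be reused.
	 *
	 * @param request current request
	 * @return always true (the previous version also returned true in every
	 *         case; kept for callers that test the result)
	 */
	public static boolean logout(HttpServletRequest request) {
		javax.servlet.http.HttpSession session = request.getSession(false);
		if (session != null) {
			session.invalidate();
		}
		return true;
	}

	/**
	 * 从session中得到用户名 — the logged-in user.
	 * @param request
	 * @return 返回用户名, or null if nobody is logged in
	 */
	public static SUser getUser(HttpServletRequest request) {
		UserSession userSession = lookup(request);
		return userSession == null ? null : userSession.getUser();
	}

	/**
	 * 保存userSession到HttpSession里 — binds the UserSession to the HttpSession,
	 * creating the session if needed.
	 * NOTE(review): the existing session id is kept across login; consider
	 * invalidating and re-creating the session here if session fixation is a
	 * concern — verify what else callers keep in the session first.
	 * @param request
	 * @param userSession
	 */
	public static void saveUserSession(HttpServletRequest request, UserSession userSession) {
		request.getSession(true).setAttribute(USER_SESSION, userSession);
	}

	/**
	 * @function: 得到UserSession
	 * @author: luyu
	 * @data: Sep 3, 2008
	 * @param request
	 * @return 得到UserSession, or null if none is bound to the session
	 */
	public static UserSession getUserSession(HttpServletRequest request) {
		return lookup(request);
	}

	public SUser getUser() {
		return user;
	}

	public void setUser(SUser user) {
		this.user = user;
	}

	public UserRoleRight getUserRoleRight() {
		return userRoleRight;
	}

	public void setUserRoleRight(UserRoleRight userRoleRight) {
		this.userRoleRight = userRoleRight;
	}
}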

 

 
