1. A JSP page uses many iframes. A user can open the browser dev tools (F12), read the URL of a menu page, and then open that URL directly or change the src of the iframe.
There are two ways to stop the iframe content from being reached directly. The first is to block it in JavaScript as the page loads:
/*
 * Only allow this page to be shown inside an IFRAME on the same domain
 */
var url = '${pageContext.request.contextPath}/login';
try {
    if (top == self) {
        // not framed at all: the menu URL was opened directly
        top.window.location.href = url;
    } else if (parent.window.location.host != window.location.host && top.window.location.href != window.location.href) {
        // framed from a different host
        top.window.location.href = url;
    }
} catch (e) {
    // reading the location of a cross-origin parent throws; treat it like a foreign frame
    top.window.location.href = url;
}
However, this must run before the page is rendered; otherwise the page still flashes briefly before the redirect.
2. The second is to add the check on the server side, in a Spring MVC interceptor in front of the controllers.
package com.anyinfo.bjwq.interceptor;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

import com.anyinfo.bjwq.model.Admin;

/**
 * Login interceptor
 * @author kevin
 *
 */
public class LoginInterceptor extends HandlerInterceptorAdapter implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request,
            HttpServletResponse response, Object handler) throws Exception {
        // Not logged in: send the user to the login page
        HttpSession session = request.getSession();
        Admin admin = (Admin) session.getAttribute("loginUser");
        if (admin == null) {
            response.sendRedirect(request.getContextPath() + "/login");
            return false;
        }
        // No Referer and not the index page itself: treat it as a direct URL hit and go to the index
        String requestURI = request.getRequestURI();
        String index = request.getContextPath() + "/index";
        String referer = request.getHeader("Referer");
        if (referer == null && !index.equals(requestURI)) {
            response.sendRedirect(request.getContextPath() + "/index");
            return false;
        }
        //AuthorityService authorityService = (AuthorityService) SpringContextUtils.getBean("authorityService");
        //List<Authority> authorities = authorityService.getTotalAuthorityLists();
        // Permission check: take the current URL and test whether it lies within the set of
        // granted authorities; if not, throw an exception and go to the error page
        //String url = request.getServletPath();
        //System.out.println(url);
        return super.preHandle(request, response, handler);
    }
}
The interceptor uses whether the Referer header is null to tell a request that came from the page's menu apart from one whose URL was typed directly.
Then register the interceptor in the Spring MVC configuration with mvc:interceptor:
<!-- Login interceptor -->
<mvc:interceptor>
    <mvc:mapping path="/**"/>
    <mvc:exclude-mapping path="/login"/>
    <mvc:exclude-mapping path="/login/drawCheckCode"/>
    <mvc:exclude-mapping path="/resources/**"/>
    <mvc:exclude-mapping path="/api/**"/>
    <mvc:exclude-mapping path="/wechat/**"/>
    <mvc:exclude-mapping path="/web/**"/>
    <bean class="com.anyinfo.bjwq.interceptor.LoginInterceptor"/>
</mvc:interceptor>
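As an added example (not part of the original post or project), a JUnit 4 test using the spring-test mocks exercises the interceptor's three outcomes and shows where the Referer check stops: it assumes the Admin model class has a no-arg constructor, and /app is a constructed context path.

```java
package com.anyinfo.bjwq.interceptor;
import static org.junit.Assert.*;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import com.anyinfo.bjwq.model.Admin;

public class LoginInterceptorTest {
    private final LoginInterceptor interceptor = new LoginInterceptor();

    // Builds a request below context path /app; referer == null simulates typing the URL directly.
    private static MockHttpServletRequest request(String path, String referer, boolean loggedIn) {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", "/app" + path);
        req.setContextPath("/app");
        if (referer != null) {
            req.addHeader("Referer", referer);
        }
        if (loggedIn) {
            req.getSession().setAttribute("loginUser", new Admin()); // assumes a no-arg constructor
        }
        return req;
    }

    @Test
    public void anonymousRequestIsRedirectedToLogin() throws Exception {
        MockHttpServletResponse res = new MockHttpServletResponse();
        assertFalse(interceptor.preHandle(request("/menu/users", null, false), res, null));
        assertEquals("/app/login", res.getRedirectedUrl());
    }

    @Test
    public void directUrlWithoutRefererIsRedirectedToIndex() throws Exception {
        MockHttpServletResponse res = new MockHttpServletResponse();
        assertFalse(interceptor.preHandle(request("/menu/users", null, true), res, null));
        assertEquals("/app/index", res.getRedirectedUrl());
    }

    @Test
    public void indexIsReachableWithoutReferer() throws Exception {
        assertTrue(interceptor.preHandle(request("/index", null, true), new MockHttpServletResponse(), null));
    }

    @Test
    public void anyRefererValueSatisfiesTheCheck() throws Exception {
        // Only presence is tested; the header is client-supplied and may be stripped by a
        // Referrer-Policy, so this check is a navigation aid, not an authorization boundary.
        assertTrue(interceptor.preHandle(request("/menu/users", "http://example.invalid/", true),
                new MockHttpServletResponse(), null));
    }
}
```

The last test is the reason the commented-out authority lookup in preHandle matters: the session check and a server-side permission check are what actually protect a menu URL.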