在项目中,为了防止用户绕过页面、直接在浏览器地址栏输入静态资源地址来访问资源,可以用一个 Servlet 过滤器(Filter)在请求到达静态资源之前做权限检查。
在web.xml中,添加ResourceFilter:
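<!--
  ResourceFilter: the context-relative path prefixes listed in "ignores" are
  NOT served directly; a matching request is redirected to the context's /f
  page. Entries are comma-separated and compared as plain prefixes, so
  "/upload" also covers "/upload-old/...".
-->
<filter>
  <filter-name>resourceFilter</filter-name>
  <filter-class>com.thinkgem.jeesite.common.filter.ResourceFilter</filter-class>
  <init-param>
    <param-name>ignores</param-name>
    <param-value>/upload,/static/images</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>resourceFilter</filter-name>
  <!--
    "/*" is the Servlet-spec path mapping that matches every request in the
    context. A bare "*" is a container-specific match-all (Tomcat accepts it);
    a container that does not may reject the deployment or treat it as an
    exact match that never fires, leaving every resource unfiltered.
  -->
  <url-pattern>/*</url-pattern>
  <!-- Only direct client requests are filtered (the spec default). FORWARD /
       INCLUDE / ERROR dispatches would need explicit <dispatcher> elements. -->
</filter-mapping>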
ResourceFilter.java
package com.thinkgem.jeesite.common.filter;
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
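public class ResourceFilter implements Filter {

    /** Name of the init-param holding the comma-separated list of protected prefixes. */
    private static final String IGNORES_PARAM = "ignores";

    /** Context-relative page a blocked request is redirected to. */
    private static final String REDIRECT_PATH = "/f";

    /**
     * Context-relative path prefixes (each starting with "/") that must not be
     * served directly. Filled once in {@link #init} before any request is
     * dispatched and only read afterwards, so no synchronisation is needed.
     */
    private final Set<String> protectedPrefixes = new HashSet<String>();

    /**
     * Redirects a request for a protected resource to {@code <context>/f};
     * every other request is passed down the chain untouched.
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (canIgnore(request)) {
            // Make sure the redirect is never cached, so the same URL is
            // re-evaluated once the user does hold the right permission.
            response.setHeader("Cache-Control", "no-store");
            response.setDateHeader("Expires", 0);
            response.setHeader("Pragma", "no-cache"); // was misspelled "Prama"
            // A target starting with "/" is resolved by the container against
            // the server root. Hand-assembling scheme://serverName:port trusted
            // the client-supplied Host header and reports "http" behind a
            // TLS-terminating proxy; the container's own resolution honours
            // whatever proxy configuration it has.
            response.sendRedirect(request.getContextPath() + REDIRECT_PATH);
            return;
        }

        // Not protected: continue. Exceptions propagate to the container; the
        // former catch-all with printStackTrace() hid downstream failures and
        // answered them with an empty response.
        chain.doFilter(request, response);
    }

    /**
     * Reads the "ignores" init-param into {@link #protectedPrefixes}.
     *
     * Entries are trimmed, blanks dropped and a missing leading "/" added. An
     * absent or empty parameter is a configuration error and fails deployment
     * (the original threw a NullPointerException here) rather than leaving the
     * filter with nothing to protect.
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        String ignoresParam = config.getInitParameter(IGNORES_PARAM);
        if (ignoresParam == null) {
            throw new ServletException(
                    "ResourceFilter: init-param '" + IGNORES_PARAM + "' is required");
        }
        for (String entry : ignoresParam.split(",")) {
            String prefix = entry.trim();
            if (prefix.length() == 0) {
                continue;
            }
            if (!prefix.startsWith("/")) {
                prefix = "/" + prefix;
            }
            protectedPrefixes.add(prefix);
        }
        if (protectedPrefixes.isEmpty()) {
            throw new ServletException(
                    "ResourceFilter: init-param '" + IGNORES_PARAM + "' lists no path prefix");
        }
    }

    /** Drops the configured prefixes; the field itself stays non-null. */
    @Override
    public void destroy() {
        protectedPrefixes.clear();
    }

    /**
     * Returns {@code true} when the request targets a protected prefix (the
     * historical name is kept; "ignore" here means "do not serve directly").
     *
     * The test runs against the container-decoded, normalised path
     * (servlet path + path info) rather than the raw {@code getRequestURI()}:
     * the raw URI is what the client typed, so spellings such as
     * "/Project/./upload/1.jpg", "/Project/%75pload/1.jpg" or a
     * "/Project/;x=y/upload/1.jpg" path-parameter segment fail a startsWith()
     * check while the container may still serve the file from /upload.
     */
    private boolean canIgnore(HttpServletRequest request) {
        String path = contextRelativePath(request);
        // Anything the container left un-normalised is treated as protected
        // rather than trusted.
        if (path.indexOf("/../") >= 0 || path.endsWith("/..") || path.indexOf('\\') >= 0) {
            return true;
        }
        for (String prefix : protectedPrefixes) {
            // Plain prefix match, as before: "/upload" also covers "/uploads/x".
            // Matching is case-sensitive. NOTE(review): on a case-insensitive
            // filesystem the container may still serve "/UPLOAD/x" - confirm
            // for the deployment.
            if (path.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Decoded path of the request below the context root, e.g. "/upload/1.jpg".
     * Per the Servlet spec requestURI = contextPath + servletPath + pathInfo,
     * with the last two already URL-decoded by the container; pathInfo is null
     * when the matched servlet consumed the whole path.
     */
    private static String contextRelativePath(HttpServletRequest request) {
        String servletPath = request.getServletPath();
        String pathInfo = request.getPathInfo();
        StringBuilder path = new StringBuilder();
        if (servletPath != null) {
            path.append(servletPath);
        }
        if (pathInfo != null) {
            path.append(pathInfo);
        }
        return path.toString();
    }
}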
当用户访问 upload 文件夹和 static/images 文件夹下的资源时,请求会被重定向到 /f 页面。
当然,也可以在 canIgnore 里结合登录状态、角色等做更细的权限判断,只拦截未授权的请求;否则合法页面里引用的图片也会一并被拦掉。
这样,在地址栏输入诸如 http://localhost:8080/Project/upload/1.jpg 的时候,会直接跳到 http://localhost:8080/Project/f 页面。注意:前缀比较应使用容器解码、规范化后的路径(如 getServletPath() + getPathInfo()),而不是原始的 getRequestURI(),否则 /Project/./upload/1.jpg、/Project/%75pload/1.jpg 这类写法可能绕过前缀判断。
即使不是直接输入资源地址,而是在某个页面中用 <img src="http://localhost:8080/Project/static/images/default_img.jpg" /> 引用,这个图片请求同样会被重定向到 /f,因此图片不会显示;但由于这是图片子请求而不是页面导航,浏览器并不会把当前页面跳转到 /f。