java when循环,Java过滤器无限循环

I want to implement a filter to do the authentication, but somehow it is stuck in infinite loop... Any idea appreciated.

HttpServletRequest httpRequest = (HttpServletRequest) request;

HttpServletResponse httpResponse = (HttpServletResponse) response;

doBeforeProcessing(request, response);

Throwable problem = null;

HttpSession session = httpRequest.getSession(true);

if(session.getAttribute("userName")!=null&&session.getAttribute("userName")!=(""))

{

try {

chain.doFilter(request, response);

} catch (Throwable t) {

// If an exception is thrown somewhere down the filter chain,

// we still want to execute our after processing, and then

// rethrow the problem after that.

problem = t;

t.printStackTrace();

}

}else{

httpResponse.sendRedirect("login.jsp");

return;

}

This code in debug mode just run in infinite times, basicly i want to redirect the user to the login.jsp when he is not logged in.

Any answer appreciated.

解决方案

Here,

httpResponse.sendRedirect("login.jsp");

you're sending a new HTTP request for the target page instead of using the current request for it. This new HTTP request would of course hit the filter once again if it's been mapped on an overly generic URL pattern, such as /*. And the same checks would be performed and it would be redirected again. Etcetera. This is a neverending story.

You need to add an extra check to perform FilterChain#doFilter() as well when the currently requested page is the login page.

String loginURL = httpRequest.getContextPath() + "/login.jsp";

if (httpRequest.getRequestURI().equals(loginURL)) || session.getAttribute("userName") != null) {

chain.doFilter(request, response);

} else {

httpResponse.sendRedirect(loginURL);

}

Note that I also removed the nonsensicial check on the empty string as username (you'd however ensure that your code is nowhere setting an empty string as username. Just use null to represent a non-logged-in user. Also note that I fixed the redirect URL as well, because it would have failed when the currently requested URL is in a subfolder.

A different alternative is to put all those restricted pages in a common subfolder, such as /app, /secured, /restricted, etc and then map the filter on an URL pattern of /app/*, /secured/*, /restricted/*, etc instead. If you keep the login page outside this folder, then the filter won't be invoked when the login page is been requested.