1、有选择的被访问
描述:首先若用户没有在页面提交注册(直接访问list.jsp),就只能被允许访问a.jsp。其他页面均不被允许访问
在login.jsp提交信息之后,可以在b.jsp访问,
代码如下:
创建留个页面(login.jsp、list.jsp、a.jsp、b.jsp、c.jsp、d.jsp),这里就不写了,可以参考全部代码(在本文的最后面有链接)
创建Logservlet去处理登入后的逻辑处理
package com.gqx.login;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class LogServlet extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String name=request.getParameter("user");
if (name!=null && name!="") {
request.getSession().setAttribute("user", name);
response.sendRedirect(request.getContextPath()+"/login/list.jsp");
}else {
response.sendRedirect(request.getContextPath()+"/login/login.jsp");
}
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
this.doGet(request, response);
}
}
然后是最重要的Filter过滤器了,这里对权限的设置实在web.xml里面配置实现的,如下
<!-- 用户信息放入到session中的关键字 --> <context-param> <param-name>userSession</param-name> <param-value>USERSISSION</param-value> </context-param> <!-- 未登入,需重定向的页面 --> <context-param> <param-name>rediretPage</param-name> <param-value>/login/login.jsp</param-value> </context-param> <!-- 不需要拦截或检查的url,可以被外界直接访问的--> <context-param> <param-name>uncheckedUrl</param-name> <param-value>/login/a.jsp,/login/list.jsp,/login/login.jsp,/LogServlet</param-value> </context-param> <filter> <filter-name>LoginFilter</filter-name> <filter-class>com.gqx.login.LoginFilter</filter-class> </filter> <filter-mapping> <filter-name>LoginFilter</filter-name> <url-pattern>/login/*</url-pattern> </filter-mapping>
接着是根据xml里面的配置去做有选择性的去做过滤
package com.gqx.login;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.jms.Session;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class LoginFilter implements Filter {
private String userSession;
private String rediretPage;
private String uncheckedUrl;
@Override
public void init(FilterConfig arg0) throws ServletException {
// TODO Auto-generated method stub
ServletContext servletContext=arg0.getServletContext();
userSession=servletContext.getInitParameter("userSession");
rediretPage=servletContext.getInitParameter("rediretPage");
uncheckedUrl=servletContext.getInitParameter("uncheckedUrl");
}
@Override
public void destroy() {
// TODO Auto-generated method stub
}
@Override
public void doFilter(ServletRequest arg0, ServletResponse arg1,
FilterChain arg2) throws IOException, ServletException {
// TODO Auto-generated method stub
HttpServletRequest request=(HttpServletRequest)arg0;
HttpServletResponse response=(HttpServletResponse)arg1;
//1、获取来的请求的URL
String requestUrl=request.getRequestURL().toString(); // http://localhost:8080/FilterDemo/login/login.jsp
String requestUri=request.getRequestURI().toString();// /FilterDemo/login/login.jsp
String servletPath=request.getServletPath();// /login/login.jsp
//2、检查1获取的servletPath是否为不需要检查的URL中的而一个
List<String> urls=Arrays.asList(uncheckedUrl.split(","));
if (urls.contains(servletPath)) {
arg2.doFilter(request, response);
return;
}
//3、从session中获取userSession,判断值是否存在
Object user=request.getSession().getAttribute("user");
if (user==null) {
response.sendRedirect(request.getContextPath()+rediretPage);
return;
}
//4、存在,就允许访问
arg2.doFilter(request, response);
}
}
根据以上的代码就可以实现那些功能了。
(2)、管理权限的去访问
问题描述:通过设置允许用户去访问某些页面,若设置某用户可以访问某些页面,提交之后,去登入,在列表页根据用户的权限去及时的反应。(由于没有存数据库,本地自己自己认为的加上了两个用户AAA和BBB)
权限修改之后,提交,再去login.jsp去访问,输入用户,便可以去访问相对应权限的文章
实现代码
(1)、首先两个javaBean。User(用于管理其对应的名字和所有的权限)和Authority类(每一个权限以及他的url,通过url去访问其文章)。
package com.gqx.demo1;
import java.util.List;
// 封装用户信息: User
public class User {
private String username;
private List<Authority> authorities;
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public List<Authority> getAuthorities() {
return authorities;
}
public void setAuthorities(List<Authority> authorities) {
this.authorities = authorities;
}
public User(String username, List<Authority> authorities) {
super();
this.username = username;
this.authorities = authorities;
}
public User() {
// TODO Auto-generated constructor stub
}
}
package com.gqx.demo1;
public class Authority {
//显示到页面上的权限的名字
private String displayName;
//权限对应的 URL 地址: 已权限对应着一个 URL, 例如 Article-1 -> /article-1.jsp
private String url;
public String getDisplayName() {
return displayName;
}
public void setDisplayName(String displayName) {
this.displayName = displayName;
}
public String getUrl() {
return url;
}
public void setUrl(String url) {
this.url = url;
}
public Authority(String displayName, String url) {
super();
this.displayName = displayName;
this.url = url;
}
public Authority() {
// TODO Auto-generated constructor stub
}
@Override
public int hashCode() {
final int prime = 31;
int result = 1;
result = prime * result + ((url == null) ? 0 : url.hashCode());
return result;
}
@Override
public boolean equals(Object obj) {
if (this == obj)
return true;
if (obj == null)
return false;
if (getClass() != obj.getClass())
return false;
Authority other = (Authority) obj;
if (url == null) {
if (other.url != null)
return false;
} else if (!url.equals(other.url))
return false;
return true;
}
}
用户权限的管理(UserDao)
package com.gqx.demo1;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
//用户的权限管理,获取和修改操作
public class UserDao {
private static Map<String, User> users; //用户所有的权限
private static List<Authority> authorities =null; //权限的种类
static{
//在authorities中一共有多少种权限
authorities=new ArrayList<Authority>();
authorities.add(new Authority("Article-1", "/article-1.jsp"));
authorities.add(new Authority("Article-2", "/article-2.jsp"));
authorities.add(new Authority("Article-3", "/article-3.jsp"));
authorities.add(new Authority("Article-4", "/article-4.jsp"));
users=new HashMap<String, User>();
User user1=new User("AAA",authorities.subList(0, 2)); //sublist:左闭右关
users.put("AAA", user1);
User user2=new User("BBB",authorities.subList(2,4)); //sublist:左闭右关
users.put("BBB", user2);
}
//获取用户的全部信息
User get(String username){
return users.get(username);
}
//修改用户的信息
void update(String name,List<Authority> authorities){
users.get(name).setAuthorities(authorities);
}
//获取所有的Authorities(一共有多少种authority)
public static List<Authority> getAuthorities() {
return authorities;
}
public List<Authority> getAuthorities(String[] urls) {
List<Authority> authorities2 = new ArrayList<>();
for(Authority authority: authorities){
if(urls != null){
for(String url: urls){
if(url.equals(authority.getUrl())){
authorities2.add(authority);
}
}
}
}
return authorities2;
}
}
还有两个servlet,第一个是处理用户权限的访问(显示登入者所有的权限)以及修改其对应的权限
package com.gqx.demo1;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class AuthorityServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String methodName=request.getParameter("method");
//为了让一个servlet响应多个请求,这里可以使用反射
try {
Method method=getClass().getMethod(methodName, HttpServletRequest.class,HttpServletResponse.class);
method.invoke(this, request,response);
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
this.doGet(request, response);
}
private UserDao userDao=new UserDao();
//获取用户所有的信息
public void getAuthorities(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String userName=request.getParameter("username");
User user =userDao.get(userName);
request.setAttribute("user", user);
request.setAttribute("authorities", userDao.getAuthorities());
request.getRequestDispatcher("/authority-manager.jsp").forward(request, response);
}
public void updateAuthority(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String username = request.getParameter("username");
String [] authorities = request.getParameterValues("authority");
List<Authority> authorityList = userDao.getAuthorities(authorities);
userDao.update(username, authorityList);
response.sendRedirect(request.getContextPath() + "/authority-manager.jsp");
}
}
另一个是登入的servlet(主要是完成登入和注销的功能)
package com.gqx.demo1;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.Method;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class LoginServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String methodName=request.getParameter("method");
//为了让一个servlet响应多个请求,这里可以使用反射
try {
Method method=getClass().getMethod(methodName, HttpServletRequest.class,HttpServletResponse.class);
method.invoke(this, request,response);
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
this.doGet(request, response);
}
private UserDao userDao=new UserDao();
public void login(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
//1、获取用户的username
String name=request.getParameter("name");
//2、调用userDao获取信息,把用户信息放入到session中,
User user=userDao.get(name);
request.getSession().setAttribute("user", user);
//3、重定向到article.jsp
response.sendRedirect(request.getContextPath()+"/articles.jsp");
}
public void logout(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
//1. 获取 HttpSession
//2. 使 HttpSession 失效
request.getSession().invalidate();
//3. 重定向到 /loign.jsp
response.sendRedirect(request.getContextPath() + "/login.jsp");
}
}
最后是最重要的过滤器了,指定了哪些情况下是可以去访问哪些资源的,以及如何处理没有权限的访问。这里如果没有权限,则会统一去到一个页面(403.jsp)。
package com.gqx.demo1;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class AuthorityFilter implements Filter {
@Override
public void destroy() {
// TODO Auto-generated method stub
}
@Override
public void doFilter(ServletRequest arg0, ServletResponse arg1,
FilterChain filterChain) throws IOException, ServletException {
// TODO Auto-generated method stub
HttpServletRequest request=(HttpServletRequest)arg0;
HttpServletResponse response=(HttpServletResponse)arg1;
// - 获取 servletPath, 类似于 /app_3/article1.jsp
String servletPath = request.getServletPath();
//不需要被拦截的 url 列表.
List<String> uncheckedUrls = Arrays.asList("/403.jsp", "/articles.jsp",
"/authority-manager.jsp", "/login.jsp", "/logout.jsp");
if(uncheckedUrls.contains(servletPath)){
filterChain.doFilter(request, response);
return;
}
// - 在用户已经登录(可使用 用户是否登录 的过滤器)的情况下, 获取用户信息. session.getAttribute("user")
User user = (User)request.getSession().getAttribute("user");
if(user == null){
response.sendRedirect(request.getContextPath() + "/login.jsp");
return;
}
// - 再获取用户所具有的权限的信息: List<Authority>
List<Authority> authorities = user.getAuthorities();
// - 检验用户是否有请求 servletPath 的权限: 可以思考除了遍历以外, 有没有更好的实现方式
Authority authority = new Authority(null, servletPath);
// - 若有权限则: 响应
if (authorities.contains(authority)) {
filterChain.doFilter(request, response);
return;
}
// - 若没有权限: 重定向到 403.jsp
response.sendRedirect(request.getContextPath() + "/403.jsp");
return;
}
@Override
public void init(FilterConfig arg0) throws ServletException {
// TODO Auto-generated method stub
}
}
其他的html代码,在文中最后部分有下载