Enabling authentication for the Druid monitoring console

Source: Internet  Editor: 程序博客网  Time: 2024/05/16 23:54

Github: https://github.com/alibaba/druid


The official Druid documentation describes one way to restrict access: by IP address, using the allow and deny parameters. For details see https://github.com/alibaba/druid/wiki/%E9%85%8D%E7%BD%AE_StatViewServlet%E9%85%8D%E7%BD%AE


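There is another way, a username and password, but the official site does not mention it. I only found out about it after reading the source code, and I am sharing it here.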

Start from the servlet declared in web.xml:

    <servlet>
        <servlet-name>DruidStatView</servlet-name>
        <servlet-class>com.alibaba.druid.support.http.StatViewServlet</servlet-class>
    </servlet>

Open the source of StatViewServlet:

    public class StatViewServlet extends ResourceSerlvet {
        // ....
    }

Then follow it into the source of ResourceSerlvet.


Next, look at the service method, which is where requests are handled:

    public void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        String contextPath = request.getContextPath();
        String servletPath = request.getServletPath();
        String requestURI = request.getRequestURI();

        response.setCharacterEncoding("utf-8");

        if (contextPath == null) { // root context
            contextPath = "";
        }
        String uri = contextPath + servletPath;
        String path = requestURI.substring(contextPath.length() + servletPath.length());

        if (!isPermittedRequest(request)) {
            path = "/nopermit.html";
            returnResourceFile(path, uri, response);
            return;
        }

        if ("/submitLogin".equals(path)) {
            String usernameParam = request.getParameter(PARAM_NAME_USERNAME);
            String passwordParam = request.getParameter(PARAM_NAME_PASSWORD);
            if (username.equals(usernameParam) && password.equals(passwordParam)) {
                request.getSession().setAttribute(SESSION_USER_KEY, username);
                response.getWriter().print("success");
            } else {
                response.getWriter().print("error");
            }
            return;
        }

        if (isRequireAuth() //
            && !ContainsUser(request)//
            && !("/login.html".equals(path) //
                 || path.startsWith("/css")//
                 || path.startsWith("/js") //
                 || path.startsWith("/img"))) {
            if (contextPath == null || contextPath.equals("") || contextPath.equals("/")) {
                response.sendRedirect("/druid/login.html");
            } else {
                if ("".equals(path)) {
                    response.sendRedirect("druid/login.html");
                } else {
                    response.sendRedirect("login.html");
                }
            }
            return;
        }

        if ("".equals(path)) {
            if (contextPath == null || contextPath.equals("") || contextPath.equals("/")) {
                response.sendRedirect("/druid/index.html");
            } else {
                response.sendRedirect("druid/index.html");
            }
            return;
        }

        if ("/".equals(path)) {
            response.sendRedirect("index.html");
            return;
        }

        if (path.indexOf(".json") >= 0) {
            String fullUrl = path;
            if (request.getQueryString() != null && request.getQueryString().length() > 0) {
                fullUrl += "?" + request.getQueryString();
            }
            response.getWriter().print(process(fullUrl));
            return;
        }

        // find file in resources path
        returnResourceFile(path, uri, response);
    }
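Note these two lines:

    if ("/submitLogin".equals(path)) {
    if (isRequireAuth() //

These two lines are clearly the authentication checks: the first handles login, and the second decides whether authentication is required. Now look at the isRequireAuth method:

    public boolean isRequireAuth() {
        return this.username != null;
    }

This method consists of a single check: authentication is required whenever the username is not null.

Next, search for where username is assigned.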



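It turns out the value is read from PARAM_NAME_USERNAME when the servlet is initialized, and the screenshot above shows that the parameter name is loginUsername.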

Now look at the login code.



Putting the analysis above together: configuring the servlet init parameters loginUsername and loginPassword in web.xml is all that is needed.

After that, visiting the Druid monitoring page automatically redirects to login.html.
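The configuration this analysis leads to, as an added example that is not from the original post or the Druid project. The credential values are placeholders to replace, and the allow value and the /druid/* mapping are assumptions chosen to match the redirects in service().

```xml
<!-- Added example. Credential values are placeholders; the allow value is constructed. -->
<servlet>
    <servlet-name>DruidStatView</servlet-name>
    <servlet-class>com.alibaba.druid.support.http.StatViewServlet</servlet-class>

    <!-- isRequireAuth() returns true only when loginUsername is set.
         Without this parameter the console is served with no login at all. -->
    <init-param>
        <param-name>loginUsername</param-name>
        <param-value>REPLACE_WITH_USERNAME</param-value>
    </init-param>

    <!-- Set together with loginUsername: /submitLogin compares both values
         with String.equals(), so the password sits in web.xml in plain text.
         Restrict read access to the deployed file accordingly. -->
    <init-param>
        <param-name>loginPassword</param-name>
        <param-value>REPLACE_WITH_STRONG_PASSWORD</param-value>
    </init-param>

    <!-- IP restriction from the official wiki. isPermittedRequest() runs before
         the login check, so other addresses get nopermit.html and never reach
         the login form. -->
    <init-param>
        <param-name>allow</param-name>
        <param-value>127.0.0.1</param-value>
    </init-param>
</servlet>

<servlet-mapping>
    <servlet-name>DruidStatView</servlet-name>
    <url-pattern>/druid/*</url-pattern>
</servlet-mapping>
```

The login state is kept in the HTTP session, and the form posts the credentials as request parameters, so serve the console over HTTPS only.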



Article URL: http://blog.csdn.net/lanmo555/article/details/40107441
