Using a Filter to Control User Login Access

Source: Internet | Published: 大富豪源码 | Editor: 程序博客网 | Time: 2024/06/05 03:40

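I have been learning JSP for quite a while and have built seven or eight projects, yet in every one of them the user simply logs in and is redirected to the pages they are allowed to use, or is shown links to the pages they may access. That is a naive way to control access. It never occurred to me that, without logging in at all, I could type the address of a user page directly and open it.

In JSP, access control is implemented with a Filter. Every development framework has Filters built in; if you are not using a framework, it can be implemented as follows: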

LoginFilter.java

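package filter; // matches <filter-class>filter.LoginFilter</filter-class> in web.xml

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginFilter implements Filter {
    // URLs that may be requested without logging in (exact match)
    private String permitUrls[] = null;
    // Where unauthenticated requests are redirected
    private String gotoUrl = null;

    public void destroy() {
        permitUrls = null;
        gotoUrl = null;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Anything not on the allow-list requires a logged-in user
        if (!isPermitUrl(request)) {
            if (filterCurrUrl(request)) {
                System.out.println("--->请登录"); // "please log in"
                resp.sendRedirect(req.getContextPath() + gotoUrl);
                return;
            }
        }
        System.out.println("--->允许访问"); // "access allowed"
        chain.doFilter(request, response);
    }

    // Returns true when the request must be blocked, i.e. the session holds
    // no "user" attribute (the login servlet stores the User object there)
    public boolean filterCurrUrl(ServletRequest request) {
        HttpServletRequest req = (HttpServletRequest) request;
        // getSession(false) does not create a session for anonymous requests
        HttpSession session = req.getSession(false);
        return session == null || session.getAttribute("user") == null;
    }

    // Returns true when the current URL exactly matches an entry in permitUrls
    public boolean isPermitUrl(ServletRequest request) {
        boolean isPermit = false;
        String currentUrl = currentUrl(request);

        if (permitUrls != null && permitUrls.length > 0) {
            for (int i = 0; i < permitUrls.length; i++) {
                if (permitUrls[i].equals(currentUrl)) {
                    isPermit = true;
                    break;
                }
            }
        }
        return isPermit;
    }

    // Requested URL relative to the context path, plus "?task=..." when a
    // task parameter is present
    public String currentUrl(ServletRequest request) {
        HttpServletRequest req = (HttpServletRequest) request;
        String task = request.getParameter("task");
        String path = req.getContextPath();
        String uri = req.getRequestURI();
        if (task != null) { // URI format: xx/ser
            uri = uri.substring(path.length(), uri.length()) + "?" + "task="
                    + task;
        } else {
            uri = uri.substring(path.length(), uri.length());
        }
        System.out.println("当前请求地址:" + uri); // "current request URL:"
        return uri;
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        String permitUrls = filterConfig.getInitParameter("permitUrls");
        String gotoUrl = filterConfig.getInitParameter("gotoUrl");

        // Without gotoUrl the redirect target would be "<context path>null"
        if (gotoUrl == null) {
            throw new ServletException("init-param gotoUrl is required");
        }
        this.gotoUrl = gotoUrl;

        if (permitUrls != null && permitUrls.length() > 0) {
            this.permitUrls = permitUrls.split(",");
        }
    }

}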

Web.xml

<filter>
    <filter-name>loginFilter</filter-name>
    <filter-class>filter.LoginFilter</filter-class>
 
    <init-param>
        <param-name>ignore</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>permitUrls</param-name>
        <param-value>/,/servlet/Loginservlet?task=login,/public.jsp,/login.jsp</param-value>
    </init-param>
    <init-param>
        <param-name>gotoUrl</param-name>
        <param-value>/login.jsp</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>loginFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

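If you are not familiar with how a Filter is configured and how it works, see this site's article: Principles and Creation of the Web Filter (Web过滤器Filter的原理与创建) | X-Dang http://xdang.org/post-491.html

This code mainly implements filtering on user login; permission filtering works on the same principle. Just replace the check for whether the user is logged in with a check for whether the user has permission!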
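The permission check described above, written out as an added example (it is not code from the original post): a second filter that maps path prefixes to the roles allowed to reach them and denies everything else. The `rules` init-param, the `role` session attribute and the sample paths are assumptions, because the post does not show how a user's permissions are stored.

```java
package filter;

import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class PermissionFilter implements Filter {
    // Path prefix -> allowed roles, from the hypothetical init-param "rules",
    // e.g. "/admin/=admin;/user/=admin,user" (constructed). First match wins.
    private final Map<String, Set<String>> rules = new LinkedHashMap<>();

    public void init(FilterConfig cfg) throws ServletException {
        String raw = cfg.getInitParameter("rules");
        if (raw == null) throw new ServletException("init-param 'rules' is required");
        for (String rule : raw.split(";")) {
            String[] kv = rule.trim().split("=", 2);
            if (kv.length != 2) throw new ServletException("bad rule: " + rule);
            rules.put(kv[0].trim(), new HashSet<>(Arrays.asList(kv[1].trim().split("\\s*,\\s*"))));
        }
    }

    // Decision logic kept free of servlet types so it can be unit-tested.
    // Fails closed: no role, a suspicious path or no matching rule means "deny".
    static boolean isAllowed(Map<String, Set<String>> rules, String path, String role) {
        if (role == null || path.contains("..") || path.contains(";")) return false;
        for (Map.Entry<String, Set<String>> e : rules.entrySet()) {
            if (path.startsWith(e.getKey())) return e.getValue().contains(role);
        }
        return false;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession(false); // never create a session here
        // "role" is an assumed session attribute set by the login servlet.
        Object role = session == null ? null : session.getAttribute("role");
        // Servlet path and path info are decoded by the container, unlike getRequestURI().
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
        if (!isAllowed(rules, path, role instanceof String ? (String) role : null)) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() { rules.clear(); }
}
```

Map this filter only to the protected areas and declare its `<filter-mapping>` after the one for loginFilter, since filters run in mapping order. A logged-in user without the required role receives 403 instead of a redirect to the login page.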
