Struts2中利用filter、session实现安全访问和身份认证

1、开发环境：

Eclipse软件

JDK 1.7

Apach Tomcat 7

2、通过eclipse创建Dynamic Web Project后,导入相应的Struts2 的jar文件：

3、导入jar包后，创建如下图所示项目相应目录：

   权限说明 
（1） 根目录（WebContent）下的资源,如：index.jsp和login.jsp，允许匿名访问。 
（2） Admin目录下的admin.jsp只允许角色为”admin”的用户访问。 User目录下的user.jsp只允许角色为”user”的用户访问

4、相应的jsp代码如下：

@index.jsp:

<%@ page language="java" contentType="text/html; charset=UTF-8"pageEncoding="UTF-8"%><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Insert title here</title></head><body><form name="welcome" action="welcome" method="post"><table><tr><td>welcome to you !</td></tr><tr><td><input value="login" type="submit" /></td></tr></table></form></body></html>

@login.jsp:

<%@ page language="java" contentType="text/html; charset=UTF-8"pageEncoding="UTF-8"%><%String path = request.getContextPath();String basePath = request.getScheme() + "://"+ request.getServerName() + ":" + request.getServerPort()+ path + "/";%><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><base href="<%=basePath%>"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Insert title here</title></head><body><form name="login" action="login" method="post"><table><tr><td>用户名</td><td><input name="name" type="text" /></td></tr><tr><td>密码</td><td><input name="password" type="password" /></td></tr><tr><td></td><td><input value="submit" type="submit" /></td></tr></table></form><%=path%><%=request.getRequestURI()%><%=request.getServletPath()%></body></html>

@user.jsp:

<%@ page language="java" contentType="text/html; charset=UTF-8"pageEncoding="UTF-8"%><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Insert title here</title></head><body><%String user = (String) session.getAttribute("name");String balance = (String) session.getAttribute("balance");String address = (String) session.getAttribute("address");String tel = (String) session.getAttribute("tel");%><form><table><tr><td>用户名：</td><td><%=user %></td></tr><tr><td>余额：</td><td><%=balance %></td></tr><tr><td>住址：</td><td><%=address %></td></tr><tr><td>电话：</td><td><%=tel %></td></tr></table></form></body></html>

@admin.jsp:

<%@ page language="java" contentType="text/html; charset=UTF-8"    pageEncoding="UTF-8"%><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Insert title here</title></head><body><%String user = (String) session.getAttribute("name");String balance = (String) session.getAttribute("balance");String address = (String) session.getAttribute("address");String tel = (String) session.getAttribute("tel");%><form><table><tr><td>用户名：</td><td><%=user %></td></tr><tr><td>余额：</td><td><%=balance %></td></tr><tr><td>住址：</td><td><%=address %></td></tr><tr><td>电话：</td><td><%=tel %></td></tr></table></form></body></html>

@创建用于登陆验证类Login.java：

package com.axb.cheney.filter;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpSession;import org.apache.struts2.interceptor.ServletRequestAware;import com.opensymphony.xwork2.ActionSupport;public class Login extends ActionSupport  implements ServletRequestAware{  private static final long serialVersionUID = 1L;  private String name;  private String password;  private HttpServletRequest request;  public String pass()  {    HttpServletRequest req = this.request;    HttpSession session = req.getSession();    if ((this.name.equals("user1")) && (this.password.equals("password1"))) {      session.setAttribute("name", this.name);      session.setAttribute("balance", "10,000");      session.setAttribute("address", "广东省深圳市福田区购物公园");      session.setAttribute("tel", "12665654856");      System.out.println("login:" + this.name);      return "user";    }if ((this.name.equals("admin")) && (this.password.equals("password2"))) {      session.setAttribute("name", this.name);      session.setAttribute("balance", "9,000");      session.setAttribute("address", "广东省珠海市香洲区北理工");      session.setAttribute("tel", "14956569898");      System.out.println("login:" + this.name);      return "admin";    }    System.out.println("login: fail");    return "failure";  }  public String getName()  {    return this.name;  }  public void setName(String name) {    this.name = name;  }  public String getPassword() {    return this.password;  }  public void setPassword(String password) {    this.password = password;  }  public HttpServletRequest getRequest() {    return this.request;  }  public void setServletRequest(HttpServletRequest request)  {    this.request = request;  }}

@修改Struts.xml文件：

<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE struts PUBLIC"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN""http://struts.apache.org/dtds/struts-2.3.dtd"><struts><constant name="struts.enable.DynamicMethodInvocation" value="false" /><constant name="struts.devMode" value="true" /><package name="default" namespace="/" extends="struts-default"><default-action-ref name="index" /><global-results><result name="error">/WEB-INF/error.jsp</result></global-results><action name="welcome"><result>/login.jsp </result></action><action name="login" class="com.axb.cheney.filter.Login"method="pass"><result name="failure">/login.jsp </result><result name="user">/user/user.jsp </result><result name="admin">/admin/admin.jsp </result></action></package></struts>

@创建用于拦截验证身份的UserAuthenticationFilter.java

package com.axb.cheney.filter;import java.io.IOException;import javax.servlet.Filter;import javax.servlet.FilterChain;import javax.servlet.FilterConfig;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import javax.servlet.http.HttpSession;public class UserAuthenticationFilter  implements Filter{  private static String LOGIN_PAGE = "/login.jsp";  public void destroy()  {  }  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)    throws IOException, ServletException  {    HttpServletRequest req = (HttpServletRequest)request;    HttpServletResponse res = (HttpServletResponse)response;    String currentUrl = req.getServletPath();    HttpSession session = req.getSession();    System.out.println("UserAuthenticationFilter");    if (currentUrl.equals("")) currentUrl = currentUrl + "/";    if ((currentUrl.startsWith("/")) && (!currentUrl.startsWith("/login.jsp"))) {      String user = (String)session.getAttribute("name");      if (user == null) {        res.sendRedirect(req.getContextPath() + LOGIN_PAGE);        return;      }      if (!user.equals("user1")) {        session.removeAttribute("name");        res.sendRedirect(req.getContextPath() + LOGIN_PAGE);        return;      }    }    chain.doFilter(request, response);  }  public void init(FilterConfig arg0)    throws ServletException  {  }}

@创建用于拦截验证身份的AdminAuthenticationFilter.java

package com.axb.cheney.filter;import java.io.IOException;import javax.servlet.Filter;import javax.servlet.FilterChain;import javax.servlet.FilterConfig;import javax.servlet.ServletException;import javax.servlet.ServletRequest;import javax.servlet.ServletResponse;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import javax.servlet.http.HttpSession;public class AdminAuthenticationFilter  implements Filter{  private static String LOGIN_PAGE = "/login.jsp";  public void destroy()  {  }  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)    throws IOException, ServletException  {    HttpServletRequest req = (HttpServletRequest)request;    HttpServletResponse res = (HttpServletResponse)response;    String currentUrl = req.getServletPath();    HttpSession session = req.getSession();    System.out.println("AdminAuthenticationFilter");    if (currentUrl.equals("")) currentUrl = currentUrl + "/";    if ((currentUrl.startsWith("/")) && (!currentUrl.startsWith("/login.jsp"))) {      String user = (String)session.getAttribute("name");      if (user == null) {        res.sendRedirect(req.getContextPath() + LOGIN_PAGE);        return;      }      if (!user.equals("admin")) {        session.removeAttribute("name");        res.sendRedirect(req.getContextPath() + LOGIN_PAGE);        return;      }    }    chain.doFilter(request, response);  }  public void init(FilterConfig arg0)    throws ServletException  {  }}

@最后配置web.xml文件用于过滤admin和user目录下的资源访问

<?xml version="1.0" encoding="UTF-8"?><web-app id="WebApp_9" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"><display-name>SAML</display-name><welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list> <filter><filter-name>struts2</filter-name><filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class></filter><filter-mapping><filter-name>struts2</filter-name><url-pattern>/*</url-pattern></filter-mapping> <filter><filter-name>UserAuthentication</filter-name><filter-class>com.axb.cheney.filter.UserAuthenticationFilter</filter-class></filter><filter-mapping><filter-name>UserAuthentication</filter-name><url-pattern>/user/*</url-pattern></filter-mapping><filter><filter-name>AdminAuthentication</filter-name><filter-class>com.axb.cheney.filter.AdminAuthenticationFilter</filter-class></filter><filter-mapping><filter-name>AdminAuthentication</filter-name><url-pattern>/admin/*</url-pattern></filter-mapping></web-app>

5、测试结果如下：

@当第一次运行tomcat时，页面显示index.jsp主界面，如图1所示。

当点击页面<login>按钮，页面将调转到图2所示用户登陆页面。

图1

图2

@当你想通过直接访问user资源时，如图3所示，输入资源相应路径时，访问User子目录的任何资源，

都将被UserAuthenticationFilter捕获。UserAuthenticationFilter对请求进行验证，检查session中是否

有正确的登录信息，是否有相应的权限。如果通过了验证，允许访问，否则不允许访问，向客户端浏

览器返回login.jsp，让用户进行登录。

图3

图4

@当验证正确时，页面显示请求的相应内容，如图5所示

图5