安全检查过滤器


 使用说明:

本项目的结构如下图所示:


      权限规则:admin用户能够访问admin目录、manager目录、norestriction目录和根目录下的所有资源;manager用户具有除admin目录外所有资源的访问权限;未登录用户只能访问norestriction目录和根目录下的资源。login.jsp用于用户登录,list.jsp列出可访问的Web资源;当用户没有权限访问某些资源时,显示403.jsp页面(注意:本示例是通过重定向到403.jsp来提示,浏览器实际收到的状态码是302而不是403)。


 代码:

 login.jsp

<%--
  Demo login form. POSTs "user" and "pwd" to the Login servlet (mapped as /Login,
  relative to the current directory). ${ message } is the failure text set by
  Login.java via request.setAttribute — it is server-controlled, not user input,
  so the unescaped EL output is safe here.
  NOTE(review): the <h3> below prints the demo credentials on the page; it exists
  only so the demo can be tried and must be removed before any real deployment.
--%>
<%@ page language="java" contentType="text/html; charset=UTF-8"    pageEncoding="UTF-8"%><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>登录页面</title></head><body><form action="Login" method="post"><br><br><span style="color:red">${ message }</span> <br><br>用户:<input id="user" name="user" type="text"/><br>密码:<input id="pwd" name="pwd" type="password"/><br><input type="submit" id="submit" value="提交"/><br><br><h3>用户有admin和manager,密码都是123</h3></form></body></html>

list.jsp

<%--
  Resource index shown after login. Links into the admin/, manager/ and
  norestriction/ directories; access is decided by CheckRightsFilter, not here.
  ${ sessionScope.user } is written without HTML escaping. That is acceptable only
  because Login.java stores nothing but the whitelisted values "admin"/"manager";
  if user names ever come from a database, output them with <c:out> (or
  fn:escapeXml) instead. "登出" is a plain GET link to the LoginOut servlet.
--%>
<%@ page language="java" contentType="text/html; charset=UTF-8"    pageEncoding="UTF-8"%><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>资源列表页面</title></head><body><br><br>登录用户: ${ sessionScope.user }<br><br><a href="admin/index.jsp">admin页面</a><br><a href="manager/index.jsp">manager页面</a><br><a href="norestriction/index.jsp">norestriction页面</a><br><br><a href="login.jsp">登录</a><br><a href="LoginOut">登出</a><br></body></html>

403.jsp

<%--
  "No permission" page. CheckRightsFilter sends the browser here with
  sendRedirect, so the client actually sees a 302 followed by a 200 for this
  page rather than a real HTTP 403 status; only the title says 403.
  The page contains no user-controlled output.
--%>
<%@ page language="java" contentType="text/html; charset=UTF-8"    pageEncoding="UTF-8"%><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>403错误页面</title></head><body><br><br>对不起,您没有对应权限!请<a href="list.jsp">返回</a></body></html>

index.jsp

<%--
  Protected page body. The title says "admin页面"; presumably the same file is
  placed in each of admin/, manager/ and norestriction/ — the directory, not the
  page, decides who may see it (see CheckRightsFilter).
  ${sessionScope.user } is unescaped EL output; safe only while Login.java stores
  nothing but the whitelisted names "admin"/"manager". Escape it (<c:out>) if the
  user name ever becomes free-form input.
--%>
<%@ page language="java" contentType="text/html; charset=UTF-8"    pageEncoding="UTF-8"%><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>admin页面</title></head><body><h3>欢迎${sessionScope.user }大驾光临!</h3></body></html>

Login.java

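package com.servlet;

import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionContext;

/**
 * Demo login servlet. login.jsp POSTs the "user" and "pwd" form fields here; on
 * success the user name is stored in the session under "user" (read by
 * CheckRightsFilter and the JSPs) and the browser is redirected to list.jsp.
 *
 * Accounts are hard-coded: "admin" and "manager", both with password "123".
 * A real application replaces {@link #credentialsValid} with a lookup against a
 * user store holding salted password hashes (bcrypt/scrypt/argon2) — never a
 * plaintext or bare-digest comparison like the demo one.
 *
 * The URL mapping (/Login, as used by login.jsp) is not declared in this file —
 * there is no @WebServlet annotation, so presumably web.xml maps it; confirm.
 */
public class Login extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /** Session attribute that holds the logged-in user name. */
    private static final String USER_ATTR = "user";
    /** The single demo password shared by both demo accounts. */
    private static final String DEMO_PASSWORD = "123";
    /**
     * Failure text shown on login.jsp. Deliberately identical for "unknown user"
     * and "wrong password" so the form does not reveal which accounts exist.
     */
    private static final String FAIL_MESSAGE = "用户名或密码错误!";

    public Login() {
        super();
    }

    /**
     * A GET only shows the form. The original delegated GET to doPost, which let a
     * link such as /Login?user=admin&amp;pwd=123 authenticate — putting the password
     * into access logs, proxy logs and browser history. Credentials are accepted
     * via POST only.
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.getRequestDispatcher("/login.jsp").forward(request, response);
    }

    /**
     * Validates the submitted credentials; on failure re-renders login.jsp with
     * {@code message} set, on success stores the principal in a fresh session and
     * redirects to list.jsp.
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Must run before the first getParameter() call, otherwise the form
        // fields are decoded with the container's default charset.
        request.setCharacterEncoding("UTF-8");
        String user = request.getParameter("user");
        String pwd = request.getParameter("pwd");

        if (!credentialsValid(user, pwd)) {
            request.setAttribute("message", FAIL_MESSAGE);
            request.getRequestDispatcher("/login.jsp").forward(request, response);
            return;
        }

        // Session-fixation defence: discard any session that existed before
        // authentication so an attacker-supplied session id is never promoted to
        // a logged-in one, then put the principal into a brand-new session.
        HttpSession preLogin = request.getSession(false);
        if (preLogin != null) {
            preLogin.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(USER_ATTR, user);

        // Context-relative target, consistent with LoginOut's redirect.
        response.sendRedirect(request.getContextPath() + "/list.jsp");
    }

    /**
     * True only for one of the two demo accounts presenting the demo password.
     * Null-safe: {@code "admin".equals(null)} is simply false.
     */
    private static boolean credentialsValid(String user, String pwd) {
        boolean knownUser = "admin".equals(user) || "manager".equals(user);
        return knownUser && DEMO_PASSWORD.equals(pwd);
    }
}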

LoginOut.java

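package com.servlet;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Logout servlet: invalidates the caller's session (if any) and sends the
 * browser back to login.jsp.
 *
 * list.jsp reaches it through a plain link, i.e. a GET, so doGet stays an alias
 * of doPost. A GET logout can be triggered cross-site (an {@code <img src>} on
 * another page is enough); here that only costs the victim a re-login, but a
 * real application would make logout POST-only with a CSRF token.
 *
 * The URL mapping (/LoginOut) is not declared in this file — no @WebServlet
 * annotation — so presumably web.xml maps it; confirm.
 */
public class LoginOut extends HttpServlet {
    private static final long serialVersionUID = 1L;

    public LoginOut() {
        super();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false): the original called getSession(), which for a client
        // without a session cookie allocated a brand-new session only to destroy
        // it immediately (and set a pointless JSESSIONID cookie).
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }
}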

CheckRightsFilter.java

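package com.filter;

import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Directory-based authorization filter for the demo.
 *
 * Rules (see the page description): /admin/** requires the session user
 * "admin"; /manager/** requires "admin" or "manager"; everything else
 * (/norestriction/**, the root) is open, including to anonymous callers.
 * Denied requests are redirected to /403.jsp — the client therefore sees a 302,
 * not a real 403 status; use setStatus(403) plus a forward if that matters.
 *
 * The filter mapping is not declared in this file (no @WebFilter annotation);
 * presumably web.xml maps it to /* or to the protected directories — confirm.
 * Two caveats a deployer should know:
 *  - a filter mapping applies to DispatcherType.REQUEST only unless told
 *    otherwise, so a server-side forward/include into /admin would bypass it;
 *  - the original compared the raw servlet path with startsWith("/admin"), so
 *    on a case-insensitive filesystem (Windows, default macOS) /Admin/index.jsp
 *    served the protected page while escaping the check. The path is now
 *    lower-cased before matching, and pathInfo is appended so a servlet mapped
 *    with a path prefix is covered as well.
 */
public class CheckRightsFilter implements Filter {

    private static final String ADMIN_DIR = "/admin";
    private static final String MANAGER_DIR = "/manager";
    private static final String FORBIDDEN_PAGE = "/403.jsp";
    /** Session attribute written by the Login servlet. */
    private static final String USER_ATTR = "user";

    public CheckRightsFilter() {
    }

    @Override
    public void init(FilterConfig fConfig) throws ServletException {
        // Nothing to configure; rules are fixed constants above.
    }

    @Override
    public void destroy() {
        // No resources held.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        String path = requestPath(httpRequest);
        String user = currentUser(httpRequest);

        if (!isAllowed(path, user)) {
            httpResponse.sendRedirect(httpRequest.getContextPath() + FORBIDDEN_PAGE);
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * Context-relative path of the request: servletPath plus pathInfo (null when
     * the servlet is mapped by extension, e.g. *.jsp), lower-cased so case
     * variants of a protected directory cannot slip past the prefix match.
     */
    private static String requestPath(HttpServletRequest req) {
        String pathInfo = req.getPathInfo();
        String path = req.getServletPath() + (pathInfo == null ? "" : pathInfo);
        return path.toLowerCase(Locale.ROOT);
    }

    /**
     * Logged-in user name, or null for an anonymous caller. Uses
     * getSession(false) so that merely browsing a public page no longer creates
     * a session (the original getSession() allocated one per anonymous visitor).
     */
    private static String currentUser(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session == null ? null : (String) session.getAttribute(USER_ATTR);
    }

    /** Authorization decision for a (lower-cased) context-relative path. */
    private static boolean isAllowed(String path, String user) {
        if (isUnder(path, ADMIN_DIR)) {
            return "admin".equals(user);
        }
        if (isUnder(path, MANAGER_DIR)) {
            return "admin".equals(user) || "manager".equals(user);
        }
        return true;
    }

    /**
     * True when {@code path} is the directory itself or anything beneath it.
     * Matches on the directory boundary ("/admin/..."), so a root-level file such
     * as /admin.jsp is public, as the rules say root resources are; the original
     * bare startsWith("/admin") would also have blocked such names.
     */
    private static boolean isUnder(String path, String dir) {
        return path.equals(dir) || path.startsWith(dir + "/");
    }
}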

截图:


      (登录和退出登录后的页面)



                  (admin用户登录---所有页面的权限)



                                          (manager用户权限:可以访问除admin外所有页面)



                                           (manager用户访问admin目录下的页面时,显示错误)
