How to keep a page from being accessed by users who are not logged in
Scenario:
- I have a login page; after a successful login it jumps to the admin page.
- If someone skips the login page and goes straight to the admin page, isn't that very insecure?
- So we need to check whether the user actually has the right to bypass the login, that is, whether they have already logged in.
Three ways to do the permission check:
Controlling access to a single page
Check the session in the page itself
Login.jsp
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>
  <form action="DemoServlet" method="post">
    <input type="text" name="username"><p>
    <!-- type="password" so the browser masks the input; the original used type="text" -->
    <input type="password" name="password">
    <input type="checkbox" name="rememberMe" value="yes">记住我<br>
    <input type="submit" value="提交">
  </form>
</body>
</html>
Servlet.java
What it does: if the account and password match, the user is assigned a session.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Servlet implementation class DemoServlet
 */
@WebServlet("/DemoServlet")
public class DemoServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * @see HttpServlet#HttpServlet()
     */
    public DemoServlet() {
        super();
    }

    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        HttpSession session = request.getSession();
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        // Constant-first equals() avoids a NullPointerException when a parameter is missing
        if ("admin".equals(username) && "123456".equals(password)) {
            // Credentials matched: mark this session as logged in
            session.setAttribute("isLogin", "yes");
            session.setAttribute("username", username);
            if (request.getParameter("rememberMe") != null) {
                Cookie cookie = new Cookie("username", username);
                response.addCookie(cookie);
            }
            request.getRequestDispatcher("admin/manager.jsp").forward(request, response);
        } else {
            if (session.getAttribute("username") == null) {
                response.sendRedirect("login.jsp");
            } else {
                // Session already marked as logged in by an earlier request: go to the admin page
                request.getRequestDispatcher("admin/manager.jsp").forward(request, response);
            }
        }
    }

    /**
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}
manager.jsp, the page shown after a successful login
If session.getAttribute("username") is null, the user's login failed and the servlet never assigned a session to the user, so at that point:
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%
    // The way to keep a page from being accessed by users who are not logged in is to check the session in the page
    if (session.getAttribute("username") == null) {
        System.out.println("转发请求到../login.jsp");
        response.sendRedirect("../login.jsp");
        return; // stop here; without this the rest of the page is still rendered after the redirect
    }
    //String username = (String)session.getAttribute("username");
%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>管理员页面!</body>
</html>
Controlling access to multiple pages
Scenario:
- When the session check is used on many pages, the same session check would have to be written into every page. To cut down on duplicated code we can create a separate page that handles the session logic on its own.
Create an empty page dedicated to the session check; the other pages simply include it when they run.
checkLogin.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%
    // This page only handles the permission check, so it needs no HTML
    // Only go further if the request carries cookies at all
    if (request.getCookies() != null) {
        // Check whether the client sent the rm (rememberMe) cookie
        Cookie[] cookies = request.getCookies();
        String username = "";
        for (Cookie cookie : cookies) {
            if (cookie.getName().equals("username")) {
                username = cookie.getValue();
                session.setAttribute("username", username);
            }
        }
    }
    if (session.getAttribute("username") == null) {
        System.out.println("转发请求到../login.jsp");
        response.sendRedirect("../login.jsp");
        return; // stop rendering after the redirect
    }
%>
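A caveat on the two snippets above (the rememberMe cookie written by the servlet and the cookie loop in checkLogin.jsp): the cookie holds the bare user name, and checkLogin.jsp copies whatever name it finds into the session, so any client that sets a username cookie by hand is treated as that user without ever logging in. The class below is an added example, not code from the original post. It signs the remember-me value with HMAC-SHA256 under a server-side secret and includes an expiry, so that checkLogin.jsp (or a filter) can call verify() and set the session attribute only for a token the server itself issued. The class name RememberMeToken, the cookie name and the method names are my own choices, and the secret is assumed to be loaded from server configuration rather than hard-coded.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;

/**
 * Added example, not code from the original post.
 * Cookie value layout: base64url(username) + "." + expiryMillis + "." + base64url(hmac)
 * The HMAC is computed with a secret only the server knows, so a client can neither
 * forge a token for another user nor extend the lifetime of its own token.
 */
public final class RememberMeToken {
    public static final String COOKIE_NAME = "rememberMe";   // assumed cookie name
    private static final String ALG = "HmacSHA256";
    private final byte[] secret;                              // server-side key, never sent to the client

    /** The secret is assumed to come from server configuration (at least 32 random bytes). */
    public RememberMeToken(byte[] secret) {
        this.secret = secret.clone();
    }

    /** Issues a cookie for the given user that stops verifying after ttlMillis. */
    public Cookie issue(String username, long ttlMillis) throws GeneralSecurityException {
        long expiry = System.currentTimeMillis() + ttlMillis;
        String payload = b64(username.getBytes(StandardCharsets.UTF_8)) + "." + expiry;
        String value = payload + "." + b64(hmac(payload));
        Cookie c = new Cookie(COOKIE_NAME, value);
        c.setHttpOnly(true);                 // not readable by page scripts (Servlet 3.0+)
        c.setSecure(true);                   // only sent over HTTPS
        c.setPath("/");
        c.setMaxAge((int) (ttlMillis / 1000));
        return c;
    }

    /** Returns the user name if the token is authentic and unexpired, otherwise null. */
    public String verify(String cookieValue) throws GeneralSecurityException {
        if (cookieValue == null) return null;
        String[] parts = cookieValue.split("\\.");   // base64url never contains '.', so this split is safe
        if (parts.length != 3) return null;
        String payload = parts[0] + "." + parts[1];
        byte[] expectedMac = hmac(payload);
        byte[] presentedMac;
        long expiry;
        try {
            presentedMac = Base64.getUrlDecoder().decode(parts[2]);
            expiry = Long.parseLong(parts[1]);
        } catch (IllegalArgumentException e) {   // NumberFormatException is a subclass, so it is caught too
            return null;
        }
        // Constant-time comparison, so response timing does not reveal how many MAC bytes matched
        if (!MessageDigest.isEqual(expectedMac, presentedMac)) return null;
        if (System.currentTimeMillis() > expiry) return null;
        return new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
    }

    private byte[] hmac(String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(secret, ALG));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    private static String b64(byte[] bytes) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
}
```

In the servlet, when rememberMe is checked, add the cookie returned by issue(username, ttl) instead of new Cookie("username", username). In checkLogin.jsp, replace the loop that copies the cookie straight into the session with a verify() call on the cookie named COOKIE_NAME, and call session.setAttribute("username", name) only when verify() returns a name. setHttpOnly needs Servlet 3.0 or later, which the @WebServlet annotation used in the post already requires.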
In manager.jsp, just include checkLogin.jsp:
<%@ include file="checkLogin.jsp" %>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%-- Second method: use <%@include %> to pull the code in.
     The included code is first loaded into the current page and then executed together with it --%>
<%@ include file="checkLogin.jsp" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>管理员页面!</body>
</html>
Filters
Online API documentation:
http://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/Filter.html
Filter is the Java web filter interface.
Common Filter use cases
- 1) Authentication Filters
- 2) Logging and Auditing Filters
- 3) Image conversion Filters
- 4) Data compression Filters
- 5) Encryption Filters
- 6) Tokenizing Filters
- 7) Filters that trigger resource access events
- 8) XSL/T filters
- 9) Mime-type chain Filter
Commonly used Filter classes
javax.servlet.Filter
javax.servlet.FilterConfig
javax.servlet.FilterChain
The initialization method, init
public void init(FilterConfig fConfig) throws ServletException { }
The destroy method, destroy
public void destroy() { }
The filtering method body, doFilter
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    chain.doFilter(request, response);
}
Login filter
Fill in the class name and the directory to be filtered.
LoginFilter.java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

/**
 * Guards everything under "/admin/*"
 */
@WebFilter("/admin/*")
public class LoginFilter implements Filter {
    public void init(FilterConfig fConfig) throws ServletException { }

    public void destroy() { }

    /**
     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        HttpSession session = req.getSession();
        if (session.getAttribute("username") == null) {
            System.out.println("过滤器:username为空,返回到login.jsp页面");
            res.sendRedirect("../login.jsp");
            return; // do not continue the chain after redirecting, or the protected page is still served
        }
        chain.doFilter(request, response);
    }
}
When admin/manager.jsp is accessed directly, the filter intercepts the request automatically.
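A fuller version of the login filter, added here as an example rather than taken from the post. It differs from LoginFilter above in four ways a practitioner usually wants: it uses getSession(false) so that anonymous hits on /admin/* do not create server-side sessions, it stops right after redirecting so the protected page is never written after the redirect, it builds the redirect from the context path instead of the relative ../login.jsp (which only resolves correctly one directory deep), and it passes the requested URL to the login page so the user can be sent back there. The class name AuthGuardFilter, the init-param name loginPage and the next parameter are my own assumptions.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example, not the original post's LoginFilter.
 * Protects everything under /admin/*; login.jsp lives outside that path, so no redirect loop.
 */
@WebFilter("/admin/*")
public class AuthGuardFilter implements Filter {          // class name is an assumption
    private String loginPage = "/login.jsp";               // relative to the context path; init-param may override

    public void init(FilterConfig fConfig) throws ServletException {
        String configured = fConfig.getInitParameter("loginPage");   // assumed init-param name
        if (configured != null) loginPage = configured;
    }

    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        if (isLoggedIn(req)) {
            chain.doFilter(request, response);
            return;
        }
        // Not logged in: remember where the user wanted to go, then send them to the login page
        String target = req.getRequestURI();
        if (req.getQueryString() != null) target += "?" + req.getQueryString();
        res.sendRedirect(req.getContextPath() + loginPage
                + "?next=" + URLEncoder.encode(target, "UTF-8"));
        // Nothing after sendRedirect: the protected resource must not be served
    }

    /**
     * Logged in means a session already exists and carries the "username" attribute
     * that the login servlet sets. getSession(false) never creates a session, so
     * unauthenticated requests cost no server-side state.
     */
    static boolean isLoggedIn(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session != null && session.getAttribute("username") != null;
    }
}
```

If the login servlet honours the next parameter, it should accept only values that start with the application's context path followed by a slash; otherwise the parameter could be used to send a freshly logged-in user to an external site.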