10月24日<java web 中Filter的使用>
案例:使用Filter验证用户登录安全控制
<!-- web.xml fragment: registers SessionFilter and maps it to every request of the application. -->
<filter>
  <filter-name>SessionFilter</filter-name>
  <filter-class>com.action.login.SessionFilter</filter-class>
  <init-param>
    <param-name>logonStrings</param-name>
    <!-- Semicolon-separated login resources that are let through without a session check.
         Every entry is an unauthenticated entry point, so keep the list as short and as
         specific as possible. -->
    <param-value>/project/index.jsp;login.do</param-value>
  </init-param>
  <init-param>
    <param-name>includeStrings</param-name>
    <!-- Only requests carrying one of these suffixes are subject to the login check.
         Anything else passes through unchecked, so a protected resource served under a
         different extension or servlet mapping is NOT covered by this filter. -->
    <param-value>.do;.jsp</param-value>
  </init-param>
  <init-param>
    <param-name>redirectPath</param-name>
    <!-- Context-relative page the browser is redirected to when the login check fails. -->
    <param-value>/index.jsp</param-value>
  </init-param>
  <init-param>
    <param-name>disabletestfilter</param-name>
    <!-- Y: the filter is switched off and every request passes without a login check.
         Keep this at N outside of local testing. -->
    <param-value>N</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SessionFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
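package com.action.login;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Checks whether the user is logged in and redirects to the login page when not.
 *
 * <p>Configuration (init parameters):
 * <ul>
 *   <li>{@code logonStrings} - semicolon-separated login resources that are exempt from the
 *       check. An entry matches only when the request path ends with it on a path-segment
 *       boundary ({@code login.do} matches {@code /app/login.do} but not
 *       {@code /app/adminlogin.do}).</li>
 *   <li>{@code includeStrings} - semicolon-separated markers (e.g. {@code .do;.jsp}); only
 *       requests whose path contains one of them are checked.</li>
 *   <li>{@code redirectPath} - context-relative page to redirect to when the check fails.</li>
 *   <li>{@code disabletestfilter} - {@code Y} switches the check off for every request.</li>
 * </ul>
 *
 * <p>Security notes: the exemption list is matched against the container-decoded path with
 * path parameters removed, not against the raw request URI, so that a request cannot earn the
 * exemption merely by embedding a login resource name somewhere in its URI. Resources that
 * carry none of the {@code includeStrings} markers are not protected by this filter at all.
 */
public class SessionFilter implements Filter {

    /** Filter configuration handed over by the container in {@link #init(FilterConfig)}. */
    public FilterConfig config;

    @Override
    public void destroy() {
        this.config = null;
    }

    /**
     * Returns {@code true} when {@code container} contains at least one of the given strings.
     * Despite the parameter name, the entries are plain substrings, not regular expressions.
     *
     * @param container the string to search in
     * @param regx      the substrings to look for
     * @return {@code true} if any entry occurs in {@code container}
     */
    public static boolean isContains(String container, String[] regx) {
        for (String candidate : regx) {
            if (container.indexOf(candidate) != -1) {
                return true;
            }
        }
        return false;
    }

    /**
     * Lets the request continue when the filter is disabled, when the resource is outside the
     * configured scope, when it is a login resource, or when the session holds the
     * {@code useronly} attribute; otherwise redirects to the configured login page.
     *
     * @throws ServletException if a required init parameter is missing
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hrequest = (HttpServletRequest) request;
        HttpServletResponseWrapper wrapper =
                new HttpServletResponseWrapper((HttpServletResponse) response);

        // Null-safe comparison: a missing parameter leaves the check switched ON.
        // NOTE(review): "Y" removes the login check for the whole application; it must not be
        // set in a production deployment.
        if ("Y".equalsIgnoreCase(config.getInitParameter("disabletestfilter"))) {
            chain.doFilter(request, response);
            return;
        }

        String[] logonList = requiredParam("logonStrings").split(";");
        String[] includeList = requiredParam("includeStrings").split(";");
        String redirectPath = hrequest.getContextPath() + requiredParam("redirectPath");

        String rawUri = hrequest.getRequestURI();
        String path = normalizedPath(hrequest);

        // Scope test stays deliberately broad (substring, raw or decoded form): a wider match
        // only means more requests get the login check.
        boolean inScope = isContains(rawUri, includeList) || isContains(path, includeList);
        if (!inScope) {
            chain.doFilter(request, response);
            return;
        }

        // Exemption test is deliberately strict: decoded path, segment-bounded suffix match.
        if (isLoginResource(path, logonList)) {
            chain.doFilter(request, response);
            return;
        }

        // getSession(false): do not create a session for a visitor who is not logged in.
        HttpSession session = hrequest.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("useronly");
        if (user == null) {
            wrapper.sendRedirect(redirectPath);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        config = filterConfig;
    }

    /** Reads an init parameter and fails the request with a clear message when it is absent. */
    private String requiredParam(String name) throws ServletException {
        String value = config.getInitParameter(name);
        if (value == null) {
            throw new ServletException("SessionFilter: missing init-param '" + name + "'");
        }
        return value;
    }

    /** Builds context path + servlet path + path info and drops any ";param" path parameters. */
    private static String normalizedPath(HttpServletRequest req) {
        StringBuilder path = new StringBuilder();
        path.append(req.getContextPath()).append(req.getServletPath());
        String pathInfo = req.getPathInfo();
        if (pathInfo != null) {
            path.append(pathInfo);
        }
        return path.toString().replaceAll(";[^/]*", "");
    }

    /** Returns true when the path ends with one of the entries on a path-segment boundary. */
    private static boolean isLoginResource(String path, String[] entries) {
        for (String entry : entries) {
            String trimmed = entry.trim();
            if (trimmed.length() == 0) {
                continue; // an empty entry would otherwise exempt every request
            }
            String suffix = trimmed.startsWith("/") ? trimmed : "/" + trimmed;
            if (path.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }
}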
几点说明:1.request.getContextPath()得到的是web应用的路径(例如 /MyTest),所以在实际应用中常常先用这种方法得到这个web应用的路径,这样方便进行移植。
2.这里对响应的处理利用了装饰者模式,也就是在HttpServletResponse外面加了一层外衣,底层的实现还是委托给了被包装的HttpServletResponse对象。在这个例子中其实没有必要这样包装一下,因为仅仅进行了一个转向。但是如果要在过滤器中对响应进行一番处理,这个包装就必不可少,否则响应就会直接返回容器,而不是沿着chain层层弹栈再回到浏览器。比如要对响应的内容进行压缩,这时就如上做一个包装,就可以达到先返回过滤器再回到容器的操作。具体的实现代码看《head first servlet&jsp》p690-p694