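Requests to an Action can be validated using interceptors. Also, direct requests to a JSP page can be avoided by using an empty action declaration. It is something like this: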
<action name="home" >
    <result>home.jsp</result>
</action>
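I want to validate this call to a JSP page. I feel one simple approach would be to add an action (ActionSupport) and an Interceptor that checks the action name (and does some validation using the session etc.). But I doubt whether it reduces performance, because that action class does nothing and only runs its execute() (a useless task...), when there is supposed to be an empty action. (But: I have read some documentation on Struts2, and it says that even if we don't add an Action class, the framework itself adds an action class which returns "success", so adding an action ourselves or not doesn't affect anything new.)
Anyway, I'd like to know what your best approaches are to validate or authorize access to some JSP pages. (The number of pages can be large... not just one JSP page.)
Added:
Example:
Let's say there are some restricted pages that not all users can access; for example, a user's account page can be visited only by logged-in users. There can be more pages of this type. If a request comes for such a page, the user has to be validated. Then, if the request comes through an empty/anonymous action (as explained in the code snippet above: only an action name, no real class), how do I validate such requests to JSP pages? Should an action class be used for this?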
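Answer 0: (score: 1)
If your concern is to secure some part of your application so that only authenticated and authorized users can access that part, then you have two options:
Interceptor-based authentication is quite easy. Here is an example of how to do this, but such authentication is not recommended for a production-based, real-life application, since it is really a very simple case.
If you are looking for a complete authentication system, I suggest you look at Spring Security. It is quite easy and configurable; all you need to do is tell the underlying Spring mechanism about all the areas and the secured tags, and Spring Security will intercept them before your action gets called, and only successful and authorized actions will get called by Spring Security.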
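The interceptor-based option described in this answer, applied to the class-less action from the question, as an added example that is not code from the post or its linked sample. The session key `user`, the package, stack and interceptor names, the `/WEB-INF/jsp/` paths and the `login` result are assumptions.

```java
package example.security; // hypothetical package

import java.util.Map;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Denies any action, including class-less "empty" actions that only forward
 * to a JSP, unless the session holds a logged-in user.
 *
 * Wiring in struts.xml (constructed sample; all names are assumptions):
 *
 *   <package name="secure" namespace="/account" extends="struts-default">
 *     <interceptors>
 *       <interceptor name="loginRequired"
 *                    class="example.security.LoginRequiredInterceptor"/>
 *       <interceptor-stack name="secureStack">
 *         <interceptor-ref name="loginRequired"/>
 *         <interceptor-ref name="defaultStack"/>
 *       </interceptor-stack>
 *     </interceptors>
 *     <default-interceptor-ref name="secureStack"/>
 *     <global-results>
 *       <result name="login">/WEB-INF/jsp/login.jsp</result>
 *     </global-results>
 *     <!-- Empty action: no class attribute, still runs secureStack. -->
 *     <action name="home">
 *       <result>/WEB-INF/jsp/home.jsp</result>
 *     </action>
 *   </package>
 */
public class LoginRequiredInterceptor extends AbstractInterceptor {

    // Assumption: the login action stores the user under this session key.
    static final String USER_KEY = "user";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        // Fail closed: no session map or no user entry means no access.
        if (session == null || session.get(USER_KEY) == null) {
            return Action.LOGIN; // "login", resolved by the global result above
        }
        return invocation.invoke(); // continue to the (possibly empty) action
    }
}
```

Because the JSPs sit under `/WEB-INF/`, the container will not serve them on a direct request, so the action and its interceptor stack are the only route to the page. The empty action needs no class of its own for the check to run.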
Answer 1: (score: 1)
// This is authorization
package com.kogent.action;

import java.io.IOException;
import java.util.List;
import java.util.regex.Pattern;

import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts2.dispatcher.Dispatcher;
import org.apache.struts2.dispatcher.mapper.ActionMapping;
import org.apache.struts2.dispatcher.ng.ExecuteOperations;
import org.apache.struts2.dispatcher.ng.InitOperations;
import org.apache.struts2.dispatcher.ng.PrepareOperations;
import org.apache.struts2.dispatcher.ng.filter.FilterHostConfig;
import org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter;

public class SessionController extends StrutsPrepareAndExecuteFilter {
    protected PrepareOperations prepare;
    protected ExecuteOperations execute;
    protected List<Pattern> excludedPatterns = null;

    public void init(FilterConfig filterConfig) throws ServletException {
        InitOperations init = new InitOperations();
        try {
            FilterHostConfig config = new FilterHostConfig(filterConfig);
            init.initLogging(config);
            Dispatcher dispatcher = init.initDispatcher(config);
            init.initStaticContentLoader(config, dispatcher);
            prepare = new PrepareOperations(filterConfig.getServletContext(),
                    dispatcher);
            execute = new ExecuteOperations(filterConfig.getServletContext(),
                    dispatcher);
            this.excludedPatterns = init.buildExcludedPatternsList(dispatcher);
            postInit(dispatcher, filterConfig);
        } finally {
            init.cleanup();
        }
    }

    /**
     * Callback for post initialization
     */
    protected void postInit(Dispatcher dispatcher, FilterConfig filterConfig) {
    }

    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            prepare.setEncodingAndLocale(request, response);
            prepare.createActionContext(request, response);
            prepare.assignDispatcherToThread();
            if (excludedPatterns != null
                    && prepare.isUrlExcluded(request, excludedPatterns)) {
                chain.doFilter(request, response);
            } else {
                request = prepare.wrapRequest(request);
                ActionMapping mapping = prepare.findActionMapping(request,
                        response, true);
                if (mapping == null) {
                    boolean handled = execute.executeStaticResourceRequest(
                            request, response);
                    if (!handled) {
                        chain.doFilter(request, response);
                    }
                } else {
                    // Here you have to identify whether the user has access
                    // to the requested resource or not, and allow the request
                    // only if they do.
                    // Placeholder: replace with your own check; denies by default.
                    boolean someCondition = false;
                    if (someCondition) {
                        execute.executeAction(request, response, mapping);
                    } else {
                        // Redirect the user however you want.
                        ActionMapping modifiedActionMapping = new ActionMapping();
                        modifiedActionMapping.setName("someActionName");
                        modifiedActionMapping.setNamespace("someNameSpace");
                        execute.executeAction(request, response, modifiedActionMapping);
                    }
                }
            }
        } finally {
            prepare.cleanupRequest(request);
        }
    }

    public void destroy() {
        prepare.cleanupDispatcher();
    }
}
<filter>
    <filter-name>struts2</filter-name>
    <filter-class>Point to your customized filter</filter-class>
</filter>