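I built an application using GWT + RequestFactory (MVP) + GAE. Some services or methods are exposed to the GWT client, for example:
1. create
2. remove
3. query
I want to add authorization to "create" and "remove", but not to "query". I did it with a servlet filter: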
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
            FilterChain filterChain) throws IOException, ServletException {
        UserService userService = UserServiceFactory.getUserService();
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (!userService.isUserLoggedIn()) {
            response.setHeader("login", userService.createLoginURL(request.getHeader("pageurl")));
            // response.setHeader("login", userService.createLoginURL(request.getRequestURI()));
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        filterChain.doFilter(request, response);
    }
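My question is how to determine which request is coming in (I mean, which class and service the request will be routed to). There are some header fields that contain the module name, but I don't think that is a secure approach. Is it possible to get the RequestFactory-related classes from the HTTP request?
Thanks

Answer 0 (score: 2)
This is hard to do in a servlet filter. Instead, you can provide a custom decorator in the RF ServiceLayerDecorator chain. The implementation might look like this: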
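    import com.google.web.bindery.requestfactory.server.ServiceLayerDecorator;

    import java.lang.reflect.Method;

    public class SecurityDecorator extends ServiceLayerDecorator {
        // Called for each domain service method before it runs.
        // isAllowed() and handleSecurityViolation() are placeholders to be implemented.
        @Override
        public Object invoke(Method domainMethod, Object... args) {
            if (!isAllowed(domainMethod)) {
                handleSecurityViolation();
            }
            return super.invoke(domainMethod, args);
        }
    }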
To register the additional decorator, provide a custom RF servlet:
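    import com.google.web.bindery.requestfactory.server.DefaultExceptionHandler;
    import com.google.web.bindery.requestfactory.server.RequestFactoryServlet;

    public class SecurityAwareRequestFactoryServlet extends RequestFactoryServlet {
        public SecurityAwareRequestFactoryServlet() {
            // Pass the decorator to the servlet so it is added to the service layer chain
            super(new DefaultExceptionHandler(), new SecurityDecorator());
        }
    }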
And register it in web.xml:
    <servlet>
        <servlet-name>gwtRequest</servlet-name>
        <servlet-class>com.company.SecurityAwareRequestFactoryServlet</servlet-class>
    </servlet>
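
One way to fill in the per-method check that the answer leaves open, as an added example that is not part of the original question or answer: the decision is made from the resolved domain method on the server, not from a client-supplied header. The `RequiresLogin` annotation, the `LoginRequiredDecorator` class and the `ItemService` class are hypothetical names; the App Engine `UserService` is the one used in the question's filter.

```java
import com.google.appengine.api.users.UserServiceFactory;
import com.google.web.bindery.requestfactory.server.ServiceLayerDecorator;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

public class LoginRequiredDecorator extends ServiceLayerDecorator {

    /** Hypothetical marker for service methods (or whole classes) that need a signed-in user. */
    @Retention(RetentionPolicy.RUNTIME) // must be visible to reflection at request time
    @Target({ElementType.METHOD, ElementType.TYPE})
    public @interface RequiresLogin {}

    @Override
    public Object invoke(Method domainMethod, Object... args) {
        if (requiresLogin(domainMethod)
                && !UserServiceFactory.getUserService().isUserLoggedIn()) {
            // report() is ServiceLayerDecorator's helper for failing this invocation;
            // the domain method is never called.
            return report("Login required for " + domainMethod.getName());
        }
        return super.invoke(domainMethod, args);
    }

    /** True when the method, or the class declaring it, carries @RequiresLogin. */
    static boolean requiresLogin(Method m) {
        return m.isAnnotationPresent(RequiresLogin.class)
                || m.getDeclaringClass().isAnnotationPresent(RequiresLogin.class);
    }

    /** Hypothetical service matching the question: create and remove guarded, query open. */
    public static class ItemService {
        @RequiresLogin
        public static void create(String name) { /* persist the item */ }

        @RequiresLogin
        public static void remove(Long id) { /* delete the item */ }

        public static String query(Long id) { return null; /* look up the item */ }
    }
}
```

Pass `new LoginRequiredDecorator()` to the `RequestFactoryServlet` constructor in place of `SecurityDecorator` to use it.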