我是网络编程的新手。我问一个常见的模式来做一些事情,比如检查身份验证。这是场景:
该网站有一个访问者登录页面。它将使用用户名和加密密码并将其发送到服务器,然后从服务器获取错误代码(用户名/密码不匹配)或auth密钥。当用户成功登录时,我希望网站自动跳转到显示网站主要功能的main.jsp页面。
在这种情况下,我希望main.jsp检查用户身份验证。也就是说,我不希望这样的事情发生,比如用户可以直接打开www.example.com/main.jsp,如果他们做了这样的事情,我想将它们重定向到登录页面。
那么我怎么能跨页面传递身份验证信息呢?如何在没有登录的情况下阻止用户直接访问main.jsp?我需要使用会话还是其他什么?
答案 0 :(得分:15)
您可以尝试使用过滤器:
过滤器可以在请求到达servlet之前对其进行预处理, 后处理离开servlet的响应,或两者兼而有之。 过滤器可以拦截,检查和修改请求和响应。
注意:请务必在用户登录后添加会话属性,您可以在过滤器上使用该会话属性
login.jsp 上的添加:
session.setAttribute("LOGIN_USER", user);
//user entity if you have or user type of your user account...
//if not set then LOGIN_USER will be null
<强>的web.xml
<filter>
<filter-name>SessionCheckFilter</filter-name>
<filter-class>yourjavapackage.SessionCheckFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>SessionCheckFilter</filter-name>
<!--url-pattern>/app/*</url-pattern-->
<url-pattern>/main.jsp</url-pattern> <!-- url from where you implement the filtering -->
</filter-mapping>
<强> SessionCheckFilter.java
public class SessionCheckFilter implements Filter {
private String contextPath;
@Override
public void init(FilterConfig fc) throws ServletException {
contextPath = fc.getServletContext().getContextPath();
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain fc) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
if (req.getSession().getAttribute("LOGIN_USER") == null) { //checks if there's a LOGIN_USER set in session...
res.sendRedirect(contextPath + "/login.jsp"); //or page where you want to redirect
} else {
String userType = (String) req.getSession().getAttribute("LOGIN_USER");
if (!userType.equals("ADMIN")){ //check if user type is not admin
res.sendRedirect(contextPath + "/login.jsp"); //or page where you want to
}
fc.doFilter(request, response);
}
}
@Override
public void destroy() {
}
}
答案 1 :(得分:5)
JSP页面应如何检查身份验证
不应该。您应该使用容器管理身份验证,并通过URL模式在web.xml中定义登录/安全性。
Glen Best添加:
E.g。将这样的内容添加到web.xml:
<security-constraint>
<display-name>GET: Employees Only</display-name>
<web-resource-collection>
<web-resource-name>Restricted Get</web-resource-name>
<url-pattern>/restricted/employee/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Employee</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
答案 2 :(得分:0)
这对我也有用
<filter>
<filter-name>SessionCheckFilter</filter-name>
<filter-class>yourjavapackage.SessionCheckFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>SessionCheckFilter</filter-name>
<!--url-pattern>/app/*</url-pattern-->
<url-pattern>/main.jsp</url-pattern> <!-- url from where you implement the filtering -->
</filter-mapping>
public class SessionCheckFilter implements Filter {
private String contextPath;
@Override
public void init(FilterConfig fc) throws ServletException {
contextPath = fc.getServletContext().getContextPath();
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain fc) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
if (req.getSession().getAttribute("LOGIN_USER") == null) { //checks if there's a LOGIN_USER set in session...
req.getRequestDispatcher("login.jsp").forward(req, resp); //or page where you want to redirect
} else {
String userType = (String) req.getSession().getAttribute("LOGIN_USER");
if (userType.equals("ADMIN")){ //check if user type is admin
fc.doFilter(request, response); it redirected towards main.jsp
}
}
}
@Override
public void destroy() {
}
}
答案 3 :(得分:-4)
如何使用:
String username = request.getRemoteUser();