Servlet filter runs in an infinite redirect loop when the user is not logged in

Time: 2015-01-07 12:26:05

Tags: servlets login servlet-filters redirect-loop

I have two HTML files

  1. login.html
  2. Test.html

My requirement is that the user should not be able to access test.html unless he has successfully logged in through login.html.

    This is my login.html file

    <html>
    <head>
    <title>Login Page 122</title>
    </head>
    <body>
    <form action="LoginServlet" method="post">
    Username: <input type="text" name="user">
    <br>
    Password: <input type="password" name="pwd">
    <br>
    <input type="submit" value="Login User">
    </form>
    </body>
    </html>
    

    This is my LoginServlet; the request is sent to it when the submit button is clicked

    package com;

    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.RequestDispatcher;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    public class LoginServlet extends HttpServlet {
        private static final long serialVersionUID = 1L;
        // Credentials are hard-coded constants in this example
        private final String userID = "admin";
        private final String password = "password";

        protected void doPost(HttpServletRequest request,
                HttpServletResponse response) throws ServletException, IOException {

            String user = request.getParameter("user");
            String pwd = request.getParameter("pwd");

            if(userID.equals(user) && password.equals(pwd)){
                // Mark the session as authenticated; the filter checks this attribute
                HttpSession session = request.getSession();
                session.setAttribute("user", "LoggedIN");
                response.sendRedirect("LoginSuccess.jsp");
            }else{
                // Show the error message followed by the login form again
                RequestDispatcher rd = getServletContext().getRequestDispatcher("/login.html");
                PrintWriter out= response.getWriter();
                out.println("<font color=red>Either user name or password is wrong.</font>");
                rd.include(request, response);
            }

        }

    }
    

    This is my Filter class, which protects *.html resources

    package com;

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletContext;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    public class AuthenticationFilter implements Filter {
        private ServletContext context;

        public void init(FilterConfig fConfig) throws ServletException {
            this.context = fConfig.getServletContext();
            this.context.log("AuthenticationFilter initialized");
        }

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse res = (HttpServletResponse) response;
            String uri = req.getRequestURI();
            this.context.log("Requested Resource::"+uri);
            // Do not create a session just to check whether one exists
            HttpSession session = req.getSession(false);
            // Null-safe comparison: the attribute may be absent even when a session exists
            if(session == null || !"LoggedIN".equals(session.getAttribute("user"))){
                this.context.log("Unauthorized access request");
                System.out.println("Into session is null condition");
                // Redirects to login.html for every *.html request, login.html itself included
                res.sendRedirect("login.html");
            }else{
                System.out.println("Into chain do filter");
                chain.doFilter(request, response);
            }
        }

        public void destroy() {
        }
    }
    

    This is my web.xml file

    <?xml version="1.0" encoding="UTF-8"?>
    
    <web-app>
      <display-name>LoginFilter</display-name>
      <servlet>
        <description></description>
        <display-name>LoginServlet</display-name>
        <servlet-name>LoginServlet</servlet-name>
        <servlet-class>com.LoginServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>LoginServlet</servlet-name>
        <url-pattern>/LoginServlet</url-pattern>
      </servlet-mapping>
      <servlet>
        <description></description>
        <display-name>LogoutServlet</display-name>
        <servlet-name>LogoutServlet</servlet-name>
        <servlet-class>com.LogoutServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>LogoutServlet</servlet-name>
        <url-pattern>/LogoutServlet</url-pattern>
      </servlet-mapping>
      <filter>
        <display-name>AuthenticationFilter</display-name>
        <filter-name>AuthenticationFilter</filter-name>
        <filter-class>com.AuthenticationFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>AuthenticationFilter</filter-name>
        <url-pattern>*.html</url-pattern>
      </filter-mapping>
    </web-app>
    

    The problem I see is

    I see this statement in the server console many times.

    Into session is null condition
    Into session is null condition
    Into session is null condition
    Into session is null condition
    Into session is null condition
    Into session is null condition
    Into session is null condition
    Into session is null condition
    Into session is null condition
    Into session is null condition
    Into session is null condition
    Into session is null condition
    Into session is null condition
    

1 answer:

Answer 0: (score: 4)

The AuthenticationFilter also runs when login.html is requested. But instead of continuing the filter chain, the code redirects to login.html again. That explains the infinite redirect loop.

You need to let the filter continue the request when the currently requested page is already the login page itself.

E.g.

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthenticationFilter implements Filter {

    public void init(FilterConfig fConfig) throws ServletException {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);
        // Context-relative URL, so it matches getRequestURI() and works from any path depth
        String loginURL = req.getContextPath() + "/login.html";

        boolean loggedIn = session != null && session.getAttribute("user") != null;
        // The login page itself must pass through, otherwise redirecting to it re-enters this filter
        boolean loginRequest = loginURL.equals(req.getRequestURI());

        if (loggedIn || loginRequest) {
            chain.doFilter(request, response);
        } else {
            res.sendRedirect(loginURL);
        }
    }

    public void destroy() {
    }
}

See also:
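As an added example (not the question's or the answer's code), here is how the filter and the login servlet fit together once the login page and the login servlet are both excluded from the check. It assumes the javax.servlet 3.x API, the same "user" session attribute and the paths shown in the question, and that the filter is mapped to /* in web.xml instead of *.html, so that LoginSuccess.jsp is protected as well. It goes beyond the answer in two ways: the public-path check is a list rather than a single URL, and the servlet discards any pre-existing session before marking the new one as authenticated, so a session id that was issued before login never becomes an authenticated one.

```java
package com;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed web.xml mapping: <url-pattern>/*</url-pattern> for this filter,
// so every resource in the application is checked, not only *.html.
public class AuthenticationFilter implements Filter {

    // Resources that must stay reachable without a session; otherwise the
    // redirect to the login page would itself be redirected (the loop in the question).
    private static final String[] PUBLIC_PATHS = { "/login.html", "/LoginServlet" };

    public void init(FilterConfig fConfig) throws ServletException {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Strip the context path so the comparison does not depend on the
        // deployment name (e.g. /LoginFilter/login.html vs /login.html).
        String path = req.getRequestURI().substring(req.getContextPath().length());

        if (isPublic(path) || isLoggedIn(req)) {
            chain.doFilter(request, response);
            return;
        }

        // Context-relative absolute path: resolves the same way from any directory
        // depth, unlike the relative "login.html" used in the question.
        res.sendRedirect(req.getContextPath() + "/login.html");
    }

    static boolean isPublic(String path) {
        for (String p : PUBLIC_PATHS) {
            if (p.equals(path)) {
                return true;
            }
        }
        return false;
    }

    static boolean isLoggedIn(HttpServletRequest req) {
        HttpSession session = req.getSession(false); // never create a session just to inspect it
        // Null-safe: the question's code called toString() on a possibly-null attribute.
        return session != null && "LoggedIN".equals(session.getAttribute("user"));
    }

    public void destroy() {
    }
}

// Companion servlet (would live in its own file LoginServlet.java); only the
// successful-login branch differs from the question's version.
class LoginServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;
    private final String userID = "admin";      // hard-coded credentials, as in the question
    private final String password = "password";

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (userID.equals(request.getParameter("user"))
                && password.equals(request.getParameter("pwd"))) {
            HttpSession old = request.getSession(false);
            if (old != null) {
                old.invalidate();          // drop the session id the browser held before login
            }
            HttpSession session = request.getSession(true); // fresh id for the authenticated user
            session.setAttribute("user", "LoggedIN");
            response.sendRedirect(request.getContextPath() + "/LoginSuccess.jsp");
        } else {
            // Send the browser back to the form rather than including it in a POST response
            response.sendRedirect(request.getContextPath() + "/login.html?error=1");
        }
    }
}
```

With the filter mapped to /*, anything not in PUBLIC_PATHS requires the session attribute, so a new protected page does not need its own mapping entry; the trade-off is that static assets the login page needs (stylesheets, images) must be added to PUBLIC_PATHS too, or the login page will render without them.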