How to restrict subfolders after login

Time: 2018-04-12 09:26:11

Tags: authentication jsf java-ee jsf-2 glassfish

Before I begin, I have checked many tutorials, and there are many questions on stackoverflow, but none of them seem to give me what I want. Here is my problem:

I have a class User, and 3 others derived from User: admin, recruteur and candidat.

What I did (and what I found in all the tutorials and questions) is to put a filter on user login, so if he is logged in he can view the folder secure/*, but if not, he is redirected to login.xhtml.

Now what I want is to add other folders, so an admin can only access the admin folder + the secure folder, a recruiter can only access secure + the recruiter folder, etc...

Right now I have put adminFolder, recruterFolder and candidatFolder inside secureFolder, but I cannot restrict the subfolders. Here is the code of my filter:

    // user = member: login stores the logged-in member under the session attribute "membre"
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        HttpSession session = request.getSession(false);   // do not create a session just to check it

        String loginURI = request.getContextPath() + "/index.xhtml";

        boolean loggedIn = session != null && session.getAttribute("membre") != null;
        boolean loginRequest = request.getRequestURI().equals(loginURI);
        // JSF resources (/javax.faces.resource/*) must stay reachable for the login page itself
        boolean resourceRequest = request.getRequestURI().startsWith(request.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER);

        if (loggedIn || loginRequest || resourceRequest) {
            chain.doFilter(request, response);
        } else {
            response.sendRedirect(loginURI);
        }
    }

2 answers:

Answer 0 (score: 1)

Create another filter (the same as your filter, but with this added:

import java.io.IOException;
import javax.faces.application.ResourceHandler;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SecuredRoleFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        HttpSession session = request.getSession(false);

        String loginURI = request.getContextPath() + "/index.xhtml";

        // Role check: only a member whose session attribute "role" is "Candidat" passes.
        // Constant-first equals() avoids a NullPointerException when no role is stored.
        boolean loggedIn = session != null && "Candidat".equals(session.getAttribute("role"));
        boolean loginRequest = request.getRequestURI().equals(loginURI);
        boolean resourceRequest = request.getRequestURI().startsWith(request.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER);

        if (loggedIn || loginRequest || resourceRequest) {
            chain.doFilter(request, response);
        } else {
            response.sendRedirect(loginURI);
        }
    }

    @Override
    public void destroy() {}

    @Override
    public void init(FilterConfig arg0) throws ServletException {}

}

Now add the filters in web.xml:

<filter>
    <filter-name>secured</filter-name>
    <filter-class>packageName.ConxFilter</filter-class>       
</filter>
<filter-mapping>
    <filter-name>secured</filter-name>
    <url-pattern>/secured/*</url-pattern>       
</filter-mapping>

<filter>  
    <filter-name>securedCandidat</filter-name>
    <filter-class>packageName.SecuredRoleFilter</filter-class>        
</filter>
<filter-mapping>
    <filter-name>securedCandidat</filter-name>
    <url-pattern>/secured/candidatFolder/*</url-pattern>        
</filter-mapping>

Answer 1 (score: 0)

This works in your filter:

if (loggedIn || loginRequest || resourceRequest) {
    // Only read the session when someone is actually logged in: on the login page
    // or a resource request the session may still be null.
    Membre membre = loggedIn ? (Membre) session.getAttribute("membre") : null;
    if (request.getRequestURI().contains("adminFolder")
        && (membre == null || !"ADMIN".equals(membre.getDtype()))) {

        // When a user tries to access the admin folder without being ADMIN,
        // redirect to the login page
        response.sendRedirect(loginURI);
    } else {
        chain.doFilter(request, response);
    }
} else {
    response.sendRedirect(loginURI);
}
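Answer 0 needs one filter class and one web.xml mapping per folder, and answer 1 matches a folder name anywhere in the raw request URI. The following is an added example, not code from either answer or from the asker's project, that folds the whole access matrix from the question into a single filter mapped to `/secured/*`. It assumes that the login code stores the role name under the session attribute `"role"` as `"ADMIN"`, `"RECRUTEUR"` or `"CANDIDAT"`, that the FacesServlet is mapped with the `*.xhtml` suffix (so `getServletPath()` is the full page path), and that the folder names are those from the question; the class name `RoleFolderFilter`, the `authorize` helper and the `Decision` enum are choices made for this example.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.faces.application.ResourceHandler;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: one filter mapped to /secured/* that enforces a folder -> role table.
// Assumption: the login code stores the role name under the session attribute "role"
// with the values "ADMIN", "RECRUTEUR" or "CANDIDAT".
public class RoleFolderFilter implements Filter {

    enum Decision { ALLOW, LOGIN, FORBIDDEN }

    // Folder prefix (relative to the context path) -> the only role allowed inside it.
    // Anything else under /secured/ only requires a login.
    private static final Map<String, String> FOLDER_ROLES = new LinkedHashMap<>();
    static {
        FOLDER_ROLES.put("/secured/adminFolder/", "ADMIN");
        FOLDER_ROLES.put("/secured/recruterFolder/", "RECRUTEUR");
        FOLDER_ROLES.put("/secured/candidatFolder/", "CANDIDAT");
    }

    // Pure policy decision, kept apart from servlet plumbing so it can be tested without a container.
    static Decision authorize(String path, String role) {
        if (role == null) {
            return Decision.LOGIN;              // nobody is logged in
        }
        for (Map.Entry<String, String> e : FOLDER_ROLES.entrySet()) {
            if (path.startsWith(e.getKey())) {
                return e.getValue().equals(role) ? Decision.ALLOW : Decision.FORBIDDEN;
            }
        }
        return Decision.ALLOW;                  // logged in, shared /secured/ area
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        HttpSession session = request.getSession(false);

        String loginURI = request.getContextPath() + "/index.xhtml";

        // The login page and JSF resources (/javax.faces.resource/*) are always reachable.
        if (request.getRequestURI().equals(loginURI)
                || request.getRequestURI().startsWith(
                        request.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) {
            chain.doFilter(request, response);
            return;
        }

        // getServletPath()/getPathInfo() are decoded and context-relative, unlike
        // getRequestURI(), so a percent-encoded folder name cannot dodge the prefix match.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        String role = session == null ? null : (String) session.getAttribute("role");

        switch (authorize(path, role)) {
            case ALLOW:
                chain.doFilter(request, response);
                break;
            case FORBIDDEN:
                // Logged in but wrong role: answer a 403 instead of bouncing an
                // authenticated user back to the login page.
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                break;
            default:
                response.sendRedirect(loginURI);
        }
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    // Stand-alone check of the policy table; runs without a servlet container.
    public static void main(String[] args) {
        System.out.println(authorize("/secured/adminFolder/users.xhtml", "ADMIN"));
        System.out.println(authorize("/secured/adminFolder/users.xhtml", "CANDIDAT"));
        System.out.println(authorize("/secured/home.xhtml", "CANDIDAT"));
        System.out.println(authorize("/secured/candidatFolder/cv.xhtml", null));
    }
}
```

Register it once in web.xml with `<url-pattern>/secured/*</url-pattern>` in place of the per-folder mappings; adding a folder is then one more `FOLDER_ROLES.put(...)` line. The `main` method needs only the servlet API and JSF API jars on the classpath to compile and shows the four outcomes (allow, forbidden, allow, login) without deploying to GlassFish.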