javascript JSP 页面应该如何检查身份验证
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/15961940/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How JSP page should check authentication
提问by Allan Jiang
I am new to web programming. I am asking a common pattern to do things like checking authentication. Here is the scenario:
我是网络编程的新手。我要求使用通用模式来执行检查身份验证等操作。这是场景:
The website has a login page for visitors. It will take username and encrypted password and sent them to server, then get either a error code (username/password doesn't match)or an auth key from the server. When the user logged in successfully, I want the website automatically jump to the main.jsppage that presents the main functionality of the website.
该网站有一个供访问者使用的登录页面。它将获取用户名和加密密码并将它们发送到服务器,然后从服务器获取错误代码(用户名/密码不匹配)或身份验证密钥。当用户登录成功时,我希望网站自动跳转到main.jsp展示网站主要功能的页面。
In this case, I want main.jspcheck the user authentication. That is, I don't want such thing happens like user can directly open www.example.com/main.jsp, and if they did thing like this, I want to redirect them to login page.
在这种情况下,我想main.jsp检查用户身份验证。也就是说,我不希望像用户可以直接打开这样的事情发生www.example.com/main.jsp,如果他们做了这样的事情,我想将他们重定向到登录页面。
So how could I pass authentication information across page, and how could I prevent user from directly accessing the main.jspwithout login? Do I need to use session or anything?
那么如何跨页面传递身份验证信息,以及如何防止用户直接访问main.jsp未登录?我需要使用 session 或任何东西吗?
回答by Joseph Caracuel
you could try using filters:
您可以尝试使用过滤器:
Filter can pre-process a request before it reaches a servlet, post-process a response leaving a servlet, or do both. Filters can intercept, examine, and modify requests and responses.
过滤器可以在请求到达 servlet 之前对其进行预处理,对离开 servlet 的响应进行后处理,或者两者都做。过滤器可以拦截、检查和修改请求和响应。
NOTE:be sure to add a session attribute once your user is logged in, you can use that session attribute on the filter
注意:确保在您的用户登录后添加会话属性,您可以在过滤器上使用该会话属性
on your login.jspadd:
在您的login.jsp 上添加:
session.setAttribute("LOGIN_USER", user);
//user entity if you have or user type of your user account...
//if not set then LOGIN_USER will be null
web.xml
网页.xml
<filter>
<filter-name>SessionCheckFilter</filter-name>
<filter-class>yourjavapackage.SessionCheckFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>SessionCheckFilter</filter-name>
<!--url-pattern>/app/*</url-pattern-->
<url-pattern>/main.jsp</url-pattern> <!-- url from where you implement the filtering -->
</filter-mapping>
SessionCheckFilter.java
SessionCheckFilter.java
public class SessionCheckFilter implements Filter {
private String contextPath;
@Override
public void init(FilterConfig fc) throws ServletException {
contextPath = fc.getServletContext().getContextPath();
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain fc) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
if (req.getSession().getAttribute("LOGIN_USER") == null) { //checks if there's a LOGIN_USER set in session...
res.sendRedirect(contextPath + "/login.jsp"); //or page where you want to redirect
} else {
String userType = (String) req.getSession().getAttribute("LOGIN_USER");
if (!userType.equals("ADMIN")){ //check if user type is not admin
res.sendRedirect(contextPath + "/login.jsp"); //or page where you want to
}
fc.doFilter(request, response);
}
}
@Override
public void destroy() {
}
}
回答by user207421
How JSP page should check authentication
JSP 页面应该如何检查身份验证
It shouldn't. You should use Container Managed Authentication, and define the login/security in web.xml via URL patterns.
它不应该。您应该使用容器管理的身份验证,并通过 URL 模式在 web.xml 中定义登录/安全性。
Added by Glen Best:
由 Glen Best 添加:
E.g. Add something like this to web.xml:
例如,在 web.xml 中添加类似的内容:
<security-constraint>
<display-name>GET: Employees Only</display-name>
<web-resource-collection>
<web-resource-name>Restricted Get</web-resource-name>
<url-pattern>/restricted/employee/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Employee</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
回答by user3282475
This also works for me
这也适用于我
<filter>
<filter-name>SessionCheckFilter</filter-name>
<filter-class>yourjavapackage.SessionCheckFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>SessionCheckFilter</filter-name>
<!--url-pattern>/app/*</url-pattern-->
<url-pattern>/main.jsp</url-pattern> <!-- url from where you implement the filtering -->
</filter-mapping>
public class SessionCheckFilter implements Filter {
private String contextPath;
@Override
public void init(FilterConfig fc) throws ServletException {
contextPath = fc.getServletContext().getContextPath();
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain fc) throws IOException, ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
if (req.getSession().getAttribute("LOGIN_USER") == null) { //checks if there's a LOGIN_USER set in session...
req.getRequestDispatcher("login.jsp").forward(req, resp); //or page where you want to redirect
} else {
String userType = (String) req.getSession().getAttribute("LOGIN_USER");
if (userType.equals("ADMIN")){ //check if user type is admin
fc.doFilter(request, response); it redirected towards main.jsp
}
}
}
@Override
public void destroy() {
}
}
回答by Yster
How about using:
如何使用:
String username = request.getRemoteUser();
