java Writing an authorization filter for my web app (JSF 2.0)

Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. You are free to use and share it, but you must follow the same CC BY-SA licence, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/5662367/

Date: 2020-10-30 12:09:14  Source: igfitidea

Writing an authorization filter for my web app(JSF 2.0)

Tags: java, jsf, jakarta-ee, jsf-2, authorization

Asked by sfrj

Following some advice, I decided to write my own authorization filter for my web app (I am not using container-managed security, so I have to do it this way).

This is my first filter, so I am a bit confused about how I should implement it. This is what I did so far:

package filters;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import entities.Role;

public class RestrictPageFilter implements Filter {

    FilterConfig fc;

    public void init(FilterConfig filterConfig) throws ServletException {
        // The easiest way to initialize the filter
        fc = filterConfig;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);
        String pageRequested = req.getRequestURL().toString();

        Role currentUser = (Role) session.getAttribute("userRole");

        //Pages that are allowed with no need to login:
        //-faq.xhtml
        //-index.jsp
        //-login.xhtml
        //-main.xhtml
        //-registration.xhtml

        //NOW pages that are restricted depending on the type of user
        //buyoffer.xhtml(Only BUYER)
        //sellerpanel.xhtml(Only SELLER)
        //adminpanel.xhtml(Only ADMINISTRATOR)

        //HOW SHOULD I IMPLEMENT THAT??
        if(currentUser != null && currentUser.getType().equals("BUYER")) {          

        }
        if(currentUser != null && currentUser.getType().equals("SELLER")) {         

        }
        if(currentUser != null && currentUser.getType().equals("ADMINISTRATOR")) {          

        }


    }

    public void destroy() {
        // Not needed
    }
}

As you see, I left comments where I got stuck. Can someone give me a hand finishing this filter, or give me some pseudo-code tips on how I should finish it?

I saw some examples around the web, but none of them do different filtering depending on the user type.

I'll appreciate your help :)

Update

I created an XML file to help me do the filtering (it is located inside WEB-INF/classes):

<access>
    <buyer>
        <page>buyoffer.xhtml</page>
        <page>faq.xhtml</page>
        <page>index.jsp</page>
        <page>login.xhtml</page>
        <page>main.xhtml</page>
        <page>registrationSucceded.xhtml</page>     
    </buyer>
    <seller>
        <page>sellerpanel.xhtml</page>
        <page>faq.xhtml</page>
        <page>index.jsp</page>
        <page>login.xhtml</page>
        <page>main.xhtml</page>
        <page>registrationSucceded.xhtml</page>     
    </seller>
    <administrator>
        <page>sellerpanel.xhtml</page>
        <page>faq.xhtml</page>
        <page>index.jsp</page>
        <page>login.xhtml</page>
        <page>main.xhtml</page>
        <page>registrationSucceded.xhtml</page>     
    </administrator>
</access>

<!-- THE REGISTRATION PAGES SHOULD NOT BE ACCESSIBLE IF THE USER IS LOGGED IN -->

I read the file from the init() method:

// Same imports as in the first version, plus:
import java.io.InputStream;

public class RestrictPageFilter implements Filter {

    private FilterConfig fc;
    private InputStream in;

    public void init(FilterConfig filterConfig) throws ServletException {
        // The easiest way to initialize the filter
        fc = filterConfig;
        //Get the file that contains the allowed pages
        in = this.getClass().getResourceAsStream("/allowedpages.xml");
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);
        String pageRequested = req.getRequestURL().toString();

        //Get the value of the current logged user 
        Role currentUser = (Role) session.getAttribute("userRole");
        if (currentUser != null) {

        }
    }

    public void destroy() {
        // Not needed
    }
}

Answered by Jigar Joshi

If you need to allow access, simply call:

// it will process request normally, means it will leave the control from Filter
chain.doFilter(request, response);

If you want to restrict the user, then call:

//take some action
response.sendRedirect("URL to some page"); // it will simply redirect the user

Some suggestions

  • Make it configurable using some sort of XML or properties file; your code seems hard-coded to me: tomorrow there might be another page added, so you would need to recompile your Filter.

  • If allowed, then simply use Spring Security; it has got nice features. Also, you won't be reinventing the wheel.