Original URL: http://stackoverflow.com/questions/33499088/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): Stack Overflow
how to disable direct access to pages from url for jsp pages
Asked by dpk
I have created a web application. Everything works fine. But if the user is not logged in, they can still access other JSP pages through the URL. I want to stop URL access. I saw some examples that show the usage of filters. I'm new to filters and I don't know how to implement one. I'm using servlets, DAO and JSP pages.
Please suggest how to do it. I want to make one filter for all the JSP or servlet pages.
web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
        <filter>
            <filter-name>MyFilter</filter-name>
            <filter-class>com.eis.servlet.MyFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>MyFilter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
        <servlet>
            <servlet-name>login</servlet-name>
            <servlet-class>com.eis.servlet.LoginServlet</servlet-class>
        </servlet>
        <servlet>
            <servlet-name>DayWiseServlet</servlet-name>
            <servlet-class>com.eis.servlet.DayWiseServlet</servlet-class>
        </servlet>
        <servlet>
            <servlet-name>RegisterServlet</servlet-name>
            <servlet-class>com.eis.servlet.RegisterServlet</servlet-class>
        </servlet>
        <servlet-mapping>
            <servlet-name>login</servlet-name>
            <url-pattern>/LoginServlet</url-pattern>
        </servlet-mapping>
        <servlet>
            <servlet-name>RetrieveServlet</servlet-name>
            <servlet-class>com.eis.servlet.RetrieveServlet</servlet-class>
        </servlet>
        <servlet-mapping>
            <servlet-name>RetrieveServlet</servlet-name>
            <url-pattern>/RetrieveServlet</url-pattern>
        </servlet-mapping>
        <servlet>
            <servlet-name>TimeSheet</servlet-name>
            <servlet-class>com.eis.servlet.TimeSheet</servlet-class>
        </servlet>
        <servlet-mapping>
            <servlet-name>TimeSheet</servlet-name>
            <url-pattern>/TimeSheet</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
            <servlet-name>DayWiseServlet</servlet-name>
            <url-pattern>/DayWiseServlet</url-pattern>
        </servlet-mapping>
        <servlet-mapping>
            <servlet-name>RegisterServlet</servlet-name>
            <url-pattern>/RegisterServlet</url-pattern>
        </servlet-mapping>
        <welcome-file-list>
            <welcome-file>/index.jsp</welcome-file>
        </welcome-file-list>
        <session-config>
            <session-timeout>15</session-timeout>
        </session-config>
    </web-app>
loginservlet.java
    public class LoginServlet extends HttpServlet {
        private static final long serialVersionUID = 1L;

        @Override
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
            String n = request.getParameter("Emp_id");
            String p = request.getParameter("Pwd");
            String Usertype = request.getParameter("usertype");
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.setAttribute("name", n);
                session.setAttribute("usertype", Usertype);
            }
            if (LoginDao.validate(n, p)) {
                RequestDispatcher rd = request.getRequestDispatcher("/daywise.jsp");
                rd.forward(request, response);
            }
            else {
                out.print("<p style=\"color:red\">Sorry Employee ID or password error</p>");
                RequestDispatcher rd = request.getRequestDispatcher("/index.jsp");
                rd.include(request, response);
            }
            out.close();
        }

        protected void doPost(HttpServletRequest request,
                HttpServletResponse response)
                throws ServletException, IOException {
            doGet(request, response);
        }
    }
myfilter:
    public class MyFilter implements Filter {
        @Override
        public void init(FilterConfig config) throws ServletException {}

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) request;
            HttpServletResponse resp = (HttpServletResponse) response;
            if (null == ((String) req.getSession().getAttribute("empid")) || ((String) req.getSession().getAttribute("empid")).equals("")) {
                chain.doFilter(req, resp);
            } else {
                resp.sendRedirect("/WebTimeSheet/index.jsp");
            }
        }

        @Override
        public void destroy() {}
    }
Loginpage:
    <form action="LoginServlet" method="post">
        <fieldset style="width: 300px">
            <legend> Login to App </legend>
            <table>
                <tr>
                    <td>User ID</td>
                    <td><input type="text" name="Emp_id" required="required" /></td>
                </tr>
                <tr>
                    <td>Password</td>
                    <td><input type="password" name="Pwd" required="required" /></td>
                </tr>
                <tr>
                    <td>User Type</td>
                    <td> <select name="usertype">
                        <option>Employee</option>
                        <option>Manager</option>
                        <option>Admin</option>
                    </select></td>
                </tr>
                <tr>
                    <td><input type="submit" value="Login" /></td>
                </tr>
            </table>
        </fieldset>
    </form>
    </body>
    <%@include file="/footer.jsp" %>
    </html>
All my JSP pages are in the Web Pages folder, which is outside the WEB-INF folder. The WEB-INF folder only has web.xml in it.
Header.jsp
    <c:choose>
        <c:when test="${usertype eq 'Employee'}">
            <div class="nav">
                <ul><li class="container"><img src="${pageContext.request.contextPath}/images/enabling.jpg" /></li>
                    <li class="current"><a href="WEB-INF/daywise.jsp">DayWise TimeSheet</a></li>
                    <li><a href="WEB-INF/timesheet.jsp">Weekly TimeSheet</a></li>
                </ul>
            </div>
        </c:when>
        <c:when test="${usertype eq 'Manager'}">
            <div class="nav">
                <ul><li class="container"><img src="${pageContext.request.contextPath}/images/enabling.jpg" /></li>
                    <li class="current"><a href="/WEB-INF/daywise.jsp">DayWise TimeSheet</a></li>
                    <li><a href="WEB-INF/timesheet.jsp">Weekly TimeSheet</a></li>
                    <li><a href="WEB-INF/newemployee.jsp">Add New Employeer</a></li>
                    <li><a href="WEB-INF/retrieve.jsp">Retrieve TimeSheet</a></li>
                </ul>
            </div>
        </c:when>
Answered by NickJ
Firstly, JSPs should not be used to serve requests, they should be used to render views. Servlets should be used to serve requests, and then forward to a JSP.
Here's an example:
    import java.io.IOException;
    import javax.servlet.RequestDispatcher;
    import javax.servlet.ServletException;
    import javax.servlet.http.*;

    public class HelloWorld extends HttpServlet {
        public void doGet(HttpServletRequest request,
                HttpServletResponse response)
                throws ServletException, IOException
        {
            //do some stuff
            //forward to JSP to show result
            String nextJSP = "/WEB-INF/result.jsp";
            RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(nextJSP);
            dispatcher.forward(request, response);
        }
    }
And in web.xml:
    <servlet>
        <servlet-name>HelloWorldServlet</servlet-name>
        <servlet-class>your.package.HelloWorld</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>HelloWorldServlet</servlet-name>
        <url-pattern>/someurl</url-pattern>
    </servlet-mapping>
In this example, the servlet forwards to a JSP in the WEB-INF directory. By putting all your JSPs in the WEB-INF directory, it means that they cannot be requested directly.
Now you have a Servlet, you can set up a Servlet Filter:
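    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.*;
    public class MyFilter implements Filter {
        public void init(FilterConfig config) throws ServletException {}
        public void doFilter(ServletRequest req, ServletResponse res,
                FilterChain chain) throws IOException, ServletException {
            // sendRedirect is only available on the HTTP response type
            HttpServletResponse response = (HttpServletResponse) res;
            HttpSession session = ((HttpServletRequest) req).getSession(false);
            // Assumption: the login servlet stores "empid" in the session on success
            boolean isLoggedIn = session != null && session.getAttribute("empid") != null;
            if (isLoggedIn) {
                //if user is logged in, complete request
                chain.doFilter(req, res);
            } else {
                //not logged in, go to login page
                response.sendRedirect("/login");
            }
        }
        public void destroy() {}
    }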
And in web.xml:
    <filter>
        <filter-name>MyFilter</filter-name>
        <filter-class>your.package.MyFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>MyFilter</filter-name>
        <url-pattern>/secret/*</url-pattern>
    </filter-mapping>
So that way any URL that fits the pattern /secret/* will be filtered so that login is required.
Answered by Suresh Atta
You need to use a servlet filter and match all the requests.
In that filter you need to check for authorization.
Here is the official docs with example
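A filter that matches all requests also sees the login page, the login servlet and static files, so it needs an allow-list or every anonymous request is redirected in a loop. The following is an added example, not code from the question or the answers; the class name `LoginRequiredFilter`, the `empid` session attribute being set only after a successful login, and `/images/` as the static-file prefix are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example: login check for a "/*" mapping with an allow-list.
// Assumption: LoginServlet stores "empid" in the session only after
// LoginDao.validate() succeeds; static files live under /images/.
public class LoginRequiredFilter implements Filter {
    // Paths (relative to the context root) reachable without a session.
    private static final Set<String> PUBLIC_PATHS = new HashSet<String>(
            Arrays.asList("/", "/index.jsp", "/LoginServlet"));
    private static final String PUBLIC_PREFIX = "/images/";

    public void init(FilterConfig config) throws ServletException {}

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Compare the container-decoded path, not the raw request URI.
        String path = req.getServletPath()
                + (req.getPathInfo() == null ? "" : req.getPathInfo());
        // getSession(false): never create a session for an anonymous visitor.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && session.getAttribute("empid") != null;
        boolean open = isPublic(path);
        if (!loggedIn && !open) {
            resp.sendRedirect(req.getContextPath() + "/index.jsp");
            return;
        }
        if (!open) {
            // Keep protected pages out of browser and proxy caches after logout.
            resp.setHeader("Cache-Control", "no-store");
        }
        chain.doFilter(request, response);
    }

    static boolean isPublic(String path) {
        return PUBLIC_PATHS.contains(path) || path.startsWith(PUBLIC_PREFIX);
    }

    public void destroy() {}
}
```

It is registered with the same `<url-pattern>/*</url-pattern>` mapping shown in the question's web.xml.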
Answered by Harshal Deole
You can set an authentication cookie in the response header
Cookie someCookie = new Cookie("cookie_name","some_value" );
and response.addCookie(someCookie)
Then, inside your filter, you can decide to call chain.doFilter(req, res) based on the cookie value.
You may control the cookie age with cookie.setMaxAge(); i.e. set the max age to '0' on log out.
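When a filter decides on a cookie value, that value has to be something the client cannot construct, because any client can send a cookie with a fixed name and value. The following is an added example, not code from the answer: a cookie value carrying the employee id and an expiry time, protected with HMAC-SHA256. The class name `AuthCookieToken`, the token layout and the sample secret are assumptions, and it needs Java 8 for `java.util.Base64`.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example: an authentication cookie value the client cannot forge.
// Assumed layout: base64url(empId|expiryMillis) "." base64url(HMAC-SHA256 of the first part)
public class AuthCookieToken {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private final byte[] key;
    public AuthCookieToken(byte[] serverSecret) { key = serverSecret.clone(); }

    private byte[] hmac(String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Value to pass to new Cookie(name, value); set HttpOnly and Secure on that cookie.
    public String issue(String empId, long expiresAtMillis) throws GeneralSecurityException {
        String payload = ENC.encodeToString((empId + "|" + expiresAtMillis).getBytes(StandardCharsets.UTF_8));
        return payload + "." + ENC.encodeToString(hmac(payload));
    }

    // Returns the employee id, or null if the value is malformed, forged or expired.
    public String verify(String value, long nowMillis) throws GeneralSecurityException {
        int dot = value == null ? -1 : value.indexOf('.');
        if (dot <= 0) return null;
        String payload = value.substring(0, dot);
        byte[] given;
        try {
            given = Base64.getUrlDecoder().decode(value.substring(dot + 1));
        } catch (IllegalArgumentException e) { return null; }
        // Constant-time MAC comparison before any field of the payload is trusted.
        if (!MessageDigest.isEqual(hmac(payload), given)) return null;
        String text = new String(Base64.getUrlDecoder().decode(payload), StandardCharsets.UTF_8);
        int bar = text.lastIndexOf('|');
        if (Long.parseLong(text.substring(bar + 1)) < nowMillis) return null;
        return text.substring(0, bar);
    }

    public static void main(String[] args) throws Exception {
        AuthCookieToken t = new AuthCookieToken("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        String v = t.issue("E1001", 2000L); // constructed sample id and expiry
        System.out.println(t.verify(v, 1000L) + " " + t.verify(v, 3000L) + " " + t.verify("x" + v, 1000L));
    }
}
```

The three calls in `main` exercise a valid value, the same value after its expiry time, and a tampered value.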