Am I doing the Servlet-Filter correctly?

Problem description

Good day!

I am trying to disable access on pages that are not part of successful login. I stored the login username in a session so that I could determine if the session is null or not.

I have several pages so I've decided to create a filter in xml and filter servlet so I don't need to put the if(session == null) code on all the pages.

My code in servlet is as follows:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    // TODO Auto-generated method stub
    // place your code here
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;

    HttpSession session = req.getSession(false);
    RequestDispatcher rd;

    // need to get the servlet path
    String url = req.getServletPath();
    if (url.equals("/LoginServlet") || url.equals("/LogoutServlet") || url.equals("/login.html")) {
        chain.doFilter(request, response);
    } else {
        if (session == null) {
            rd = req.getRequestDispatcher("index.html");
            rd.forward(req, res);
        } else {
            chain.doFilter(request, response);
        }
    }
}

and my xml filter is as follows:

<filter>
    <display-name>sessionFilter</display-name>
    <filter-name>sessionFilter</filter-name>
    <filter-class>com.test.demoSession.filter.sessionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>sessionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

The problem is...

  1. I still can access other servlets without going to the log-in screen. What is the problem with my code?
  2. How can I do this better?

Recommended answer

You're only checking if the session has been created, not if the user has been logged in. This is wrong. The session can already be created long before the user logs in.

When you login a user, you should set it as a session attribute:

request.getSession().setAttribute("user", user);

In the filter you should check on that instead

User user = (User) request.getSession().getAttribute("user");

if (user == null) {
    // Not logged in.
} else {
    // Logged in.
}

See also:

    • Our Servlet-Filters wiki page