Writing an authorization filter for my web app (JSF 2.0)

Problem description

Following some advice, I decided to write my own authorization filter for my web app (I am not using container-managed security, so I have to do it this way).

This is my first filter, so I am a bit confused about how I should implement it. This is what I did so far:

package filters;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import entities.Role;

public class RestrictPageFilter implements Filter {

    FilterConfig fc;

    public void init(FilterConfig filterConfig) throws ServletException {
        // The easiest way to initialize the filter
        fc = filterConfig;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);
        String pageRequested = req.getRequestURL().toString();

        Role currentUser = (Role) session.getAttribute("userRole");

        //Pages that are allowed with no need to login:
        //-faq.xhtml
        //-index.jsp
        //-login.xhtml
        //-main.xhtml
        //-registration.xhtml

        //NOW pages that are restricted depending on the type of user
        //buyoffer.xhtml(Only BUYER)
        //sellerpanel.xhtml(Only SELLER)
        //adminpanel.xhtml(Only ADMINISTRATOR)

        //HOW SHOULD I IMPLEMENT THAT??
        if(currentUser != null && currentUser.getType().equals("BUYER")) {          

        }
        if(currentUser != null && currentUser.getType().equals("SELLER")) {         

        }
        if(currentUser != null && currentUser.getType().equals("ADMINISTRATOR")) {          

        }


    }

    public void destroy() {
        // Not needed
    }
}

As you see, I left comments there where I got stuck. Can someone give me a hand finishing this filter, or give me some pseudocode tips on how I should finish it?

I saw some examples around the web, but none of them do different filtering depending on the user type.

Thank you very much for your help :)

Update

I created an XML file to help me do the filtering (it is located inside WEB-INF/classes):

<access>
    <buyer>
        <page>buyoffer.xhtml</page>
        <page>faq.xhtml</page>
        <page>index.jsp</page>
        <page>login.xhtml</page>
        <page>main.xhtml</page>
        <page>registrationSucceded.xhtml</page>     
    </buyer>
    <seller>
        <page>sellerpanel.xhtml</page>
        <page>faq.xhtml</page>
        <page>index.jsp</page>
        <page>login.xhtml</page>
        <page>main.xhtml</page>
        <page>registrationSucceded.xhtml</page>     
    </seller>
    <administrator>
        <page>sellerpanel.xhtml</page>
        <page>faq.xhtml</page>
        <page>index.jsp</page>
        <page>login.xhtml</page>
        <page>main.xhtml</page>
        <page>registrationSucceded.xhtml</page>     
    </administrator>
</access>

<!-- THE REGISTRATION PAGES SHOULD NOT BE ACCESSIBLE IF THE USER IS LOGGED IN -->

I read the file from the init() method.

public class RestrictPageFilter implements Filter {

    private FilterConfig fc;
    private InputStream in;

    public void init(FilterConfig filterConfig) throws ServletException {
        // The easiest way to initialize the filter
        fc = filterConfig;
        //Get the file that contains the allowed pages
        in = this.getClass().getResourceAsStream("/allowedpages.xml");
    }

    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);
        String pageRequested = req.getRequestURL().toString();

        //Get the value of the current logged user 
        Role currentUser = (Role) session.getAttribute("userRole");
        if (currentUser != null) {

        }
    }

    public void destroy() {
        // Not needed
    }
}

Recommended answer

If you need to allow the access, simply call

// it will process request normally, means it will leave the control from Filter
chain.doFilter(request, response);

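If you want to restrict the user, then call

//take some action
// sendRedirect() is declared on HttpServletResponse, so cast the ServletResponse first
((HttpServletResponse) response).sendRedirect("URL to some page");//it will simply make user redirected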

Some suggestions

  • Make it configurable using some sort of XML or properties file. Your code seems hard to me; tomorrow there might be another page added, so you would need to recompile your Filter.

If allowed, then simply use Spring Security; it has nice features. Also, you won't be reinventing the wheel.
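
The filter from the question, filled in with the allow/redirect calls from the answer. This is an added example, not code from the original post or its answer. It assumes the filter is mapped to /* in web.xml, the FacesServlet is mapped to *.xhtml, the pages sit at the context root, and the page-to-role table is held in code instead of being read from allowedpages.xml.

```java
package filters;
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import entities.Role; // the asker's class; getType() is assumed to return "BUYER", "SELLER" or "ADMINISTRATOR"

public class RestrictPageFilter implements Filter {
    // Pages anyone may open without logging in (list taken from the question's comments).
    private static final Set<String> PUBLIC = new HashSet<String>(Arrays.asList(
            "/faq.xhtml", "/index.jsp", "/login.xhtml", "/main.xhtml", "/registration.xhtml"));
    // Restricted page -> the only role type allowed to open it.
    private static final Map<String, String> REQUIRED_ROLE = new HashMap<String, String>();
    static {
        REQUIRED_ROLE.put("/buyoffer.xhtml", "BUYER");
        REQUIRED_ROLE.put("/sellerpanel.xhtml", "SELLER");
        REQUIRED_ROLE.put("/adminpanel.xhtml", "ADMINISTRATOR");
    }

    public void init(FilterConfig filterConfig) { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Path inside the application as the container mapped it: no scheme, host or
        // query string, unlike getRequestURL(), so exact matching is possible.
        String page = req.getServletPath();
        // JSF serves CSS/JS/images under /javax.faces.resource/; login.xhtml needs them too.
        if (PUBLIC.contains(page) || page.startsWith("/javax.faces.resource/")) {
            chain.doFilter(request, response);
            return;
        }
        // getSession(false): do not create a session for every anonymous request.
        HttpSession session = req.getSession(false);
        Role role = (session == null) ? null : (Role) session.getAttribute("userRole");
        if (role == null) { // not logged in: send to the login page
            resp.sendRedirect(req.getContextPath() + "/login.xhtml");
            return;
        }
        String required = REQUIRED_ROLE.get(page);
        if (required != null && required.equals(role.getType())) {
            chain.doFilter(request, response);
        } else {
            // Wrong role, or a page that appears in neither table: deny by default.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
    public void destroy() { }
}
```

Because unknown paths fall through to the 403 branch, a page added later stays closed until someone lists it, which is the safer failure mode for a hand-written filter.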
