JSP拒绝网址直接访问由用户未记录 [英] JSP deny direct access to URL by non-logged in user
问题描述
我有一个登录和登录后显示在用户信息页面。我怎样才能阻止用户直接访问用户信息页面?我如何能实现与会话?
I have a login and a user info page which is displayed after login. How can I block user info page from direct access by user? How can I implement that with session?
推荐答案
在登录时,将发现的用户
对象的会话。
At login time, put the found User
object in the session.
String username = request.getParameter("username");
String password = request.getParameter("password");
User user = userDAO.find(username, password);
if (user != null) {
request.getSession().setAttribute("user", user);
response.sendRedirect("secured/userpage");
} else {
request.setAttribute("error", "Unknown username/password combo, please try again");
request.getRequestDispatcher("/WEB-INF/login.jsp").forward(request, response);
}
然后实施过滤器
刚刚检查的presence登录的用户会话。</ P>
Then implement a Filter
which just checks the presence of the logged-in user in the session.
if (((HttpServletRequest) request).getSession().getAttribute("user") != null) {
chain.doFilter(request, response); // Logged in, so just continue.
} else {
response.sendRedirect("login"); // Not logged in, redirect to login page.
}
在的URL模式地图这个过滤器/安全/ *
(或任何其他任何你想要的),把喜欢的用户信息页面的安全网页在同一文件夹
Map this filter on an URL pattern of /secured/*
(or anything else whatever you want) and put the secured pages like the user info page in the same folder.
要注销用户,只是做 session.removeAttribute(用户)
,或者更彻底, session.invalidate()
。
To logout a user, just do session.removeAttribute("user")
or, more drastically, session.invalidate()
.
这篇关于JSP拒绝网址直接访问由用户未记录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!