Writing an authorization filter for my web application (JSF 2.0)
Following some advice, I decided to write my own authorization filter for my web application (I'm not using container-managed security, so I have to do it this way).
This is my first filter, so I'm a bit confused about how to implement it. This is what I have done so far:
```java
package filters;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import entities.Role;

public class RestrictPageFilter implements Filter {
    FilterConfig fc;

    public void init(FilterConfig filterConfig) throws ServletException {
        // The easiest way to initialize the filter
        fc = filterConfig;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);
        String pageRequested = req.getRequestURL().toString();
        Role currentUser = (Role) session.getAttribute("userRole");

        // Pages that are allowed with no need to login:
        // - faq.xhtml
        // - index.jsp
        // - login.xhtml
        // - main.xhtml
        // - registration.xhtml

        // NOW pages that are restricted depending on the type of user
        // buyoffer.xhtml   (Only BUYER)
        // sellerpanel.xhtml (Only SELLER)
        // adminpanel.xhtml  (Only ADMINISTRATOR)

        // HOW SHOULD I IMPLEMENT THAT??
        if (currentUser != null && currentUser.getType().equals("BUYER")) {
        }
        if (currentUser != null && currentUser.getType().equals("SELLER")) {
        }
        if (currentUser != null && currentUser.getType().equals("ADMINISTRATOR")) {
        }
    }

    public void destroy() {
        // Not needed
    }
}
```
As you can see, I left comments in there. Could someone give me a hand finishing this filter, or give me some pseudocode hints on how I should complete it?
I've seen some examples on the web, but none of them filter differently depending on the user type.
I'd appreciate your help :)
UPDATE
I created an XML file to help me with the filtering (it's located in WEB-INF/classes):
```text
buyoffer.xhtml faq.xhtml index.jsp login.xhtml main.xhtml registrationSucceded.xhtml sellerpanel.xhtml faq.xhtml index.jsp login.xhtml main.xhtml registrationSucceded.xhtml sellerpanel.xhtml faq.xhtml index.jsp login.xhtml main.xhtml registrationSucceded.xhtml
```
I read the file from the init() method:
```java
public class RestrictPageFilter implements Filter {
    private FilterConfig fc;
    private InputStream in;

    public void init(FilterConfig filterConfig) throws ServletException {
        // The easiest way to initialize the filter
        fc = filterConfig;
        // Get the file that contains the allowed pages
        in = this.getClass().getResourceAsStream("/allowedpages.xml");
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);
        String pageRequested = req.getRequestURL().toString();
        // Get the value of the current logged user
        Role currentUser = (Role) session.getAttribute("userRole");

        if (currentUser != null) {
        }
    }

    public void destroy() {
        // Not needed
    }
}
```
If you want to allow access, just call

```java
// it will process the request normally, i.e. it passes control on from the Filter
chain.doFilter(request, response);
```

If you want to restrict the user, then call

```java
// take some action
response.sendRedirect("URL to some page"); // it will simply redirect the user
```
Some suggestions
- Use some kind of properties/XML file for configuration; your code seems hard-coded to me. Tomorrow another page may be added, and then you would need to recompile the Filter.
- If it is allowed, simply use Spring Security; it has good functionality. You also won't be reinventing the wheel.
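Putting the two parts together (the update's XML-driven list of allowed pages, and the answer's two branches of `chain.doFilter` to allow versus `sendRedirect` to restrict), the following is a complete version of the filter written as an added example; it is not code from the question or the answer. It assumes a format for `allowedpages.xml` (the markup of the poster's file did not survive, so the `<pages>`/`<role type>`/`<page>` layout is this example's own), a pseudo-role `ANONYMOUS` for pages that need no login, `/login.xhtml` as the login page, and that the filter is mapped in `web.xml` to the page URLs (for example `*.xhtml` and `index.jsp`) rather than to `/*`, so JSF resource requests are not caught by its default deny.

```java
package filters;

import java.io.IOException;
import java.io.InputStream;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import entities.Role;

/*
 * Assumed format of /allowedpages.xml (this example's own convention, not the poster's file):
 * <pages>
 *   <role type="ANONYMOUS"><page>index.jsp</page><page>login.xhtml</page><page>faq.xhtml</page></role>
 *   <role type="BUYER"><page>buyoffer.xhtml</page></role>
 *   <role type="SELLER"><page>sellerpanel.xhtml</page></role>
 *   <role type="ADMINISTRATOR"><page>adminpanel.xhtml</page></role>
 * </pages>
 */
public class RestrictPageFilter implements Filter {
    private static final String ANONYMOUS = "ANONYMOUS";     // assumed pseudo-role for pages needing no login
    private static final String LOGIN_PAGE = "/login.xhtml"; // assumed login page, relative to the context path

    // role type -> page names that role may request; anything not listed is denied (default deny)
    private final Map<String, Set<String>> allowedPages = new HashMap<String, Set<String>>();

    public void init(FilterConfig filterConfig) throws ServletException {
        InputStream in = getClass().getResourceAsStream("/allowedpages.xml");
        if (in == null) {
            throw new ServletException("allowedpages.xml not found on the classpath");
        }
        try {
            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
            // The config needs no DTD or external entities; refusing them rules out XXE.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            factory.setExpandEntityReferences(false);
            Document doc = factory.newDocumentBuilder().parse(in);
            NodeList roles = doc.getElementsByTagName("role");
            for (int i = 0; i < roles.getLength(); i++) {
                Element role = (Element) roles.item(i);
                Set<String> pages = new HashSet<String>();
                NodeList pageNodes = role.getElementsByTagName("page");
                for (int j = 0; j < pageNodes.getLength(); j++) {
                    pages.add(pageNodes.item(j).getTextContent().trim());
                }
                allowedPages.put(role.getAttribute("type"), pages);
            }
        } catch (Exception e) {
            // Fail closed: a filter without rules must not deploy and silently let everything through.
            throw new ServletException("cannot read allowedpages.xml", e);
        } finally {
            try { in.close(); } catch (IOException ignored) { }
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Match the path inside the context, not the full URL: host and query string must not matter.
        String path = req.getRequestURI().substring(req.getContextPath().length());
        String page = path.startsWith("/") ? path.substring(1) : path;
        // getSession(false): an authorization check must not create sessions for anonymous requests.
        HttpSession session = req.getSession(false);
        Role currentUser = session == null ? null : (Role) session.getAttribute("userRole");
        String roleType = currentUser == null ? ANONYMOUS : currentUser.getType();

        if (isAllowed(roleType, page)) {
            chain.doFilter(request, response);                    // allowed: hand the request on
        } else if (currentUser == null) {
            resp.sendRedirect(req.getContextPath() + LOGIN_PAGE); // not logged in: go to login
        } else {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);     // wrong role: refuse, don't loop to login
        }
    }

    // A page is allowed if it is public or listed for the user's role.
    boolean isAllowed(String roleType, String page) {
        Set<String> publicPages = allowedPages.get(ANONYMOUS);
        Set<String> rolePages = allowedPages.get(roleType);
        return (publicPages != null && publicPages.contains(page))
            || (rolePages != null && rolePages.contains(page));
    }

    public void destroy() { allowedPages.clear(); }
}
```

Two design points matter more than the parsing. First, the decision is default deny with an exact string match: a request whose path is not literally one of the configured names (including any path with `..`, `;` or encoding tricks in it) simply falls through to the deny branch, so adding a page means editing the XML, not the filter. Second, the two failure cases are kept apart: an anonymous user is redirected to the login page, while a logged-in user with the wrong role gets a 403, which avoids the redirect loop you get when a logged-in user is bounced back to a login page they are already past.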