Struts2使用过滤器和拦截器进行简单权限校验

在一些用到用户登录的目录应该进行权限判断，以防非法登录，我在这里进行一个简单的权限校验。

1.使用过滤器进行/admin 目录下jsp页面的过滤，首先在web.xml进行过滤器配置:

<filter>
<filter-name>access filter</filter-name>
<filter-class>
com.test.news.util.AccessFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>access filter</filter-name>
<url-pattern>/admin/*</url-pattern>
</filter-mapping>
下面是过滤的实现类:

package com.test.news.util;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AccessFilter implements Filter {

/**
* @author chaoyin
*/

public void destroy() {

}

public void doFilter(ServletRequest arg0, ServletResponse arg1,
FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest)arg0;
HttpServletResponse response = (HttpServletResponse)arg1;
HttpSession session = request.getSession();
if(session.getAttribute("user")== null && request.getRequestURI().indexOf("login.jsp")==-1 ){
response.sendRedirect("login.jsp");
return ;
}
filterChain.doFilter(arg0, arg1);

}

public void init(FilterConfig arg0) throws ServletException {

}

}

这样/admin 目录下需经过login.jsp这个页面才能正常访问。

2.使用Struts2的拦截器功能进行.action的过滤，主要是校验那些与后台管理相关的action,首先在struts.xml中进行拦截器的配置:

<package name="newsDemo" extends="struts-default"
namespace="/admin">
<interceptors>
<interceptor name="auth" class="com.test.news.util.AccessInterceptor" />
<interceptor-stack name="authStack">
<interceptor-ref name="auth" />
</interceptor-stack>
</interceptors>
<!-- action -->
<action name="newsAdminView!*" class="newsAction"
method="{1}">
<interceptor-ref name="defaultStack"/>
<interceptor-ref name="authStack">
</interceptor-ref>
下面是我实现的Interceptor class:

package com.test.news.util;

import java.util.Map;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import com.test.news.action.AdminLoginAction;

/**
* @author chaoyin
*/

public class AccessInterceptor extends AbstractInterceptor {

private static final long serialVersionUID = -4291195782860785705L;

@Override
public String intercept(ActionInvocation actionInvocation) throws Exception {
ActionContext actionContext = actionInvocation.getInvocationContext();
Map session = actionContext.getSession();

//except login action
Object action = actionInvocation.getAction();
if (action instanceof AdminLoginAction) {
return actionInvocation.invoke();
}
//check session
if(session.get("user")==null ){
return "logout";
}
return actionInvocation.invoke();//go on
}

}

这样只保留了login action其它的与管理相关的acton都会被拦截.

最后，输入一些与/admin 下login以外的jsp或是action都将被转到login.jsp页面。