
Interceptor example: implementing permission control

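2013-07-03 10:17 555 views
Permission checking: when a visitor requests an operation, the application first needs to check whether the visitor is logged in and whether they have sufficient permission to perform that operation.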

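6.1 Implementing the interceptor

This sample application requires the user to be logged in, and only a designated user name may view a particular view resource in the system; otherwise, the system goes straight to the login page.

To meet this requirement, the permission check can be run before each Action executes its actual processing logic; to reuse that code, an interceptor can be used.

Personally, I think a filter is a better fit for checking the session, as follows: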

web.xml

XML code

<filter>
  <filter-name>SessionInvalidate</filter-name>
  <filter-class>com.sysoft.baselib.web.SessionCheckFilter</filter-class>
  <init-param>
    <param-name>checkSessionKey</param-name>
    <param-value>APP_SESSION_TOKEN</param-value>
  </init-param>
  <init-param>
    <param-name>redirectURL</param-name>
    <param-value>/sessionInvalidate.jsp</param-value>
  </init-param>
  <init-param>
    <param-name>notCheckURLList</param-name>
    <param-value>/login.jsp,/logon.do,/logout.jsp,/Index2/index.jsp,/sessionInvalidate.jsp,/Index2/maintop.jsp,/html.jsp</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SessionInvalidate</filter-name>
  <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>SessionInvalidate</filter-name>
  <url-pattern>*.jsp</url-pattern>
</filter-mapping>


SessionCheckFilter.java

Java code

package com.sysoft.baselib.web;

import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Filter that checks whether the user is logged in; if not, it redirects to the specified login page.
 * Configuration parameters:
 * checkSessionKey  the key stored in the Session that is checked
 * redirectURL      page to redirect to when the user is not logged in; the URL does not include the ContextPath
 * notCheckURLList  list of URLs that are not checked, separated by commas; the URLs do not include the ContextPath
 */
public class SessionCheckFilter implements Filter {
    protected FilterConfig filterConfig = null;
    private String redirectURL = null;
    private Set<String> notCheckURLList = new HashSet<String>();
    private String sessionKey = null;

    public void doFilter(ServletRequest servletRequest,
            ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        // Note: when checkSessionKey is not configured, every request passes through unchecked.
        if (sessionKey == null) {
            filterChain.doFilter(request, response);
            return;
        }
        // getSession(false) does not create a new session for a request that has none.
        HttpSession session = request.getSession(false);
        if ((!checkRequestURIIntNotFilterList(request))
                && (session == null || session.getAttribute(sessionKey) == null)) {
            response.sendRedirect(request.getContextPath() + redirectURL);
            return;
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }

    public void destroy() {
        notCheckURLList.clear();
    }

    // Returns true when the request path (without the ContextPath) is in the not-checked list.
    private boolean checkRequestURIIntNotFilterList(HttpServletRequest request) {
        String uri = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        //System.out.println("contained: "+uri+";"+notCheckURLList+"=="+notCheckURLList.contains(uri));
        return notCheckURLList.contains(uri);
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
        redirectURL = filterConfig.getInitParameter("redirectURL");
        sessionKey = filterConfig.getInitParameter("checkSessionKey");

        String notCheckURLListStr = filterConfig
                .getInitParameter("notCheckURLList");
        if (notCheckURLListStr != null) {
            System.out.println(notCheckURLListStr);
            // Entries are comma-separated; surrounding whitespace is trimmed.
            String[] params = notCheckURLListStr.split(",");
            for (int i = 0; i < params.length; i++) {
                notCheckURLList.add(params[i].trim());
            }
        }
    }
}


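Checking whether a user is logged in is usually done by tracking the user's HttpSession. The attributes in the Session can be accessed through ActionContext, and the invocation parameter of the interceptor's intercept(ActionInvocation invocation) method gives access to the ActionContext instance associated with the request.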
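A minimal interceptor for the check described above, as an added example that is not code from the original page. It assumes the Struts 2.x package names; the package, the class name, the `user` session key and the `allowedUser` parameter are hypothetical.

```java
package example.security; // hypothetical package, not from the original page

import java.util.Map;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

/**
 * Lets the Action run only when the session holds the expected user name;
 * every other request receives the "login" result.
 */
public class AuthorityInterceptor extends AbstractInterceptor {
    // Assumed session attribute, written by the login Action after authentication.
    private String sessionKey = "user";
    // Assumed parameter, set with <param name="allowedUser"> on the interceptor in struts.xml.
    private String allowedUser;

    public void setSessionKey(String sessionKey) { this.sessionKey = sessionKey; }
    public void setAllowedUser(String allowedUser) { this.allowedUser = allowedUser; }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        // The ActionContext of the current request exposes the session as a Map.
        ActionContext ctx = invocation.getInvocationContext();
        Map<String, Object> session = ctx.getSession();
        Object user = (session == null) ? null : session.get(sessionKey);

        // Fail closed: a missing allowedUser setting, a missing session or a
        // different user all end at the login result, never at the Action.
        if (allowedUser != null && allowedUser.equals(user)) {
            return invocation.invoke(); // continue with the next interceptor or the Action
        }
        return Action.LOGIN;
    }
}
```

Each Action that uses this interceptor needs a result named login (or a global result with that name) pointing at the login page.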