本文只是描述了一个比较简单的入门级的权限过滤器
实际上更好的参考实现有两款产品:Apache的Shiro(其前身是JSecurity)和Spring Security
下面是Web工程中的web.xml
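<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <!-- Authentication filter: requests without an admin session are redirected to the
         login page given by the "url" init-param (read in AuthenticationFilter.init). -->
    <filter>
        <filter-name>AuthenticationFilter</filter-name>
        <filter-class>com.jadyer.Filter.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>url</param-name>
            <param-value>/admin/login.jsp</param-value>
        </init-param>
    </filter>
    <!-- Only /admin/secure/* is protected. Admin resources outside that pattern are not
         checked by this filter, so every page that requires login must live under it. -->
    <filter-mapping>
        <filter-name>AuthenticationFilter</filter-name>
        <url-pattern>/admin/secure/*</url-pattern>
    </filter-mapping>

    <!-- Error pages are kept under /WEB-INF, which the container never serves directly;
         they are reached only through the container's error dispatch. -->
    <error-page>
        <error-code>404</error-code>
        <location>/WEB-INF/404.html</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/WEB-INF/500.html</location>
    </error-page>
    <!-- Fixed: the exception-type was misspelled "javax.servle.ServletException", which names
         no class, so this mapping could never match a thrown ServletException. -->
    <error-page>
        <exception-type>javax.servlet.ServletException</exception-type>
        <location>/WEB-INF/error.html</location>
    </error-page>
    <error-page>
        <exception-type>java.lang.NullPointerException</exception-type>
        <location>/WEB-INF/error.html</location>
    </error-page>
</web-app>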
下面是用于权限验证的过滤器AuthenticationFilter.java
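package com.jadyer.Filter;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Authentication filter.
 *
 * <p>A request is passed down the chain only when its existing session carries the
 * {@value #ADMIN_USERNAME_ATTRIBUTE} attribute. Otherwise the client is redirected to the
 * login page configured in web.xml and the rest of the chain is not executed.
 */
public class AuthenticationFilter implements Filter {

    /** Name of the web.xml init-param that holds the context-relative login page path. */
    private static final String URL_PARAM = "url";

    /**
     * Session attribute that marks a logged-in admin. The name must stay identical to the
     * one written by the login code; changing it here alone would lock every admin out.
     */
    private static final String ADMIN_USERNAME_ATTRIBUTE = "guesbook.admin.username";

    /** Context-relative path of the login page; "/" (the web root) until init() sets it. */
    private String url = "/";

    @Override
    public void destroy() {
        // Nothing to release: the filter holds no resources.
    }

    /**
     * Reads the {@code url} init-param from web.xml ({@code <param-name>url</param-name>}).
     *
     * <p>When the parameter is missing or blank the default "/" is kept. Assigning the raw
     * value would store {@code null} and later redirect to {@code contextPath + "null"}.
     *
     * @param config filter configuration supplied by the container
     * @throws ServletException declared by the Filter contract; not thrown here
     */
    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter(URL_PARAM);
        if (configured != null && !configured.trim().isEmpty()) {
            url = configured;
        }
    }

    /**
     * Continues the chain for an authenticated admin; otherwise redirects to the login page
     * and stops.
     *
     * @param request  the incoming request; must be an HttpServletRequest (the filter is
     *                 mapped only to HTTP URL patterns)
     * @param response the outgoing response; must be an HttpServletResponse
     * @param chain    the remaining filter chain
     * @throws IOException      if the redirect or a downstream component fails with I/O
     * @throws ServletException if a downstream filter or servlet fails
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // The casts are required: the Filter API is protocol-agnostic, and sessions and
        // redirects exist only on the HTTP-specific types.
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        if (isAuthenticated(req)) {
            chain.doFilter(request, response);
        } else {
            // Ordinary user, or an admin whose session has expired: send the client to the
            // login page and do not execute the next filter in the chain.
            res.sendRedirect(req.getContextPath() + url);
        }
    }

    /**
     * Returns whether the request's existing session carries the admin marker.
     *
     * <p>{@code getSession(false)} is used on purpose: an unauthenticated request must not
     * cause a new session to be created just to discover that it is not logged in.
     *
     * @param req the current HTTP request
     * @return true when a session exists and holds {@value #ADMIN_USERNAME_ATTRIBUTE}
     */
    private static boolean isAuthenticated(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        return session != null && session.getAttribute(ADMIN_USERNAME_ATTRIBUTE) != null;
    }
}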