I created an application with GWT + RequestFactory (MVP) + GAE. Some services or methods are exposed to the GWT client, for example:

1. create
2. remove
3. query

I want to add authorization to "create" and "remove", but not to "query". I did it with a servlet filter:

public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
    FilterChain filterChain) throws IOException, ServletException {
  UserService userService = UserServiceFactory.getUserService();
  HttpServletRequest request = (HttpServletRequest) servletRequest;
  HttpServletResponse response = (HttpServletResponse) servletResponse;

  // Reject every request from a user who is not logged in.
  if (!userService.isUserLoggedIn()) {
    // Hand the login URL back to the client in a response header.
    response.setHeader("login", userService.createLoginURL(request.getHeader("pageurl")));
    // response.setHeader("login", userService.createLoginURL(request.getRequestURI()));
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    return;
  }

  filterChain.doFilter(request, response);
}

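My question is how to identify the incoming request (I mean, which class and service the request will be routed to)? There are some header fields that contain the module name, but I don't think that is a secure approach. Is it possible to get the RequestFactory-related class from the HTTP request?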

Thanks

1 Answer

This is hard to do in a servlet filter. Instead, you can provide a custom decorator in the RF ServiceLayerDecorator chain. The implementation could look like this:

import com.google.web.bindery.requestfactory.server.ServiceLayerDecorator;

import java.lang.reflect.Method;

public class SecurityDecorator extends ServiceLayerDecorator {

  // isAllowed() and handleSecurityViolation() are application-specific and not shown here.
  @Override
  public Object invoke( Method domainMethod, Object... args ) {
    if ( !isAllowed( domainMethod ) ) {
      handleSecurityViolation();
    }
    return super.invoke( domainMethod, args );
  }
}

To register the additional decorator, provide a custom RF servlet:

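import com.google.web.bindery.requestfactory.server.DefaultExceptionHandler;
import com.google.web.bindery.requestfactory.server.RequestFactoryServlet;

public class SecurityAwareRequestFactoryServlet extends RequestFactoryServlet {

  public SecurityAwareRequestFactoryServlet() {
    // Decorators passed here are added to the service layer chain.
    super( new DefaultExceptionHandler(), new SecurityDecorator() );
  }
}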

And register it in your web.xml:

<servlet>
    <servlet-name>gwtRequest</servlet-name>
    <servlet-class>com.company.SecurityAwareRequestFactoryServlet</servlet-class>
</servlet>
answered 2012-07-18T08:53:20.913
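
One way to fill in the isAllowed and handleSecurityViolation placeholders from the answer above, as an added example that is not part of the original question or answer. It assumes a hypothetical @AllowAnonymous marker annotation placed on the server-side "query" service method, reuses the login check from the question's filter, and denies every unmarked method by default so that the decision rests on the resolved domain method rather than on client-supplied headers.

```java
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;
import com.google.web.bindery.requestfactory.server.ServiceLayerDecorator;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

public class SecurityDecorator extends ServiceLayerDecorator {

  /**
   * Hypothetical marker (not part of GWT or GAE) for server-side service
   * methods that anonymous users may call, e.g. "query".
   */
  @Retention(RetentionPolicy.RUNTIME)
  @Target(ElementType.METHOD)
  public @interface AllowAnonymous {}

  @Override
  public Object invoke(Method domainMethod, Object... args) {
    if (!isAllowed(domainMethod)) {
      handleSecurityViolation(domainMethod);
    }
    return super.invoke(domainMethod, args);
  }

  // Default deny: a method is callable anonymously only if it is explicitly
  // marked. "create", "remove" and any service method added later without
  // the marker require a logged-in user.
  private boolean isAllowed(Method domainMethod) {
    if (domainMethod.isAnnotationPresent(AllowAnonymous.class)) {
      return true;
    }
    // Same check the question's servlet filter performs.
    UserService userService = UserServiceFactory.getUserService();
    return userService.isUserLoggedIn();
  }

  // Abort before super.invoke() so the domain method never runs.
  private void handleSecurityViolation(Method domainMethod) {
    throw new SecurityException("Login required for "
        + domainMethod.getDeclaringClass().getSimpleName()
        + "." + domainMethod.getName());
  }
}
```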