0

所以我正在编写一个拦截器,所以当用户尝试访问一个没有被登录的页面时,他会被发送回登录。事情是我的过滤器是检查用户是否登录的条件总是正确的,最糟糕的是;它还拦截资源(css、图像、js)那么我应该如何更改我的过滤器才能正常工作?这是我的代码:

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) 
        throws IOException, ServletException {
     try {
        // check whether session variable is set
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        boolean estaLoggeado = false;
        if (req.getSession().getAttribute("estaLoggeado") != null) {
            estaLoggeado = new Boolean("" + req.getSession().getAttribute("estaLoggeado"));
        }
        //  allow user to proccede if url is login.xhtml or user logged in or user is accessing any page in //public folder
        String reqURI = req.getRequestURI();
        System.out.println(reqURI);
        System.out.println("index: " + reqURI.indexOf("/index.xhtml"));
        System.out.println("pages: " + reqURI.indexOf("/pages/"));
        System.out.println("resources: " + reqURI.contains("javax.faces.resource"));
        System.out.println("log: " + estaLoggeado);
        if ((reqURI.indexOf("/index.xhtml") >= 0 || reqURI.indexOf("/pages/") >= 0 || reqURI.contains("javax.faces.resource"))) {
            System.out.println("Si");
            chain.doFilter(request, response);
        } else {   // user didn't log in but asking for a page that is not allowed so take user to login page
            System.out.println("No");
            res.sendRedirect(req.getContextPath() + "/pages/index.xhtml");  // Anonymous user. Redirect to login page
        }
     } catch(Throwable t) {
        System.out.println(t.getMessage());
    }
} //doFilter

提前致谢!!

4

1 回答 1

1

你忘了签estaLoggeadoif()块。换句话说,您永远不会真正检查用户是否已登录。您只是打印到 stdout 用户是否已登录。

总而言之,这个过滤器的逻辑相当笨拙。对URIcontains()的检查非常差(注意indexOf(part) >= 0实际上与 完全相同contains(part))。如果该部分位于 URL 的开头、中间或结尾怎么办?您应该执行精确/开始/结束匹配。

这是一个重写:

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {    
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    HttpSession session = request.getSession(false);
    String loginURL = request.getContextPath() + "/pages/index.xhtml";

    boolean loggedIn = (session != null) && (session.getAttribute("estaLoggeado") != null);
    boolean loginRequest = request.getRequestURI().equals(loginURL);
    boolean resourceRequest = request.getRequestURI().startsWith(request.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER + "/");

    if (loggedIn || loginRequest || resourceRequest)) {
        chain.doFilter(request, response); // So, just continue request.
    }
    else {
        response.sendRedirect(loginURL); // So, redirect to login page.
    }
}

(作为旁注:我建议替换estaLoggeadouser(或者usuario如果您确实需要使非英语人无法阅读您的代码),以便它代表整个用户,而不仅仅是一个无用的“标志”)

请注意,这不包括 ajax 请求。当会话在提交 JSF ajax 表单期间过期时,重定向将失败且没有视觉反馈。对于更扩展的过滤器,请访问以下答案:会话到期时的授权重定向在提交 JSF 表单时不起作用,页面保持不变

于 2013-10-31T18:42:34.020 回答