如何在不使用Java身份验证的情况下停止直接访问网页(自定义标签)
[英]how can i stop direct access to web pages without authentication in java (Custom Tag)
问题描述
I am using MVC (custom tag) and i want to know how to restrict direct access to the application pages unless authenticated, I tried using a filter but am running into a problem that it blocks the access to the login page itself, i want every user to access login page and only after authentication he gets access to other pages. 
我正在使用MVC(自定义标签),并且我想知道如何限制对应用程序页面的直接访问,除非经过身份验证,我尝试使用过滤器,但是遇到了一个问题,即它阻止了对登录页面本身的访问,我希望每一个用户访问登录页面,只有经过身份验证后,他才能访问其他页面。 please tell me wat changes i need to make in my code ? 请告诉我我需要在代码中进行的wat更改?
inside Myjsp folder i have all the .jsp pages (\\Tomcat 6.0\\webapps\\Myjsp) and class files are inside classes/pack/java 在Myjsp文件夹中,我具有所有.jsp页(\\ Tomcat 6.0 \\ webapps \\ Myjsp),并且类文件位于classes / pack / java中
Below is the filter: 以下是过滤器:
package pack.java;
import java.io.*;
import javax.servlet.*;
public class loginfilter implements Filter {
String aa;
public void destroy() {
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
aa = request.getRequestURI();
chain.doFilter(request, response);
}
public void init(FilterConfig fconfig) throws ServletException {
}
}
Web.xml entry: Web.xml条目:
<filter>
<filter-name>loginfilter</filter-name>
<filter-class>pack.java</filter-class>
</filter>
<filter-mapping>
<filter-name>loginfilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
1 个解决方案
解决方案1
1 2014-03-27 20:08:39
I've been with the same problem recently. 我最近也遇到过同样的问题。 So, I found out that there are two ways you can do this. 因此,我发现有两种方法可以执行此操作。 The first one is to use tools provided by the application server that allow you to authenticate all the users that want to access those pages. 第一个是使用应用程序服务器提供的工具,这些工具使您可以对要访问这些页面的所有用户进行身份验证。 I only tried this solution with JBOSS AS7 and it works fine, but I think the others also allow you to do this, here's a link that explains you how to do this in general, then you just need to adapt it to your application server http://docs.oracle.com/javaee/6/tutorial/doc/gijrp.html . 我只在JBOSS AS7上尝试过该解决方案,并且效果很好,但我认为其他方法也可以使您执行此操作,以下链接通常向您说明如何执行此操作,然后只需将其调整为适合您的应用程序服务器http ://docs.oracle.com/javaee/6/tutorial/doc/gijrp.html 。
But, sometimes you need to have more control about the authentication and not be dependent on this type of authentication (in my case I also allowed the clients to be authenticated via facebook or gmail accounts), so the solution is to use a filter that only filters the calls to a private page (that requires authentication). 但是,有时您需要对身份验证进行更多控制,而不要依赖于这种身份验证类型(在我的情况下,我还允许通过Facebook或gmail帐户对客户端进行身份验证),因此解决方案是使用仅将呼叫过滤到私有页面(需要身份验证)。 From what I see your loggin filter is currently filtering all your pages (including the login page) since you have this: 从我看到的结果来看,您的loggin过滤器当前正在过滤所有页面(包括登录页面),因为您具有以下功能:
<url-pattern>/*</url-pattern>
To solve this problem I suggest you to organize your pages into two folders, one contains the public files and the other the private ones, then you can just put this: 为了解决此问题,我建议您将页面组织到两个文件夹中,一个包含公共文件,另一个包含私有文件,然后可以将其放置:
<url-pattern>/private_pages/*</url-pattern>
The login page and all the others will be in the public_pages folder. 登录页面和其他所有页面都将位于public_pages文件夹中。 Also the filter is doing nothing yet, so you will need to get the http session attributes and find whether the user is authenticated or not (and then allow him to see the page or redirect him to the login page). 此外,过滤器还没有执行任何操作,因此您将需要获取http会话属性,并确定用户是否已通过身份验证(然后允许他查看该页面或将其重定向到登录页面)。 Here are the links for some of my posts while I was investigating the same as you: - User authentication with J2EE - Authentication with Java EE - Session Tracking using J2EE 以下是我和您进行调查时一些帖子的链接:- 使用J2EE进行用户身份验证 - 使用Java EE进行身份验证 - 使用J2EE进行会话跟踪
Hope to be useful. 希望有用。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.