Java过滤器用于重定向未登录到登录页面的用户

Question

I was trying to make a filter to stop users who are not logged in from accessing certain pages.For this i made a filter class with the following doFilter method

HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
String url = request.getRequestURI();
boolean allowedRequest = false;

System.out.println(url);

if(urlList.contains(url)) {
    allowedRequest = true;
    System.out.println("in list");
}

if (!allowedRequest) {
    Object o = request.getSession().getAttribute("UserInfo");
    if (null == o) {
        System.out.println("Hey i am in");
        response.sendRedirect("/login.jsp");
    }
}

chain.doFilter(req, res);

} // end of doFilter

To allow the pages which doesnot need the user to be logged in i created an arraylist url-list in init()

Now a very strange stupid thing is happening. suppose i have two pages home.jsp and dcr.jsp. When i try to access home.jsp without logging in the i am successfully redirected to login.jsp but when i am trying to access dcr.jsp it is not redirected although it enters the loop if(null == o) which i can understand because i am getting that line printed in console.THis is the output that i get in the server This is the output that i get in the server

/dcrmaintenance.jsp

Hey i am in

Which tells me that the null == o was true.

The page dcr.jsp accesses a session object and since the user is not logged in it is getting java.lang.NullPointerException as expected but i cannot understand why is the redirection not taking place even after entering the loop.If someone can pt out where i am making a mistake it would be appreciated.

Answer 1

After response.sendRedirect("/login.jsp"); do return; .

Answer 2

I believe that you should either invoke sendRedirect OR doFilter. Eg

if (requiresLogin)
  response.sendRedirect("/login.jsp");
else
  chain.doFilter(req,resp);

Answer 3

chain.doFilter(req, res);

What other filters are running in your Application? You send the redirect, but continue with the filter chain. I guess another filter is modifying the response again. If you stay with your filter, just return after the redirect.

Instead of the filter, in an Java WebApp you can define your Security Constraints in the web.xml. Have a look on Security Constraints .

Short example:

<security-constraint>
  <web-resource-collection>
     <web-resource-name>Restricted Area</web-resource-name>
     <url-pattern>*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
     <role-name>Authorized</role-name>
  </auth-constraint>
</security-constraint>

Answer 4

I think you have to change your web.xml... You have to put your restricted resources to appropriate folder. In this way Filter Servlet will restrict files which allocates in "restricted" folder.( http://www.developer.com/security/article.php/3467801/Securing-J2EE-Applications-with-a-Servlet-Filter.htm ) (And I think the reason of using Filter Servlet is writing own Authorization system. - in this way you have not to define your Security Constraints in the web.xml, you have to define it in Data Base ;))) )

<!--Servlet Filter that handles site authorization.-->
<filter>
     <filter-name>AuthorizationFilter</filter-name>
     <filter-class>examples.AuthorizationFilter</filter-class>
     <description>This Filter authorizes user access to application
                  components based upon request URI.</description>
     <init-param>
        <param-name>error_page</param-name>
        <param-value>../../login.html</param-value>
     </init-param>
</filter>

<filter-mapping>
     <filter-name>AuthorizationFilter</filter-name>
     <url-pattern>/restricted/*</url-pattern>
</filter-mapping>