java中使用Filter控制用户登录权限具体实例

学jsp这么长时间，做的项目也有七八个了，可所有的项目都是用户登录就直接跳转到其拥有权限的页面，或者显示可访问页面的链接。使用这种方式来幼稚地控制访问权限。从来没有想过如果我没有登录，直接输入地址也可以直接访问用户的页面的。

在jsp中权限的控制是通过Filter过滤器来实现的，所有的开发框架中都集成有Filter，如果不适用开发框架则有如下实现方法：

LoginFilter.java

复制代码 代码如下:
public class LoginFilter implements Filter { 

    private String permitUrls[] = null; 

    private String gotoUrl = null; 

    public void destroy() { 

        // TODO Auto-generated method stub 

        permitUrls = null; 

        gotoUrl = null; 

    } 

    public void doFilter(ServletRequest request, ServletResponse response, 

            FilterChain chain) throws IOException, ServletException { 

        // TODO Auto-generated method stub 

        HttpServletRequest res=(HttpServletRequest) request; 

        HttpServletResponse resp=(HttpServletResponse)response; 

        if(!isPermitUrl(request)){ 

            if(filterCurrUrl(request)){ 

                System.out.println("--->请登录"); 

                resp.sendRedirect(res.getContextPath()+gotoUrl); 

                return; 

            } 

        } 

        System.out.println("--->允许访问"); 

        chain.doFilter(request, response); 

    } 

    public boolean filterCurrUrl(ServletRequest request){ 

        boolean filter=false; 

        HttpServletRequest res=(HttpServletRequest) request; 

        User user =(User) res.getSession().getAttribute("user"); 

        if(null==user) 

            filter=true; 

        return filter; 

    }       

    public boolean isPermitUrl(ServletRequest request) { 

        boolean isPermit = false; 

        String currentUrl = currentUrl(request); 

        if (permitUrls != null && permitUrls.length > 0) { 

            for (int i = 0; i < permitUrls.length; i++) { 

                if (permitUrls[i].equals(currentUrl)) { 

                    isPermit = true; 

                    break; 

                } 

            } 

        } 

        return isPermit; 

    }        

    //请求地址 

    public String currentUrl(ServletRequest request) {   

        HttpServletRequest res = (HttpServletRequest) request; 

        String task = request.getParameter("task"); 

        String path = res.getContextPath(); 

        String uri = res.getRequestURI(); 

        if (task != null) {// uri格式 xx/ser 

            uri = uri.substring(path.length(), uri.length()) + "?" + "task="

                    + task; 

        } else { 

            uri = uri.substring(path.length(), uri.length()); 

        } 

        System.out.println("当前请求地址:" + uri); 

        return uri; 

    } 

    public void init(FilterConfig filterConfig) throws ServletException { 

        // TODO Auto-generated method stub 

        String permitUrls = filterConfig.getInitParameter("permitUrls"); 

        String gotoUrl = filterConfig.getInitParameter("gotoUrl"); 

        this.gotoUrl = gotoUrl; 

        if (permitUrls != null && permitUrls.length() > 0) { 

            this.permitUrls = permitUrls.split(","); 

        } 

    } 

}

Web.xml

复制代码 代码如下:
 

    loginFilter 

    filter.LoginFilter 

        ignore 

        false 

        permitUrls 

        /,/servlet/Loginservlet?task=login,/public.jsp,/login.jsp 

        gotoUrl 

        /login.jsp 

    loginFilter 

    /* 

这短代码主要实现了用户登录的过滤，权限过滤原理相同。只需要把判断用户是否登录换成是否有权限就可以了！