Background:
The pages we build are embedded in a marketing system, so they have no login screen of their own. As a result, anyone who knows the address can open them directly via ip:port/path, which is a security risk.
Approach:
Add a filter so that pages are accessible only after the user has logged in successfully: on successful login the user information is stored in the session, and the filter lets a request through only if the session holds that user information.
Steps:
1. First add the filter configuration in web.xml
The url-pattern there defines the protected scope; set it according to your situation.
2. Store the user information in the session
Find the page that is only reached after the user has logged in, read the data from its session and pass it into this system's Tomcat session.
<form action="${pageContext.request.contextPath}/login/loginIn.do" method="post">
    <input type="hidden" name="loginNo" value="${param.loginNo}" />
    <input type="hidden" name="loginName" value="${param.loginName}" />
    <input type="hidden" name="regionCode" value="${param.regionCode}" />
    <input type="hidden" name="userId" value="${param.userId}" />
    <input type="hidden" name="staffId" value="${param.staffId}" />
    <input type="hidden" name="forwordUrl" value="${param.forwordUrl}" />
    <input type="hidden" name="param" value="${param.param}" />
</form>
@RequestMapping("/loginIn.do")
public String loginIn(HttpServletRequest request, HttpSession session) {
    String forwordUrl = request.getParameter("forwordUrl") != null
            ? request.getParameter("forwordUrl") : "ahTelecom/login/error";
    try {
        // Staff account information. A missing parameter falls back to a default identity
        // ("sys" / "0" / "9999"), which still satisfies the filter's non-empty check.
        session.setAttribute("loginNo", request.getParameter("loginNo") != null ? request.getParameter("loginNo") : "sys");
        session.setAttribute("loginName", request.getParameter("loginName") != null ? request.getParameter("loginName") : "sys");
        session.setAttribute("regionCode", request.getParameter("regionCode") != null ? request.getParameter("regionCode") : "0");
        session.setAttribute("userId", request.getParameter("userId") != null ? request.getParameter("userId") : "9999");
        session.setAttribute("staffId", request.getParameter("staffId") != null ? request.getParameter("staffId") : "9999");
        // Generate a token (a random UUID)
        String token = java.util.UUID.randomUUID().toString();
        // Put the token into the session
        session.setAttribute("token", token);
        return forwordUrl;
    } catch (Exception e) {
        return "ahTelecom/login/error";
    }
}
3. Implement the check in the filter
// doFilter of the class that implements javax.servlet.Filter and is registered in web.xml
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    // getSession(false) avoids creating an empty session for anonymous requests
    HttpSession session = request.getSession(false);
    String loginNo = session == null ? null : (String) session.getAttribute("loginNo");
    String requestURI = request.getRequestURI();
    System.out.println("requestURI=" + requestURI);
    System.out.println("loginNo=" + loginNo);
    if (loginNo != null && !"".equals(loginNo)) {
        chain.doFilter(request, response);
        return;
    }
    // Not logged in: reject explicitly instead of silently returning an empty response
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
That completes the login restriction.
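Building on step 3, here is a complete filter class, added as an example (not the project's own code), that allow-lists the paths needing no session and rejects everything else explicitly. It assumes a web.xml mapping to /* with two assumed init-params: excludePaths, comma-separated context-relative paths such as /login/loginIn.do (the login entry point must be excluded, or no request could ever create the session), and an optional denyRedirect target.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not the original project's code. Assumed init-params (web.xml):
// "excludePaths": comma-separated context-relative paths that need no session;
// "denyRedirect": optional context-relative URL for unauthenticated users (else 401).
public class LoginFilter implements Filter {
    private final Set<String> excludePaths = new HashSet<>();
    private String denyRedirect;

    @Override
    public void init(FilterConfig cfg) {
        String raw = cfg.getInitParameter("excludePaths");
        if (raw != null) {
            for (String p : raw.split(",")) excludePaths.add(p.trim());
        }
        denyRedirect = cfg.getInitParameter("denyRedirect");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Compare the path below the context root, so the allow-list does not depend on the deployment name
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (excludePaths.contains(path)) {
            chain.doFilter(request, response);
            return;
        }
        // getSession(false): do not create a session merely to learn that nobody is logged in
        HttpSession session = request.getSession(false);
        Object loginNo = session == null ? null : session.getAttribute("loginNo");
        if (loginNo instanceof String && !((String) loginNo).isEmpty()) {
            chain.doFilter(request, response);
            return;
        }
        // Deny explicitly: with nothing written the client would otherwise receive an empty 200
        if (denyRedirect != null) {
            response.sendRedirect(request.getContextPath() + denyRedirect);
        } else {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
    @Override public void destroy() { }
}
```

The filter trusts whatever loginIn.do stored, so it is only as strong as that handler: with the defaults in step 2, a request that reaches loginIn.do without a loginNo still receives a session whose loginNo is "sys".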