Copyright notice: this is the blogger's original article, licensed under CC 4.0 BY-SA. When reposting, please include a link to the original source and this notice.
We run the report service as a standalone application that other applications call.
The main problem it solves is that reports could be opened in a browser without logging in; the goal is to make the reports more secure.
Principle:
The web application provides token validation. When a caller invokes the report service it passes the token value, and every time a BIRT report is opened a filter checks whether that token is valid.
Solution:
All report rendering goes through frameset, the servlet that ships with BIRT, so it is enough to filter frameset.
Note 1: The first idea was to filter the entry page report_test.jsp, but then a user could still obtain the report data by copying the URL of the next-level iframe (which contains frameset?...).
Note 2: For drill-through reports, the BIRT design file needs an additional token parameter, and the token must also be passed when drilling through; otherwise the drilled report will also report insufficient permission.
(Report token parameter settings)
(Drill-through report: token parameter settings page)
Code description:
TokenFilter:
package com.tbyf.system;

import java.io.IOException;
import java.net.URLEncoder;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import com.alibaba.fastjson.JSONObject;
import com.tbyf.tools.HttpClientUtils;

/**
 * Validates the token carried on every request to the BIRT frameset servlet.
 */
public class TokenFilter implements Filter {
    protected FilterConfig filterConfig;
    protected String checkToken = "0";                // default: do not check
    protected String checkTokenUrl = "";
    private static final String S_CHECK_TOKEN = "1";  // check the token
    private static final String S_OVER_TOKEN = "0";   // skip the check
    private static final String LEGAL_TOKEN = "200";  // "code" value the validation service returns for a valid token

    /**
     * Default constructor.
     */
    public TokenFilter() {
    }

    /**
     * @see Filter#destroy()
     */
    public void destroy() {
    }

    /**
     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!S_CHECK_TOKEN.equals(checkToken)) {   // checking disabled: pass the request through
            chain.doFilter(request, response);
            return;
        }
        // read the token from the request
        String token = request.getParameter("token");
        if (token == null || token.isEmpty()) {
            refuse(request, response);
            return;
        }
        boolean legal = false;
        try {
            // build the validation URL; encode the token so it cannot add extra query parameters
            String url = checkTokenUrl + "?token=" + URLEncoder.encode(token, "UTF-8");
            // validate the token against the web application via HttpClient
            String jsonStr = HttpClientUtils.getInstance().httpGet(url);
            // parse the JSON answer
            JSONObject o = JSONObject.parseObject(jsonStr);
            String code = o.getString("code");
            legal = LEGAL_TOKEN.equals(code);
        } catch (Exception e) {
            // validation service unreachable or answer unparsable: treat the token as invalid
            e.printStackTrace();
        }
        if (legal) {
            // the chain runs outside the try block, so an exception further down
            // can no longer trigger a second forward on an already committed response
            chain.doFilter(request, response);
        } else {
            refuse(request, response);   // token validation failed
        }
    }

    /** Sends the caller to the "insufficient permission" page. */
    private void refuse(ServletRequest request, ServletResponse response)
            throws IOException, ServletException {
        response.setContentType("text/html; charset=utf-8");
        request.getRequestDispatcher("refuse.html").forward(request, response);
    }

    /**
     * @see Filter#init(FilterConfig)
     */
    public void init(FilterConfig fConfig) throws ServletException {
        this.filterConfig = fConfig;
        this.checkToken = filterConfig.getInitParameter("CheckToken");
        System.out.println("检查token启动, checkToken:" + checkToken);
        this.checkTokenUrl = filterConfig.getInitParameter("checkTokenUrl");
        System.out.println("检查token启动, checkTokenUrl:" + checkTokenUrl);
    }
}
The corresponding web.xml entries:
<filter>
    <description>
    </description>
    <display-name>TokenFilter</display-name>
    <filter-name>TokenFilter</filter-name>
    <filter-class>com.tbyf.system.TokenFilter</filter-class>
    <init-param>
        <param-name>CheckToken</param-name>
        <!-- 1 = check the token, 0 = do not check -->
        <param-value>1</param-value>
    </init-param>
    <init-param>
        <param-name>checkTokenUrl</param-name>
        <!-- validation endpoint -->
        <param-value>http://10.16.53.40:88/nowDate</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>TokenFilter</filter-name>
    <!--<url-pattern>/report_test.jsp</url-pattern>-->
    <url-pattern>/frameset</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
(web.xml contents)
HttpClient utility class:
import java.io.IOException;
import java.util.Map;

import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

/** Issues a GET to the given URL and returns the response body, or null on any failure. */
public String httpGet(String url, Map<String, String> headMap) {
    String responseContent = null;
    CloseableHttpClient httpclient = HttpClients.createDefault();
    try {
        HttpGet httpGet = new HttpGet(url);
        // headers must be attached before the request is executed
        setGetHead(httpGet, headMap);
        CloseableHttpResponse response1 = httpclient.execute(httpGet);
        try {
            System.out.println(response1.getStatusLine());
            HttpEntity entity = response1.getEntity();
            responseContent = getRespString(entity);   // helper of the same utility class
            System.out.println("debug:" + responseContent);
            EntityUtils.consume(entity);
        } finally {
            response1.close();
        }
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        try {
            httpclient.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
    return responseContent;
}
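The filter and utility above work, but they concatenate the raw token into the check URL, use an HttpClient without timeouts, and decide the outcome inside a try block whose catch can forward again after the chain has already written to the response. The following fail-closed variant is an added example, not the project's own code; it keeps the page's contract (check service answers {"code":"200"} for a valid token, read from the checkTokenUrl init-param) and assumes a hypothetical token format of 32 to 128 URL-safe characters.

```java
import java.io.IOException;
import java.net.URI;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.*;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.impl.client.*;
import org.apache.http.util.EntityUtils;
import com.alibaba.fastjson.JSONObject;

/** Fail-closed variant of the page's TokenFilter (added example, not the original code). */
public class StrictTokenFilter implements Filter {
    // Assumed token format: 32 to 128 URL-safe characters; adjust to what the issuing application emits.
    private static final Pattern TOKEN_SHAPE = Pattern.compile("[A-Za-z0-9_-]{32,128}");
    private String checkTokenUrl;
    private CloseableHttpClient client;

    public void init(FilterConfig cfg) throws ServletException {
        checkTokenUrl = cfg.getInitParameter("checkTokenUrl");
        if (checkTokenUrl == null) throw new ServletException("checkTokenUrl is required"); // never start unchecked
        RequestConfig rc = RequestConfig.custom().setConnectTimeout(2000).setSocketTimeout(3000).build();
        client = HttpClients.custom().setDefaultRequestConfig(rc).build(); // one pooled client, with timeouts
    }

    /** True only when the validation service answers {"code":"200"}; every error path returns false. */
    boolean isValid(String token) {
        if (token == null || !TOKEN_SHAPE.matcher(token).matches()) return false;
        try {
            URI uri = new URIBuilder(checkTokenUrl).addParameter("token", token).build(); // encoded, no concat
            try (CloseableHttpResponse resp = client.execute(new HttpGet(uri))) {
                if (resp.getStatusLine().getStatusCode() != 200) return false;
                JSONObject o = JSONObject.parseObject(EntityUtils.toString(resp.getEntity(), "UTF-8"));
                return o != null && "200".equals(o.getString("code"));
            }
        } catch (Exception e) {
            return false; // unreachable service, timeout or unparsable body: deny
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        if (!isValid(req.getParameter("token"))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // decided before the chain runs, so a downstream exception cannot cause a second forward
        }
        chain.doFilter(req, res);
    }

    public void destroy() { try { client.close(); } catch (IOException ignored) {} }
}
```

Map it in web.xml exactly like TokenFilter above; because the BIRT viewer also exposes its other servlet paths (such as /run and /preview) in the same web.xml, add a filter-mapping for each of those too, otherwise Note 1 applies again one level down.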
Update steps:
Add the filter to the report service so that it validates the token:
1. Add the jar files (under the jar folder) -- the httpclient-related jars
2. Add/update the filter class TokenFilter -- the filter class
3. Add the httpclient* files and the others under tools -- the HttpClient utility class
4. Add the page refuse.html -- the "insufficient permission" notice page
5. Modify web.xml (see the code above)