Today I wrote a simple system using ssh2 and found a problem. Users are supposed to log in successfully before they can enter the home page. However, when I typed the home page address directly into the browser, I found that I could get in as well. This is definitely not good: there is no security at all. After looking into it, I found that I needed a login filter. I tried it and found that it does prevent the home page from being opened without logging in. Below are the detailed steps I have compiled:
1. First, write a permission filter class that implements the Filter interface:
    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    public class LoginFilter implements Filter {

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
            // No initialization needed
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            // Get the request, response and session objects used in the code below
            HttpServletRequest servletRequest = (HttpServletRequest) request;
            HttpServletResponse servletResponse = (HttpServletResponse) response;
            // getSession(false): do not create a session for a visitor who has not logged in
            HttpSession session = servletRequest.getSession(false);

            // Get the path requested by the user, relative to the application
            // (getServletPath() leaves out the context path, query string and ";..." parameters)
            String path = servletRequest.getServletPath();
            // System.out.println(path);

            // Get the employee work number from the session
            String empId = (session == null) ? null : (String) session.getAttribute("empId");

            /* Create the class Constants.java, which lists the pages that need no filtering
            for (int i = 0; i < Constants.NoFilter_Pages.length; i++) {
                if (Constants.NoFilter_Pages[i].equals(path)) {
                    chain.doFilter(servletRequest, servletResponse);
                    return;
                }
            }*/

            // No filtering required for the login page. Compare the whole path:
            // an indexOf test would also pass any URL that merely contains "/login.jsp"
            if ("/login.jsp".equals(path)) {
                chain.doFilter(servletRequest, servletResponse);
                return;
            }

            // If no employee information is found, jump to the login page
            if (empId == null || "".equals(empId)) {
                // getContextPath() is /JingXing_OA in this project
                servletResponse.sendRedirect(servletRequest.getContextPath() + "/login.jsp");
            } else {
                // Logged in, continue this request
                chain.doFilter(request, response);
            }
        }

        @Override
        public void destroy() {
            // Nothing to release
        }
    }

2. Then configure the JSP files that require login verification in web.xml:
a. If a specific JSP file (such as a.jsp) requires login verification:

    <!-- Configure the login filter -->
    <filter>
        <filter-name>login</filter-name>
        <filter-class>com.jingxing.oa.filter.LoginFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>login</filter-name>
        <!-- Only this page; a pattern of /* would run the filter on every request -->
        <url-pattern>/a.jsp</url-pattern>
    </filter-mapping>

b. If every file in a directory (such as the a/ directory) requires login verification:

    <!-- Configure the login filter -->
    <filter>
        <filter-name>login</filter-name>
        <filter-class>com.jingxing.oa.filter.LoginFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>login</filter-name>
        <url-pattern>/a/*</url-pattern>
    </filter-mapping>

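The commented-out loop in the filter refers to a Constants.NoFilter_Pages list of pages that skip the login check. One way to write such a list, as an added example that is not the original author's code (the class name NoFilterPages, both method names and the /error.jsp entry are assumptions): it accepts a page only when the whole path matches, and prints the result beside a substring test so the difference is visible.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example: stands in for the Constants.NoFilter_Pages idea in the filter.
public class NoFilterPages {

    // Assumed page names; only /login.jsp appears in the original filter.
    private static final Set<String> NO_FILTER_PAGES =
            new HashSet<>(Arrays.asList("/login.jsp", "/error.jsp"));

    // Strict check: the path must be exactly one of the listed pages.
    // In the filter, pass request.getServletPath(), which the container has
    // already stripped of the context path, query string and ";..." parameters.
    static boolean isPublic(String servletPath) {
        return servletPath != null && NO_FILTER_PAGES.contains(servletPath);
    }

    // Loose check, for comparison: true if a listed name occurs anywhere in the path.
    static boolean looksPublic(String path) {
        for (String page : NO_FILTER_PAGES) {
            if (path.indexOf(page) > -1) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from a real application.
        String[] samples = {
            "/login.jsp",      // the real login page
            "/index.jsp",      // a protected page
            "/a/login.jsp",    // a different page that happens to share the name
            "/login.jsp.bak"   // a leftover file whose name contains the text
        };
        for (String s : samples) {
            System.out.printf("%-16s strict=%-5b loose=%b%n", s, isPublic(s), looksPublic(s));
        }
    }
}
```

In doFilter the loop then becomes a single call: if isPublic(servletRequest.getServletPath()) is true, pass the request down the chain and return.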
That is how to use a Java web filter to verify login and keep pages from being opened without logging in. I hope it will be helpful to you.