我想为我的网络应用程序创建一个授权过滤器(以便能够限制对某些页面的访问).
我创建了一个简单的.xml文件,其中包含允许每个用户访问的页面:
<access>
<buyer>
<page>buyoffer.xhtml</page>
<page>faq.xhtml</page>
<page>index.jsp</page>
<page>login.xhtml</page>
<page>main.xhtml</page>
<page>registrationSucceded.xhtml</page>
</buyer>
<seller>
<page>sellerpanel.xhtml</page>
<page>faq.xhtml</page>
<page>index.jsp</page>
<page>login.xhtml</page>
<page>main.xhtml</page>
<page>registrationSucceded.xhtml</page>
</seller>
<administrator>
<page>sellerpanel.xhtml</page>
<page>faq.xhtml</page>
<page>index.jsp</page>
<page>login.xhtml</page>
<page>main.xhtml</page>
<page>registrationSucceded.xhtml</page>
</administrator>
</access>
然后我需要进行解析以提取页面的值,以便能够创建允许或重定向的条件(依赖).我只需要告诉某人如何从xml中提取这些页面的值.这就是我现在所做的:
public class RestrictPageFilter implements Filter {
private FilterConfig fc;
private DocumentBuilder builder;
private Document document;
public void init(FilterConfig filterConfig) throws ServletException {
// The easiest way to initialize the filter
fc = filterConfig;
// Get the file that contains the allowed pages
File f = new File("/allowedpages.xml");
// Prepare the file parsing
try {
builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
document = builder.parse(f);
} catch (ParserConfigurationException e) {
e.printStackTrace();
} catch (SAXException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}
public void doFilter(ServletRequest request,ServletResponse response,FilterChain chain) throws IOException,ServletException {
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
HttpSession session = req.getSession(true);
String pageRequested = req.getRequestURL().toString();
// Get the value of the current logged user
Role currentUser = (Role) session.getAttribute("userRole");
if (currentUser != null) {
if(currentUser.getType().equals("BUYER")) {
//Loop BUYER Element of the .xml
//if pageRequested.contains(value of the page at buyer element)
// chain.doFilter(request,response);
// Else
// Redirect the user to the main page
}
else if(currentUser.getType().equals("SELLER")) {
//Same as above just for seller element
}
else if(currentUser.getType().equals("ADMINISTRATOR")) {
//Same as above just for administrator element
}
}
}
public void destroy() {
// Not needed
}
}
在doFilter方法内部的注释中解释了我需要做什么.有人可以给我一个提示,我应该如何遍历文件来查找每个用户类型的页面名称?我尝试从互联网上关注JAXP示例,但它们比我需要的更复杂.
更新
xml存储在WEB-INF / classes中
而是使用JAXB. JAXP是一个古老且非常详细的API. JAXB倾向于Javabeans,因此干净且相对容易.首先创建一个Javabean,它使用javax.xml.bind注释将1:1映射到XML文件.
@XmlRootElement
public class Access {
@XmlElement
private User buyer;
@XmlElement
private User seller;
@XmlElement
private User administrator;
public User getBuyer() {
return buyer;
}
public User getSeller() {
return seller;
}
public User getAdministrator() {
return administrator;
}
public static class User {
@XmlElement(name="page")
private List<String> pages;
public List<String> getPages() {
return pages;
}
}
}
然后执行以下部分来映射它(假设allowedpages.xml放在类路径的根目录中).
InputStream input = Thread.currentThread().getContextClassLoader().getResourceAsStream("allowedpages.xml");
Access access = (Access) JAXBContext.newInstance(Access.class).createUnmarshaller().unmarshal(input);
请注意,您不应该为此使用新的File().另见getResourceAsStream() vs FileInputStream.
最后,您可以访问所有买家页面,如下所示:
List<String> buyerPages = access.getBuyer().getPages(); // ...
毋庸置疑,养老保障并不总是最佳做法. Java EE 6附带容器管理的安全性.
