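I want to create an authorization filter for my web application (to be able to restrict access to certain pages).
I created a simple .xml file that contains the pages each user is allowed to access: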
```xml
<access>
    <buyer>
        <page>buyoffer.xhtml</page>
        <page>faq.xhtml</page>
        <page>index.jsp</page>
        <page>login.xhtml</page>
        <page>main.xhtml</page>
        <page>registrationSucceded.xhtml</page>
    </buyer>
    <seller>
        <page>sellerpanel.xhtml</page>
        <page>faq.xhtml</page>
        <page>index.jsp</page>
        <page>login.xhtml</page>
        <page>main.xhtml</page>
        <page>registrationSucceded.xhtml</page>
    </seller>
    <administrator>
        <page>sellerpanel.xhtml</page>
        <page>faq.xhtml</page>
        <page>index.jsp</page>
        <page>login.xhtml</page>
        <page>main.xhtml</page>
        <page>registrationSucceded.xhtml</page>
    </administrator>
</access>
```
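Then I need to parse it to extract the page values, so that I can create the conditions to allow or redirect (it depends). I just need someone to tell me how to extract the values of those pages from the XML. This is what I have done so far: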
```java
import java.io.File;
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class RestrictPageFilter implements Filter {
    private FilterConfig fc;
    private DocumentBuilder builder;
    private Document document;

    public void init(FilterConfig filterConfig) throws ServletException {
        // The easiest way to initialize the filter
        fc = filterConfig;
        // Get the file that contains the allowed pages
        File f = new File("/allowedpages.xml");
        // Prepare the file parsing
        try {
            builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
            document = builder.parse(f);
        } catch (ParserConfigurationException e) {
            e.printStackTrace();
        } catch (SAXException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);
        String pageRequested = req.getRequestURL().toString();
        // Get the value of the current logged user
        Role currentUser = (Role) session.getAttribute("userRole");
        if (currentUser != null) {
            if (currentUser.getType().equals("BUYER")) {
                // Loop BUYER Element of the .xml
                // if pageRequested.contains(value of the page at buyer element)
                //     chain.doFilter(request, response);
                // Else
                //     Redirect the user to the main page
            }
            else if (currentUser.getType().equals("SELLER")) {
                // Same as above just for seller element
            }
            else if (currentUser.getType().equals("ADMINISTRATOR")) {
                // Same as above just for administrator element
            }
        }
    }

    public void destroy() {
        // Not needed
    }
}
```
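What I need to do is explained in the comments inside the doFilter method. Could someone give me a tip on how I should iterate through the file to find the page names for each user type? I tried following JAXP examples from the internet, but they are more complex than what I need.
Update
The XML is stored in WEB-INF/classes.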
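Rather use JAXB. JAXP is an old and very verbose API. JAXB leans on Javabeans and is therefore clean and relatively easy. First create a Javabean which maps 1:1 to the XML file using javax.xml.bind annotations.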
```java
import java.util.List;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;

@XmlRootElement
public class Access {

    @XmlElement
    private User buyer;

    @XmlElement
    private User seller;

    @XmlElement
    private User administrator;

    public User getBuyer() {
        return buyer;
    }

    public User getSeller() {
        return seller;
    }

    public User getAdministrator() {
        return administrator;
    }

    public static class User {

        @XmlElement(name="page")
        private List<String> pages;

        public List<String> getPages() {
            return pages;
        }
    }
}
```
Then execute the following piece to map it (assuming that allowedpages.xml is placed in the root of the classpath).
```java
InputStream input = Thread.currentThread().getContextClassLoader().getResourceAsStream("allowedpages.xml");
Access access = (Access) JAXBContext.newInstance(Access.class).createUnmarshaller().unmarshal(input);
```
Note that you should not use new File() for this. See also getResourceAsStream() vs FileInputStream.
Finally you can access all buyer pages as follows:
```java
List<String> buyerPages = access.getBuyer().getPages();
// ...
```
Needless to say, homegrown security isn't always the best practice. Java EE 6 ships with container-managed security.