I\'ve a filter used for the login. It performs a textual checking, on fields \"Username\" and \"Password\". If and only if the textual checking is correctly done the request goes to the Servlet. This latter performs the control that has to interact with the Database. Is this chain correct?
可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效,请关闭广告屏蔽插件后再试):
问题:
回答1:
Preface: I gather you\'re using homegrown login instead of container managed login. For all ways, see How to handle authentication/authorization with users in a database?
The filter (the interceptor) shouldn\'t check the validity of the username/password combo. That\'s the responsibility of the servlet (the controller).
The filter should merely check if the user is logged-in or not (usually by just checking the presence of a session attribute) and then continue the request or block it by redirecting back to the login page.
@WebFilter(\"/*\")
public class LoginFilter implements Filter {
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
HttpSession session = request.getSession(false);
String loginURI = request.getContextPath() + \"/login\";
boolean loggedIn = session != null && session.getAttribute(\"user\") != null;
boolean loginRequest = request.getRequestURI().equals(loginURI);
if (loggedIn || loginRequest) {
chain.doFilter(request, response);
} else {
response.sendRedirect(loginURI);
}
}
// ...
}
The servlet should collect the submitted data, find the associated User
in database and if found then store it as a session attribute and then redirect to the home page, else redisplay the form with validation errors.
@WebServlet(\"/login\")
public class LoginServlet extends HttpServlet {
@EJB
private UserService userService;
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
request.getRequestDispatcher(\"/WEB-INF/login.jsp\").forward(request, response);
}
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String username = request.getParameter(\"username\");
String password = request.getParameter(\"password\");
Map<String, String> messages = new HashMap<String, String>();
if (username == null || username.isEmpty()) {
messages.put(\"username\", \"Please enter username\");
}
if (password == null || password.isEmpty()) {
messages.put(\"password\", \"Please enter password\");
}
if (messages.isEmpty()) {
User user = userService.find(username, password);
if (user != null) {
request.getSession().setAttribute(\"user\", user);
response.sendRedirect(request.getContextPath() + \"/home\");
return;
} else {
messages.put(\"login\", \"Unknown login, please try again\");
}
}
request.setAttribute(\"messages\", messages);
request.getRequestDispatcher(\"/WEB-INF/login.jsp\").forward(request, response);
}
}
See also:
- Our servlet-filters wiki page
- Our servlets wiki page
Ta的文章
更多文章
0条评论
还没有人评论过~