web.xml 页面
<!--权限jsp过滤器-->
<filter > <filter-name>jsppermission </filter-name> <filter-class>com.weizhi.common.filter.JSPPermissionFilter</filter-class> </filter> <filter-mapping> <filter-name>jsppermission </filter-name> <url-pattern>/administrator/*</url-pattern> </filter-mapping><!--权限action过滤器--> <filter > <filter-name>actionpermissiondo </filter-name> <filter-class>com.weizhi.common.filter.ActionPermissionFilter</filter-class> </filter> <filter-mapping> <filter-name>actionpermissiondo </filter-name> <url-pattern>*.ao</url-pattern> </filter-mapping>*****************************java类*****************************************
package com.weizhi.common.filter;
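import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import com.weizhi.common.domain.WzUser;
import com.weizhi.common.util.CommonConstants;
import com.weizhi.common.util.CommonUtil;

/**
 * Authorization filter for action requests (mapped to {@code *.ao} in web.xml).
 *
 * <p>For every request it derives the last path segment of the request URI and then:
 * <ul>
 *   <li>lets the request through untouched when that segment is on the exclusion list
 *       (see {@link #noFileUrl});</li>
 *   <li>redirects to {@code <contextPath>/index.shtml} when no logged-in user is stored in
 *       the session under {@code CommonConstants.SESSION_USER};</li>
 *   <li>otherwise applies the group rules in {@link #verifyUrl} and either continues the
 *       chain or answers 403 with an HTML "no permission" message.</li>
 * </ul>
 *
 * <p>Thread-safety: the container shares one filter instance between concurrent requests,
 * so all per-request state (request, response, chain) is kept in locals and method
 * parameters and never in instance fields. Any unexpected exception fails closed: it is
 * logged and the response is turned into a 500 instead of being passed down the chain.
 */
public class ActionPermissionFilter implements Filter {

    public static final Log _log = LogFactory.getLog(ActionPermissionFilter.class);

    /**
     * Last path segments that are served without any authentication or permission check.
     * Matched by exact equality so that an empty segment or a partial name such as
     * {@code "do"} can no longer pass the check.
     */
    private static final Set<String> EXCLUDED_URLS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("login.do", "p_w_picpathaction.do")));

    /** Config handed over by the container in {@link #init}; not otherwise used. */
    private FilterConfig filterConfig;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    @Override
    public void destroy() {
        this.filterConfig = null;
    }

    /**
     * Applies the authorization rules to one request.
     *
     * @param servletRequest  the incoming request; cast to {@link HttpServletRequest} because
     *                        the URI, context path and session are needed
     * @param servletResponse the response, used for the redirect / denial output
     * @param chain           the rest of the filter chain, invoked only for allowed requests
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
            FilterChain chain) {
        _log.info("进入了Actionfileter");
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        // e.g. "/Gzlkh/login.jsp" -> "login.jsp": only the last path segment is compared
        // against the exclusion list.
        String uri = request.getRequestURI();
        String url = uri.substring(uri.lastIndexOf('/') + 1);

        try {
            String accessPath = request.getContextPath();
            // getSession(false): an unauthenticated hit must not allocate a new session.
            HttpSession session = request.getSession(false);
            WzUser st = session == null
                    ? null
                    : (WzUser) session.getAttribute(CommonConstants.SESSION_USER);

            if (noFileUrl(url, request)) {
                // Pages such as the login action need no permission check.
                chain.doFilter(request, response);
            } else if (st == null) {
                // Not logged in or session expired: back to the login page.
                response.sendRedirect(accessPath + "/index.shtml");
            } else {
                verifyUrl(st, request, response, chain);
            }
        } catch (Exception ex) {
            // Fail closed: never continue the chain after an error in the permission check.
            _log.error("ActionPermissionFilter: permission check failed for " + uri, ex);
            if (!response.isCommitted()) {
                response.reset();
                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            }
        }
    }

    /**
     * Decides whether the logged-in user may access the requested URI and either continues
     * the chain or writes a 403 denial page.
     *
     * <p>NOTE(review): the rules below match the literal substrings {@code "abc"},
     * {@code "123"}, {@code "okm"} and {@code "front"} anywhere in the request URI. As
     * written, any URI containing {@code "123"} or {@code "okm"} is granted to every logged-in
     * user regardless of group — confirm these are the intended resource names; exact
     * path-prefix matching would be the safer form.
     *
     * @param st       the logged-in user (never {@code null} here)
     * @param request  current request, its URI drives the rules
     * @param response current response, receives the denial page when access is refused
     * @param chain    filter chain to continue when access is granted
     * @throws Exception propagated from the group lookup, the chain or the response writer
     */
    private void verifyUrl(WzUser st, HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws Exception {
        String uri = request.getRequestURI();
        boolean isqiantai = CommonUtil.hasexistingroup(st.getUserId(), "前台用户组");
        boolean ishoutai = CommonUtil.hasexistingroup(st.getUserId(), "后台用户组");

        boolean allowed;
        if ((uri.contains("abc") && isqiantai) || uri.contains("123") || uri.contains("okm")) {
            allowed = true;
        } else {
            // Back-office group may access everything except "front" resources.
            allowed = ishoutai && !uri.contains("front");
        }

        if (allowed) {
            chain.doFilter(request, response);
            return;
        }

        // Denied: answer 403 (not 200) so clients and logs can tell refusal from success.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setContentType("text/html;charset=GBK");
        response.getWriter().println("<div style='margin: 100 auto;text-align: center; "
                + "font: bold 18px 宋体;color: #0066CC;vertical-align: middle'> Sorry,您没有权限访问该资源!</div>");
    }

    /**
     * Returns whether the requested page is a special page that needs no permission check
     * (for example the login action).
     *
     * @param url     last path segment of the request URI, e.g. {@code "login.do"}
     * @param request current request (unused, kept for subclasses overriding this hook)
     * @return {@code true} when {@code url} is exactly one of the excluded names
     */
    protected boolean noFileUrl(String url, HttpServletRequest request) {
        _log.info("url=" + url);
        return url != null && EXCLUDED_URLS.contains(url);
    }
}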