内部邀请码:C8E245J (不写邀请码,没有现金送)
国内私募机构九鼎控股打造,九鼎投资是在全国股份转让系统挂牌的公众公司,股票代码为430719,为“中国PE第一股”,市值超1000亿元。
原文: http://my.oschina.net/uniquejava/blog/83657
在学spring3 mvc,做了个简单的CRUD,但是用户不登录也能直接访问任何页面。我的想法是写个SecurityInterceptor在preHandle中判断session是不是存在user对象。配置如下:
<mvc:interceptors> <mvc:interceptor> <mvc:mapping path="/*" /> <bean class="smartcrud.common.spring.SecurityInterceptor"> </bean> </mvc:interceptor> </mvc:interceptors>
代码如下:
public class SecurityInterceptor implements HandlerInterceptor { @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { // intercept HttpSession session = request.getSession(); if (session.getAttribute("user") == null) { throw new AuthorizationException(); } else { return true; } }
很快,我发现登录页面是不需要拦截的。。搜索了一下。<mvc:interceptor>没有提供配置exclude url的功能。只能在SecurityInterceptor中手动处理。。于是修改配置如下:
<mvc:interceptors> <mvc:interceptor> <mvc:mapping path="/*" /> <bean class="smartcrud.common.spring.SecurityInterceptor"> <property name="excludedUrls"> <list> <value>/login</value> </list> </property> </bean> </mvc:interceptor> </mvc:interceptors>
修改代码如下:
public class SecurityInterceptor implements HandlerInterceptor { private List<String> excludedUrls; public void setExcludedUrls(List<String> excludedUrls) { this.excludedUrls = excludedUrls; } @Override public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception { // excluded URLs: // see http://stackoverflow.com/questions/9908124/spring-mvc-3-interceptor-on-all-excluding-some-defined-paths String requestUri = request.getRequestURI(); for (String url : excludedUrls) { if (requestUri.endsWith(url)) { return true; } } // intercept HttpSession session = request.getSession(); if (session.getAttribute("user") == null) { // see http://stackoverflow.com/questions/12713873/spring-3-1-how-do-you-send-all-exception-to-one-page throw new AuthorizationException(); } else { return true; } }
这样以/login结尾的请求不做拦截处理。。
接下来需要处理非/login结尾的情况,此时我设计为抛出一个自定义的AuthorizationException异常。
public class AuthorizationException extends Exception { }
当抛出这个异常时,spring框架应该能够处理它,并将用户导向/WEB-INF/views/adminLogin.jsp页面以便让用户登录。。
搜索了一下资料,配置如下:
<bean id="handlerExceptionResolver" class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver"> <property name="exceptionMappings"> <props> <prop key="smartcrud.common.exception.AuthorizationException">redirect:/login</prop> </props> </property> </bean>
注意这里的视图名为redirect:/login,spring会去找标记了@RequestMapping(value="/login")的方法来处理它。
代码如下:
@Controller public class LoginController { @Autowired private UserService userService; @RequestMapping(value = "/login", method = RequestMethod.GET) public String loginForm() { return "adminLogin"; }
如果handlerExceptionResolver那里的视图名没有redirect前缀,像这样
class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver"> <property name="exceptionMappings"> <props> <prop key="smartcrud.common.exception.AuthorizationException">/login</prop> </props> </property> </bean>
spring会尝试去找/WEB-INF/views/login.jsp。。如果恰好登录页面不叫这个名字,spring就会给出404,搞不懂spring为什么不去@RequestMapping中查找呢。
参考:
http://stackoverflow.com/questions/9908124/spring-mvc-3-interceptor-on-all-excluding-some-defined-paths
http://stackoverflow.com/questions/12713873/spring-3-1-how-do-you-send-all-exception-to-one-page
