防止用户直接输入地址下载或直接访问未受权的资源(java实现)
想实现的是,用户要下载某个文件,必须先登录才能下载(即使用户知道真实的资源地址也不能下载)
终于搞定了这个问题,作个记号
当然我提供的资源是存在的哈
测试地址
http://www.interdrp.com/software/hotel/setup.zip (此资源要进系统才能下载)
http://www.interdrp.com/software/goods/setup.zip (此资源不进系统就能下载)
服务器配置文件
Code
java源码:
/*
* FilterListFileLogin.java
* Version 1.0.0
* Created on 2021年1月30日
* Copyright ReYo.Cn
*/
package reyo.sdk.utils.filters;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
/**
* 用于检测用户是否登陆的过滤器,如果未登录,则重定向到指的登录页面
* 配置参数
* SessionKey 需检查的在 Session 中保存的关键字
* redirectURL 如果用户未登录,则重定向到指定的页面,URL不包括 ContextPath
* CheckURLList 检查的URL列表,以分号(;)分开,并且 URL 中不包括 ContextPath
*/
/**
<filter>
<filter-name>FilterListFileLogin</filter-name>
<filter-class>Www.Interdrp.Com.Filters.FilterListFileLogin</filter-class>
<init-param>
<param-name>redirectURL</param-name>
<param-value>/PowerError.htm</param-value>
</init-param>
<init-param>
<param-name>SessionKey</param-name>
<param-value>UserName</param-value>
</init-param>
<init-param>
<param-name>CheckURLList</param-name>
<param-value>/software/hotel/setup.zip</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>FilterListFileLogin</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
**/
public class FilterListFileLogin implements Filter {
protected FilterConfig filterConfig = null;
private String redirectURL = null;
private List<String> CheckURLList = new ArrayList<String>();
private String sessionKey = null;
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
HttpSession session = request.getSession();
if (sessionKey == null) {
filterChain.doFilter(request, response);
return;
}
if (checkRequestURIIntNotFilterList(request) && session.getAttribute(sessionKey) == null) {
response.sendRedirect(request.getContextPath() + redirectURL);
return;
}
filterChain.doFilter(servletRequest, servletResponse);
}
@Override
public void destroy() {
CheckURLList.clear();
}
private boolean checkRequestURIIntNotFilterList(HttpServletRequest request) {
String uri = request.getServletPath() + (request.getPathInfo() == null ? "" : request.getPathInfo());
return CheckURLList.contains(uri);
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
this.filterConfig = filterConfig;
redirectURL = filterConfig.getInitParameter("redirectURL");
sessionKey = filterConfig.getInitParameter("SessionKey");
String CheckURLListStr = filterConfig.getInitParameter("CheckURLList");
if (CheckURLListStr != null) {
StringTokenizer st = new StringTokenizer(CheckURLListStr, ";");
CheckURLList.clear();
while (st.hasMoreTokens()) {
CheckURLList.add(st.nextToken());
}
}
}
}
浙公网安备 33010602011771号