Simple Filter Application (Interface Access Control)

Source: Internet
Author: User

First, the description

When providing an interface for Android or iOS clients, you can assign a session to the client at the login interface and use it to decide whether calls to the other interfaces are legitimate, instead of exposing every interface on the web so that it can be accessed directly by its path. In a recent project, however, the mobile interface did not assign a session to the client, so every interface could be accessed directly by path, which carries some risk; the only defence was stricter validation of the parameters by each interface. For ease of administration, all interfaces are usually placed together in a separate folder under WebRoot, such as WebRoot/appreq, and the interfaces in that directory can be accessed directly, for example: http://localhost:8080/WebTest/appreq/agreement.jsp. It is therefore necessary to restrict access to the JSPs in the appreq directory, and a Filter can be used to filter the requests. For learning and using filters, see this very detailed blog post on cnblogs: http://www.cnblogs.com/xdp-gacl/p/3948353.html

Second, the implementation

a) Create a new class that implements the Filter interface and implements the methods the interface defines; the doFilter() method is where the function of this filter is written. The code is as follows:

```java
package com.app.util;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AppRequestFilter implements Filter {

    @Override
    public void destroy() {
        // nothing to release
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp,
            FilterChain chain) throws IOException, ServletException {
        System.out.println("Filter Begin");
        req.setCharacterEncoding("UTF-8");
        resp.setContentType("text/html;charset=utf-8");
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        // The login interface stores the user id in the session; no id means not logged in
        Object userId = request.getSession().getAttribute("current_user_id");
        if (userId == null) {
            // Build the return information
            Map<String, Object> map = new HashMap<String, Object>();
            map.put("status", -1);
            map.put("data", null);
            map.put("msg", "You are not login the system ... can't request resource!");
            PrintWriter writer = response.getWriter();
            // Return the JSON data using fastjson.jar
            writer.print(com.alibaba.fastjson.JSONArray.toJSONString(map));
            writer.flush();
            writer.close();
        } else {
            // Logged in: let the request continue to the interface
            chain.doFilter(req, resp);
        }
        System.out.println("Filter End");
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
        // nothing to initialise
    }
}
```

b) The filter is now written; once it is configured (registered) in web.xml, the filter can work.

```xml
<filter>
  <filter-name>AppRequest</filter-name>
  <filter-class>com.app.util.AppRequestFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>AppRequest</filter-name>
  <url-pattern>/appinter/*</url-pattern>
</filter-mapping>
```

c) At this point the interfaces under appinter have a layer of protection: a request that has not logged in and obtained a session gets the JSON message returned directly, for the client to handle. A real example of the returned JSON: {"msg": "You do not login the system ... can't request resource!", "status": -1}.

Addendum:

a) To make the interface as standard as possible, the JSON return format should be specified with at least three items: status (the status code), msg (the status information) and data, of type String/String/Object respectively. The JSON result above has no data field, however, because the jar used here is fastjson.jar, which automatically omits fields whose value is null and does not display them. This makes it harder for the Android client to judge the result every time it parses, so in actual use other JSON tools can be considered.
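As an added example (not the page's own code, nor the project's), a hardened variant of the filter above that also addresses the missing data field from the addendum: it uses getSession(false) so that an anonymous caller never gets a session created, answers with HTTP 401 and an application/json content type, and keeps "data": null in the body by serialising with fastjson's SerializerFeature.WriteMapNullValue. The class name StrictAppRequestFilter is hypothetical; it is registered in web.xml the same way as the filter above.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.serializer.SerializerFeature;

// Hypothetical hardened variant of the page's AppRequestFilter (example code).
public class StrictAppRequestFilter implements Filter {
    // Same attribute name the page's login code stores in the session.
    private static final String USER_ID_ATTR = "current_user_id";

    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        // getSession(false) returns null instead of creating a session for an anonymous caller.
        HttpSession session = request.getSession(false);
        Object userId = session == null ? null : session.getAttribute(USER_ID_ATTR);
        if (userId == null) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json;charset=UTF-8");
            response.setHeader("Cache-Control", "no-store");
            Map<String, Object> body = new LinkedHashMap<>();
            body.put("status", -1);
            body.put("msg", "not logged in");
            body.put("data", null);
            // WriteMapNullValue keeps "data": null, so the client always sees all three fields.
            response.getWriter().print(JSON.toJSONString(body, SerializerFeature.WriteMapNullValue));
            response.getWriter().flush();
            return;
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() { }
}
```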

b) How to assign a session to the client at login: if Struts is used, the session can be obtained like this:

Map session = ActionContext.getContext().getSession(); after the login information has been validated, add session.put("current_user_id", au.getId()), and the session is then returned to the client.

The above contents are recorded in Wincha.
