Struts2 interceptor implementation to prevent malicious logins (login restrictions)

Source: Internet
Author: User
A typical web site needs to stop people from logging in maliciously (that is, reaching a back-end page without logging in), and a Struts2 interceptor is used to restrict login.
Below is a small example of a login-restricting interceptor that helps you understand and apply interceptors. The interceptor decides whether to intercept by checking whether the session scope holds any user information.
If it does, the request proceeds as needed. The first thing to understand is the role the interceptor plays in login restriction: the interceptor intercepts action requests.
So the flow should look like this:
Login page --> loginAction --> result --> interceptor --> showAction --> background page.
If the interceptor is placed before the loginAction, the login can never succeed (the loginAction has not run yet, so the session cannot contain any user information).


Look at the code. Configure struts.xml (interceptors are declared above the actions; an action that should use the interceptor must reference it with <interceptor-ref/>).

<?xml version="1.0" encoding="GBK"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
        "http://struts.apache.org/dtds/struts-2.5.dtd">
<!-- Root element of the Struts 2 configuration file -->
<struts>
    <package name="WYG" extends="struts-default" namespace="/">
        <interceptors>
            <interceptor name="authority" class="com.wyg.inter.LoginInterceptor"></interceptor>
            <!-- Interceptor stack: the default stack plus the login check -->
            <interceptor-stack name="myDefault">
                <interceptor-ref name="defaultStack"/>
                <interceptor-ref name="authority"/>
            </interceptor-stack>
        </interceptors>

        <!-- The login action is NOT protected by the authority interceptor -->
        <action name="login" class="com.wyg.action.LoginAction">
            <result name="success" type="chain">show</result>
            <result name="error">/login.jsp</result>
        </action>

        <!-- The show action uses the interceptor stack, so it is protected -->
        <action name="show" class="com.wyg.action.ShowAction">
            <result name="success">/show.jsp</result>
            <result name="error">/login.jsp</result>
            <!-- Make this action use the interceptor -->
            <interceptor-ref name="myDefault"/>
        </action>
    </package>
</struts>

Interceptor class

package com.wyg.inter;

import javax.servlet.http.HttpSession;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class LoginInterceptor extends AbstractInterceptor {
    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        // The login check: does the session already hold a user set by LoginAction?
        HttpSession session = ServletActionContext.getRequest().getSession();
        String user = (String) session.getAttribute("user");

        if (user != null && user.equals("admin")) {
            System.out.println("test");
            // Authenticated: let the intercepted action run
            return invocation.invoke();
        }
        // Not authenticated: the "error" result sends the user back to login.jsp
        return "error";
    }
}
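The interceptor above only works because the login action is left out of the stack by hand. As an added example (not code from the original post), the variant below reads the session through the Struts ActionContext map, skips a configurable list of action names so it can be applied package-wide without blocking the login action, and logs every denied request with the action name and client address so repeated attempts on protected actions are visible in the server log. The class name AuthorityInterceptor and the "excludeActions" parameter are assumptions; it accepts any logged-in user, not only "admin".

```java
package com.wyg.inter;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

// Assumed class name; intended to be declared in struts.xml like the page's
// "authority" interceptor and referenced with <default-interceptor-ref>.
public class AuthorityInterceptor extends AbstractInterceptor {
    private static final long serialVersionUID = 1L;

    // Filled by Struts from <param name="excludeActions">login</param>
    private Set<String> excludeActions = new HashSet<>();

    public void setExcludeActions(String csv) {
        excludeActions = new HashSet<>(Arrays.asList(csv.trim().split("\\s*,\\s*")));
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        String actionName = invocation.getProxy().getActionName();
        if (excludeActions.contains(actionName)) {
            // e.g. the login action itself: no session user can exist yet
            return invocation.invoke();
        }

        // Same session LoginAction writes to, reached via the ActionContext map
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        Object user = session.get("user");
        if (user != null) {
            return invocation.invoke();
        }

        // Denied: record who asked for what so probing shows up in the log
        String remote = ServletActionContext.getRequest().getRemoteAddr();
        System.out.println("denied action '" + actionName + "' from " + remote
                + ": no user in session");
        return "error";   // mapped to /login.jsp in struts.xml
    }
}
```

With this variant the package can declare the stack as its default interceptor and pass the login action's name in the parameter instead of leaving it unprotected by omission.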

LoginAction (the interceptor does not intercept requests for this action)

package com.wyg.action;

import org.apache.struts2.ServletActionContext;

import com.opensymphony.xwork2.ActionSupport;

public class LoginAction extends ActionSupport {
    private String name;
    private String pwd;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getPwd() { return pwd; }
    public void setPwd(String pwd) { this.pwd = pwd; }

    @Override
    public String execute() throws Exception {
        if (getName() != null && getPwd() != null) {
            // Demo only: the credentials are hard-coded and the password is copied
            // into the session; a real application would verify against a user store
            if (this.getName().equals("admin") && this.getPwd().equals("123")) {
                // This "user" attribute is what LoginInterceptor checks
                ServletActionContext.getRequest().getSession().setAttribute("user", getName());
                ServletActionContext.getRequest().getSession().setAttribute("pwd", getPwd());
                return "success";
            }
            return "error";
        }
        return "error";
    }
}

ShowAction (the interceptor intercepts requests for this action; if the session holds the required data, the request passes through the interceptor)

package com.wyg.action;

import com.opensymphony.xwork2.ActionSupport;

public class ShowAction extends ActionSupport {
    @Override
    public String execute() {
        return "success";
    }
}

login.jsp (login page)

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

show.jsp (login success page)

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

Test
Enter the following address in the browser's address bar:
"http://localhost:8090/StrutsDemo_Interceptor/login.jsp"
After logging in successfully, open a new tab and enter the background address directly (show is the action address):
"http://localhost:8090/StrutsDemo_Interceptor/show"
You can still reach the login success page.
In another browser (whose session has no 'user'), enter the same background address:
"http://localhost:8090/StrutsDemo_Interceptor/show"
It jumps back to the login page.

Note that the interceptor only intercepts action requests. If you enter the address of the background JSP page directly in the browser address bar, you can still see the page, but a dynamic page will not receive its data.
In addition, in Struts all actions are performed by submitting requests, so an ordinary user does not see our background page address; the address bar shows the action address. So, according to the author, there is no need to worry about users typing the background page address directly to visit it.
