Original post: http://my.oschina.net/uniquejava/blog/83657
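I am learning Spring 3 MVC and built a simple CRUD application, but a user who has not logged in can still access any page directly. My idea is to write a SecurityInterceptor that checks in preHandle whether a user object exists in the session. The configuration is as follows:

```xml
<mvc:interceptors>
    <mvc:interceptor>
        <mvc:mapping path="/*" />
        <bean class="smartcrud.common.spring.SecurityInterceptor" />
    </mvc:interceptor>
</mvc:interceptors>
```

The code is as follows:

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.HandlerInterceptor;

import smartcrud.common.exception.AuthorizationException;

public class SecurityInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request,
            HttpServletResponse response, Object handler) throws Exception {
        // intercept: reject the request when no user is stored in the session
        HttpSession session = request.getSession();
        if (session.getAttribute("user") == null) {
            throw new AuthorizationException();
        } else {
            return true;
        }
    }

    // postHandle and afterCompletion: empty implementations, not shown
}
```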
Soon I found that the login page does not need to be intercepted. I searched around: <mvc:interceptor> does not provide a way to configure excluded URLs, so this can only be handled manually in SecurityInterceptor. So I changed the configuration as follows:

```xml
<mvc:interceptors>
    <mvc:interceptor>
        <mvc:mapping path="/*" />
        <bean class="smartcrud.common.spring.SecurityInterceptor">
            <property name="excludedUrls">
                <list>
                    <value>/login</value>
                </list>
            </property>
        </bean>
    </mvc:interceptor>
</mvc:interceptors>
```

The modified code is as follows:

```java
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.servlet.HandlerInterceptor;

import smartcrud.common.exception.AuthorizationException;

public class SecurityInterceptor implements HandlerInterceptor {

    private List<String> excludedUrls;

    public void setExcludedUrls(List<String> excludedUrls) {
        this.excludedUrls = excludedUrls;
    }

    @Override
    public boolean preHandle(HttpServletRequest request,
            HttpServletResponse response, Object handler) throws Exception {
        // excluded URLs:
        // see http://stackoverflow.com/questions/9908124/spring-mvc-3-interceptor-on-all-excluding-some-defined-paths
        String requestUri = request.getRequestURI();
        for (String url : excludedUrls) {
            if (requestUri.endsWith(url)) {
                return true;
            }
        }

        // intercept
        HttpSession session = request.getSession();
        if (session.getAttribute("user") == null) {
            // see http://stackoverflow.com/questions/12713873/spring-3-1-how-do-you-send-all-exception-to-one-page
            throw new AuthorizationException();
        } else {
            return true;
        }
    }

    // postHandle and afterCompletion: empty implementations, not shown
}
```
This way, requests ending with /login are not intercepted.
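The exclusion check above, as an added example that is not part of the original post: it compares the post's `endsWith` test with an exact match on the path inside the application, so that only `/login` itself skips the session check. The class name, the `/smartcrud` context path and the sample URIs are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ExcludedUrlCheck {

    // The post's rule: exempt a request when its URI ends with an excluded entry.
    static boolean suffixMatch(String requestUri, List<String> excludedUrls) {
        for (String url : excludedUrls) {
            if (requestUri.endsWith(url)) {
                return true;
            }
        }
        return false;
    }

    // Stricter rule (assumption, not from the post): drop the context path and
    // any ";name=value" path parameters, then require an exact match.
    static boolean exactMatch(String requestUri, String contextPath, Set<String> excludedPaths) {
        if (!requestUri.startsWith(contextPath)) {
            return false; // outside this application: never exempt
        }
        String path = requestUri.substring(contextPath.length()).replaceAll(";[^/]*", "");
        return excludedPaths.contains(path);
    }

    public static void main(String[] args) {
        String contextPath = "/smartcrud"; // constructed: the post does not state it
        List<String> excluded = Arrays.asList("/login");
        Set<String> excludedSet = new HashSet<String>(excluded);
        // Constructed sample URIs, in the form request.getRequestURI() returns them.
        String[] uris = {
            "/smartcrud/login",
            "/smartcrud/login;jsessionid=1A2B3C",
            "/smartcrud/user/login",
            "/smartcrud/user/list"
        };
        for (String uri : uris) {
            System.out.printf("%-36s suffix=%-5b exact=%b%n",
                    uri, suffixMatch(uri, excluded), exactMatch(uri, contextPath, excludedSet));
        }
    }
}
```

In the interceptor, `request.getContextPath()` supplies the context path. Note that `<mvc:mapping path="/*" />` matches only a single path segment, so deeper URLs need `/**` before any check in the interceptor runs for them.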
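Next, requests that do not end with /login need to be handled. For these I designed it to throw a custom AuthorizationException.

```java
package smartcrud.common.exception;

public class AuthorizationException extends Exception {
}
```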
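When this exception is thrown, the Spring framework should be able to handle it and direct the user to the /WEB-INF/views/adminLogin.jsp page so that the user can log in.

After some searching, the configuration is as follows:

```xml
<bean id="handlerExceptionResolver"
      class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
    <property name="exceptionMappings">
        <props>
            <prop key="smartcrud.common.exception.AuthorizationException">redirect:/login</prop>
        </props>
    </property>
</bean>
```

Note that the view name here is redirect:/login; Spring will look for the method annotated with @RequestMapping(value="/login") to handle it.

The code is as follows:

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class LoginController {

    @Autowired
    private UserService userService;

    // Renders the login form view (adminLogin.jsp)
    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String loginForm() {
        return "adminLogin";
    }

    // ...
}
```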
If the view name in handlerExceptionResolver has no redirect prefix, like this:

```xml
<bean id="handlerExceptionResolver"
      class="org.springframework.web.servlet.handler.SimpleMappingExceptionResolver">
    <property name="exceptionMappings">
        <props>
            <prop key="smartcrud.common.exception.AuthorizationException">/login</prop>
        </props>
    </property>
</bean>
```

Spring will try to find /WEB-INF/views/login.jsp. If the login page happens not to have that name, Spring returns a 404. I don't understand why Spring doesn't look it up in @RequestMapping.
References:
http://stackoverflow.com/questions/9908124/spring-mvc-3-interceptor-on-all-excluding-some-defined-paths
http://stackoverflow.com/questions/12713873/spring-3-1-how-do-you-send-all-exception-to-one-page
