I am using JSP and servlets to make a web application. I want to prevent the user from seeing the login page if he is already logged in. I made a filter that checks that, but it still shows the login page even when the user has a valid session. Here is the code in the filter:

    HttpSession session = httpreq.getSession(false);
    if (session == null) {
        System.out.println("not logged, redirect ");
        httpres.sendRedirect("../Login.jsp");
    }
    else {
        System.out.println("could be logged");
        String logged = (String) session.getAttribute("Login");
        if (logged != null) {
            System.out.println(" logged " + logged);
            if (!logged.equals("ok")) { // user is not logged
                System.out.println("not logged, redirect ");
                httpres.sendRedirect("../Login.jsp");
                return;
            } else { // if user has a session redirect his to the page he was opened
                System.out.println("redirect to the same page");
                chain.doFilter(request, response);
                System.out.println("redirect to the same page");
                httpres.setCharacterEncoding("UTF-8");
                httpres.sendRedirect(httpreq.getRequestURI());
            }
        } else {
            System.out.println("not logged, redirect login ");
            httpres.sendRedirect("../Login.jsp");
            return;
        }
    }

I make the session only on folders that are located outside the WEB-INF folder.

Edit: Here's the code to check the validity of the user and add attributes to the session:

        isVaild = StudentManagement.isValidUser(connection, studentUserName, password);
        // I have more than one roles in the system..
    }
    if (isVaild) {
        System.out.println("create session");
        HttpSession session = request.getSession();
        session.setAttribute("Login", "ok");
        session.setAttribute("userName", userName);
        session.setAttribute("role", role);
        if (role == UserRole.STUDENT) { // student role
            url = "/ParentManagementServlet?pageName=StudentActivationPage";
            forward(request, response, url);
        } else if (role == UserRole.ADMIN) { // admin role
            url = "/Admin/MainPage.jsp";
            forward(request, response, url);
        }

Edit 2: Here's the URL mapping in the web.xml file:

    <filter-mapping>
        <filter-name>AuthenticationFilter</filter-name>
        <url-pattern>/Admin/*</url-pattern>
    </filter-mapping>

since Admin is the folder that is located outside the WEB-INF folder.

Everything seems fine, apart from the filter mapping. Try:

    <filter-mapping>
        <filter-name>AuthenticationFilter</filter-name>
        <url-pattern>/protected directory/*</url-pattern>
    </filter-mapping>

I'm assuming you want to protect everything in the directory, and the above URL pattern will check the whole directory. You can fine-tune the pattern as per your need.

But the point is: the pattern mentioned in the question (<url-pattern>/Admin/*</url-pattern>) does not intercept Login.jsp, and that's why it cannot perform the session check and renders Login.jsp even for valid sessions.

You can perform a check in the existing filter for whether the request is for Login.jsp and then make a decision (I don't know whether this is a good way to go), or else keep Login.jsp out of the protected directory and write another filter which matches only Login.jsp.
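
The first option from the answer above, as an added example (not the asker's or the answerer's code): one filter mapped to both /Admin/* and /Login.jsp that decides from the session's "Login" attribute. It assumes the javax.servlet namespace, that Login.jsp sits at the web application root, and that /Admin/MainPage.jsp is the landing page for a user who is already logged in.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. Map this one filter to BOTH patterns in web.xml:
//   <url-pattern>/Admin/*</url-pattern> and <url-pattern>/Login.jsp</url-pattern>
public class AuthenticationFilter implements Filter {

    // Assumption: where a logged-in user is sent instead of the login page.
    private static final String HOME = "/Admin/MainPage.jsp";
    // Assumption: Login.jsp lives at the web application root.
    private static final String LOGIN = "/Login.jsp";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // getSession(false): never create a session just to check for one.
        HttpSession session = req.getSession(false);
        boolean loggedIn = session != null && "ok".equals(session.getAttribute("Login"));

        // getServletPath() excludes the context path and any ";jsessionid=..." suffix.
        boolean loginPage = LOGIN.equals(req.getServletPath());

        if (loginPage && loggedIn) {
            // Valid session: skip the login page. Context-relative, not "../".
            res.sendRedirect(req.getContextPath() + HOME);
            return;
        }
        if (!loginPage && !loggedIn) {
            // Protected resource requested without a valid session.
            res.sendRedirect(req.getContextPath() + LOGIN);
            return;
        }
        // Anonymous user on the login page, or logged-in user on a protected page.
        // Nothing is written to the response after the chain has run.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```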