我正在尝试编写一个过滤器,它检查用户是否已登录,如果没有将他重定向到登录页面。以前我有一个过滤器,它实际上什么也没做-_-在这里,使用这个过滤器一切正常, session 无效:
public void doFilter(ServletRequest req, ServletResponse res,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpSession session = request.getSession();
if (session == null || session.getAttribute("UserName") == null) {
String command = request.getParameter("command");
request.setAttribute("command", "login");
// String page = ConfigurationManager.getInstance().getProperty(
// ConfigurationManager.LOGIN_PAGE_PATH);
} else {
String username = (String) session.getAttribute("UserName");
UserRole role;
try {
role = UserDAOImpl.getUserRole(username);
session.setAttribute("role", role);
} catch (DAOTechnicException e) {
logger.error(e);
} catch (DAOLogicException e) {
logger.error(e);
}
}
chain.doFilter(req, res);
}
当我使 session 无效时,它会进入 (if session == null) block ,一切正常。
但现在我有另一个过滤器,这里是:
public class UserCheckFilter implements Filter {
static class FilteredRequest extends HttpServletRequestWrapper {
public FilteredRequest(ServletRequest request) {
super((HttpServletRequest) request);
}
public String getParameter(String paramName) {
String value = super.getParameter(paramName);
if(value!=null){
if (value.equals("login")) {
return value;
}
HttpSession session = super.getSession();
if (session == null || session.getAttribute("UserName") == null) {
value = "login";
}
}
return value;
}
}
/**
* Checks if user logged in and if not redirects to login page
*/
@Override
public void doFilter(ServletRequest req, ServletResponse res,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpSession session = request.getSession(false);
if (session == null || session.getAttribute("UserName") == null) {
if(request.getParameter("command")!=null){
String command = request.getParameter("command");
if(!command.equals("login")){
FilteredRequest filtrequest = new FilteredRequest(request);
String filteredvalue = filtrequest.getParameter("command");
chain.doFilter(filtrequest, res);
}else{
chain.doFilter(req, res);
}
}else{
chain.doFilter(req, res);
}
} else {
String username = (String) session.getAttribute("UserName");
UserRole role;
chain.doFilter(req, res);
try {
role = UserDAOImpl.getUserRole(username);
session.setAttribute("role", role);
} catch (DAOTechnicException e) {
logger.error(e);
} catch (DAOLogicException e) {
logger.error(e);
}
}
}
我在其中包装 getParameter 方法并检查未登录的用户是否正在尝试转到用户或管理页面。但是当我使 session 无效时,它不会无效,即所有参数都保持不变,然后在过滤器中检查 session 是否!= null,它不为空,并且在行中 session.setAttribute("role", role) ;我收到异常“ session 已失效”
这是我使 session 无效的方法:
if(request.getSession(false)!=null){
request.getSession().invalidate();
}
String page = ConfigurationManager.getInstance().getProperty(
ConfigurationManager.LOGIN_PAGE_PATH);
return page;
并在servlet U中使用
RequestDispatcher dispatcher = getServletContext()
.getRequestDispatcher(page);
dispatcher.forward(request, response);
顺便说一句,只有第二个过滤器才会发生 session 失效的情况
附:抱歉,我的问题可能很愚蠢,但我真的不知道出了什么问题, 因此,如有任何建议,我们将不胜感激。
最佳答案
我认为这是因为你总是调用 chain.doFilter()。
根据 Oracle 文档...
A typical implementation of this method would follow the following pattern:-
- Examine the request
- Optionally wrap the request object with a custom implementation to filter content or headers for input filtering
- Optionally wrap the response object with a custom implementation to filter content or headers for output filtering
- a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()),
- b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing
- Directly set headers on the response after invocation of the next entity in the filter chain.
在步骤 4 中,您可能想要执行 (b) - 也就是说,不是将请求传递到链中的下一个过滤器,而是将结果返回给用户。我的意思是,这是一个无效的 session ,那么为什么还要尝试执行额外的处理呢?
关于java - session 不会失效,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/17413116/