防止用户直接访问jsp页面的几种办法

防止用户直接访问jsp页面的几种办法：
 

1.把JSP页面放在WEB-INF目录下，存放在此目录或者它的子目录里的任何东西都受到了保护。

不过，不太推荐，因为并非所有的容器都具有这种保护机制，例如WebLogic就做不到这一点。

 2.使用servlet过滤器或者struts过过滤器来过滤对jsp页面的请求。

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;


import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletRequestWrapper;

public class CharsetFilter implements Filter {


	@Override
	public void destroy() {
		// TODO Auto-generated method stub
		
	}


	@Override
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
			throws IOException, ServletException {
		try{
			HttpServletRequest httpRequest = (HttpServletRequest)request;
			HttpServletResponse httpResponse = (HttpServletResponse)response;
			//过滤直接访问jsp的页面
			String uri = httpRequest.getRequestURI();
			if(uri.endsWith(".jsp")){
				httpResponse.sendRedirect(request.getServletContext().getContextPath()+"/login/preLoginAction.jspx");
				return;
			}
				
			String method = httpRequest.getMethod().toLowerCase();
			/*System.out.println("### method is "+ method);*/
			if(method.equals("post")){
				//如果 是post,即表单方法，直接设置charset即可
				request.setCharacterEncoding("UTF-8");
			}else if(method.equals("get")){
				request.setCharacterEncoding("UTF-8");
				request = new HttpServletRequestWrapper(httpRequest){
					@Override
					public Map getParameterMap() {
						Map map = super.getParameterMap();
						Set> set = map.entrySet();
						Iterator> it = set.iterator();
						Map newmap = new HashMap();  
						while(it.hasNext()){
							Entry entry = it.next();
							
							String[] values = entry.getValue();
							String name = entry.getKey();
							//System.out.println("KEY:"+entry.getKey()+"VALUE: "+entry.getValue());
								{
								String newvalues[] = new String[values.length];
								for(int i=0; i

或者

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.io.Writer;

/**
 * Created by a on 2016/3/17.
 */
public class AdminSessionFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        HttpSession session = request.getSession();

        String uri = request.getRequestURI();
        if (uri.indexOf("/img/") < 0
                && uri.indexOf("/css/") < 0
                && uri.indexOf("/login/") < 0
                && uri.indexOf("/zhiboapi/") < 0
                && session.getAttribute("admin") == null) {//在没有登陆的情况下，除了这几个不能直接访问其他的目录
            Writer writer = null;
            try {
                writer = response.getWriter();
                writer.write("");//framesetbug,直播跳转到首页
            } catch (IOException e) {
                e.printStackTrace();
            } finally {
                try {
                    writer.flush();
                    writer.close();
                } catch (IOException e) {
                }
            }

        } else {
            try {
                filterChain.doFilter(servletRequest, servletResponse);
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }

    @Override
    public void destroy() {

    }
}

 3.在部署文件web.xml中使用安全限制.这个比过滤器容易,不用另外编写一个过滤器了.配置如下:

   
       JSPs
       /web/*
   
   

 

   BASIC

 QNJYZXT

/web/*

还可以设置限制访问角色

《JSP页面中限制对 Web 资源的访问》这篇文章中有介绍