How to make some pages not directly accessible from browser?

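For example, I have two files in my web application: 1] index.html 2] some.html (or jsp)

Only index.html should be accessible from the browser,

so if I call localhost:8080/index.html, it should return the actual page, and on load, if I go directly (redirect) to some.html, then the some.html page should appear.

If I call localhost:8080/some.html directly, it should throw an error saying that the page cannot be accessed directly, if I am on a Tomcat server?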

Use Filters and deny access to the JSPs

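import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

public class FilterMyJsp implements Filter {
    // Forwards every request matched by the filter mapping to the error page.
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        req.getRequestDispatcher("HandleError.jsp").forward(request, response);
    }
    public void init(FilterConfig config) {}
    public void destroy() {}
}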

Web.xml

<filter>
    <filter-name>FilterMyJsp</filter-name>
    <filter-class>my.FilterMyJsp</filter-class>
</filter>
<filter-mapping>
    <filter-name>FilterMyJsp</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>

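The URL pattern * applies this filter to every JSP. You can design HandleError.jsp with an appropriate error message, which will be shown when the user tries to access other pages.

A common solution is to move them under the WEB-INF directory. From there they are not publicly accessible, but you can have a Servlet or other controller forward to them.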

https://docs.oracle.com/cd/E21764_01/web.1111/e13712/configurewebapp.htm#WBAPP158

The WEB-INF directory is not part of the public document tree of the application. No file contained in the WEB-INF directory can be served directly to a client by the container. However, the contents of the WEB-INF directory are visible to servlet code using the getResource and getResourceAsStream() method calls on the ServletContext or includes/forwards using the RequestDispatcher.

Another approach is to leave them outside WEB-INF and configure a security constraint in web.xml. For example, if you have them in {webapp-root}/pages:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>JSP Files</web-resource-name>
        <description>No direct access to JSP files</description>
        <url-pattern>/pages/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>No direct browser access to JSP files</description>
        <role-name>NobodyHasThisRole</role-name>
    </auth-constraint>
</security-constraint>
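
The WEB-INF approach described in the answer above, sketched as an added example that is not part of the original answers: a controller servlet that forwards to JSPs kept under WEB-INF, using a fixed allow-list so the request never chooses a file path. The class name `ViewController`, the `/view/*` mapping and the JSP paths are hypothetical, and the code assumes a Servlet 3.0+ container with the `javax.servlet` API (Tomcat 10 and later use `jakarta.servlet` instead).

```java
// Added example: controller servlet for JSPs kept under /WEB-INF.
// Hypothetical names: ViewController, the /view/* mapping, and the
// JSP paths /WEB-INF/jsp/some.jsp and /WEB-INF/jsp/report.jsp.
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/view/*")
public class ViewController extends HttpServlet {

    // Allow-list: public view name -> JSP inside WEB-INF. The request never
    // supplies a file path, so it cannot steer the forward to another file.
    private static final Map<String, String> VIEWS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("/some", "/WEB-INF/jsp/some.jsp");
        m.put("/report", "/WEB-INF/jsp/report.jsp");
        VIEWS = Collections.unmodifiableMap(m);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // For a /view/* mapping, getPathInfo() is the part after /view
        // (null when the request is exactly /view).
        String target = VIEWS.get(req.getPathInfo());
        if (target == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Server-side forward: the container serves the JSP internally,
        // while a browser request for /WEB-INF/jsp/some.jsp gets a 404.
        req.getRequestDispatcher(target).forward(req, resp);
    }
}
```

With this in place, index.html links to `view/some` rather than to the JSP itself. Any check on who may see the page belongs in `doGet` before the forward, since the controller URL is still reachable from the browser.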