如何使某些页面不能直接从浏览器访问?
How to make some pages not directly accessible from browser?
例如:我的网络应用程序中有两个文件:1] index.html 2] some.html(或 jsp)
只能从浏览器访问 index.html,
所以如果我调用 localhost:8080/index.html,它应该 return 实际页面,并且在加载时如果我直接(重定向)到 some.html 那么 some.html 页面应该出现,
如果我直接调用 localhost:8080/some.html,它应该会抛出一个错误,指出无法直接访问该页面,如果我在 tomcat 服务器?
使用 Filters
并拒绝访问 jsp's
。
public class FilterMyJsp implements Filter{
public void doFilter(ServletRequest request, ServletReponse response,
FilterChain chain) {
HttpServletRequest req= (HttpServletRequest) request;
req.getRequestDispather("HandleError.jsp").forward(request,response);
}
}
Web.xml
<filter>
<filter-name>FilterMyJsp</filter-name>
<filter-class>my.FilterMyJsp</filter-class>
</filter>
<filter-mapping>
<filter-name>FilterMyJsp</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
URL 模式 *
会将此过滤器应用于每个 jsp。您可以使用相应的错误消息设计 HandleError.jsp
,该错误消息将在用户尝试访问其他页面时显示。
一个常见的解决方案是将它们移动到 WEB-INF 目录下。从这里它们不可公开访问,但您可以将 Servlet 或其他控制器转发给它们
https://docs.oracle.com/cd/E21764_01/web.1111/e13712/configurewebapp.htm#WBAPP158
The WEB-INF directory is not part of the public document tree of the
application. No file contained in the WEB-INF directory can be served
directly to a client by the container. However, the contents of the
WEB-INF directory are visible to servlet code using the getResource
and getResourceAsStream() method calls on the ServletContext or
includes/forwards using the RequestDispatcher.
另一种方法是将它们留在 WEB-INF 之外,并在 web.xml 中配置安全约束。例如,如果你在 {webapp-root}/pages:
<security-constraint>
<web-resource-collection>
<web-resource-name>JSP Files</web-resource-name>
<description>No direct access to JSP files</description>
<url-pattern>/pages/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>No direct browser access to JSP files</description>
<role-name>NobodyHasThisRole</role-name>
</auth-constraint>
</security-constraint>
例如:我的网络应用程序中有两个文件:1] index.html 2] some.html(或 jsp)
只能从浏览器访问 index.html,
所以如果我调用 localhost:8080/index.html,它应该 return 实际页面,并且在加载时如果我直接(重定向)到 some.html 那么 some.html 页面应该出现,
如果我直接调用 localhost:8080/some.html,它应该会抛出一个错误,指出无法直接访问该页面,如果我在 tomcat 服务器?
使用 Filters
并拒绝访问 jsp's
。
public class FilterMyJsp implements Filter{
public void doFilter(ServletRequest request, ServletReponse response,
FilterChain chain) {
HttpServletRequest req= (HttpServletRequest) request;
req.getRequestDispather("HandleError.jsp").forward(request,response);
}
}
Web.xml
<filter>
<filter-name>FilterMyJsp</filter-name>
<filter-class>my.FilterMyJsp</filter-class>
</filter>
<filter-mapping>
<filter-name>FilterMyJsp</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
URL 模式 *
会将此过滤器应用于每个 jsp。您可以使用相应的错误消息设计 HandleError.jsp
,该错误消息将在用户尝试访问其他页面时显示。
一个常见的解决方案是将它们移动到 WEB-INF 目录下。从这里它们不可公开访问,但您可以将 Servlet 或其他控制器转发给它们
https://docs.oracle.com/cd/E21764_01/web.1111/e13712/configurewebapp.htm#WBAPP158
The WEB-INF directory is not part of the public document tree of the application. No file contained in the WEB-INF directory can be served directly to a client by the container. However, the contents of the WEB-INF directory are visible to servlet code using the getResource and getResourceAsStream() method calls on the ServletContext or includes/forwards using the RequestDispatcher.
另一种方法是将它们留在 WEB-INF 之外,并在 web.xml 中配置安全约束。例如,如果你在 {webapp-root}/pages:
<security-constraint>
<web-resource-collection>
<web-resource-name>JSP Files</web-resource-name>
<description>No direct access to JSP files</description>
<url-pattern>/pages/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>No direct browser access to JSP files</description>
<role-name>NobodyHasThisRole</role-name>
</auth-constraint>
</security-constraint>