postgresql JSF 2.0 Simple login page
Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use or share it, but you must follow the same license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/3752104/
JSF 2.0 Simple login page
Asked by grem
I need to restrict the access to a part of the application. In order to access that part, user needs to log in. I have a table in my database called User, with usernames and hashed passwords and a login form that consists of two inputs and a submit. However, I don't know which classes/methods I should use to log in the user (I assume that there is a support for this functionality in jsf). Also, as far as I know, I need to edit my web.xml to support the authentication. Could someone propose a typical solution and general steps that I need to do in order to get that functionality (links, tutorials of a value greatly appreciated)?
I also wonder how I can limit the access to another page if the person is not logged in, so when the user types in the direct link to a page, he will be redirected to a main login page.
Thanks in advance for any help. Grem.
Answered by Theo
You could use the HttpServletRequest API introduced in Servlet 3.0:
```java
/**
 * Performs authentication via HttpServletRequest API
 */
public String login(String username, String password) throws IOException {
    try {
        getRequest().login(username, password);
        this.user = userDao.find(username);
    } catch (ServletException e) {
        JsfUtil.addErrorMessage(JsfUtil.getStringResource("loginFailed"));
        return null;
    }
    return "/index?faces-redirect=true";
}

public String logout() throws ServletException {
    this.user = null;
    FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
    if (isAuthenticated())
        getRequest().logout();
    return "logout";
}

public boolean isAuthenticated() {
    return getRequest().getUserPrincipal() != null;
}

public static HttpServletRequest getRequest() {
    Object request = FacesContext.getCurrentInstance().getExternalContext().getRequest();
    return request instanceof HttpServletRequest
            ? (HttpServletRequest) request : null;
}
```
Answered by Zack Marrapese
You can use j_security_check. All you do is post to it, and it will handle authentication based on the realm you've defined, and the application-specific configuration in your web.xml.
Depending on your app server, there is an additional step of linking the defined role (app-specific) to a group (realm-specific).
Here is a typical configuration:
```xml
<servlet>
    <servlet-name>Login</servlet-name>
    <servlet-class>com.example.Login</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>Login</servlet-name>
    <url-pattern>/Login</url-pattern>
</servlet-mapping>
<servlet>
    <servlet-name>Error</servlet-name>
    <servlet-class>com.example.Error</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>Error</servlet-name>
    <url-pattern>/Error</url-pattern>
</servlet-mapping>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>example.com</realm-name>
    <form-login-config>
        <form-login-page>/Login</form-login-page>
        <form-error-page>/Error</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>arbitraryRoleName</role-name>
</security-role>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>All Pages</web-resource-name>
        <url-pattern>/index.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>arbitraryRoleName</role-name>
    </auth-constraint>
</security-constraint>
```
Note the security-role. This still needs to be linked into a group, or whatever you are defining to differentiate users that can use a page from users who can't.