java Primefaces Login Application

Disclaimer: this page is a Chinese-English translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must do so under the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow, original address: http://stackoverflow.com/questions/12667449/

Time: 2020-10-31 09:46:09  Source: igfitidea

Primefaces Login Application

java, jsf, jakarta-ee, web-applications, primefaces

Asked by user1705260

Possible Duplicate:
JSF HTTP Session Login

I am using Primefaces to implement my web application. In my implementation the user can log in to the system, then they can load the redirected pages again by copying that URL without logging in again. How can I prevent this?

Here is my login logic:

// Fields assumed on the managed bean (only the method was posted):
// String username, password, msg; List<String> user_name, pass_word;
public String doLogin() {
    if (username != null && username.equals("admin")
            && password != null && password.equals("admin")) {
        msg = "table?faces-redirect=true";
    } else if (user_name.contains(username)
            && pass_word.contains(password)
            && !user_name.contains("admin")) {
        // Note: checking the two lists independently accepts any listed
        // username combined with any listed password, not only matching pairs.
        msg = "table1?faces-redirect=true";
    }
    return msg;
}

Answered by Luiggi Mendoza

If the user session hasn't expired, then this is normal behavior for web applications. If the session has expired, then you must make sure there is a logged-in user and that it has the privileges to access the page he/she is using in the URL. You can achieve this using a Filter.

I'm assuming your web app is on a Java EE 6 container like Tomcat 7 or GlassFish 3.x:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Servlet URL patterns are either a path prefix ("/admin/*") or an extension ("*.xhtml");
// "/*.xhtml" is not a valid pattern.
@WebFilter(filterName = "MyFilter", urlPatterns = {"*.xhtml"})
public class MyFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void doFilter(
        ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        HttpServletResponse httpServletResponse = (HttpServletResponse) response;

        // get the requested page: the servlet path is context-relative ("/table.xhtml")
        // and has path parameters such as ";jsessionid=..." already removed,
        // so it can be compared exactly instead of with contains()
        String requestPath = httpServletRequest.getServletPath();

        // the login page itself and JSF resources (CSS, JS, images served as
        // /javax.faces.resource/...xhtml) must stay reachable without a session
        boolean publicPage = requestPath.equals("/home.xhtml")
            || requestPath.startsWith("/javax.faces.resource/");

        if (!publicPage) {
            boolean validate = false;
            // getting the session object; getSession(false) does not create one for anonymous requests
            HttpSession session = httpServletRequest.getSession(false);
            // check if there is a user logged in your session
            // I'm assuming you save the user object in the session (not the managed bean).
            User user = (session == null) ? null : (User) session.getAttribute("LoggedUser");
            if (user != null) {
                // check if the user has rights to access the current page
                // you can omit this part if you only need to check if there is a valid user logged in
                ControlAccess controlAccess = new ControlAccess();
                if (controlAccess.checkUserRights(user, requestPath)) {
                    validate = true;
                    // you can add more logic here, like log the access or similar
                }
            }
            if (!validate) {
                httpServletResponse.sendRedirect(
                    httpServletRequest.getContextPath() + "/home.xhtml");
                return; // stop here: do not let the protected page render after a redirect
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
    }
}

A possible implementation of your ControlAccess class:

import java.util.List;

public class ControlAccess {

    public ControlAccess() {
    }

    // path is the context-relative servlet path the filter passes in, e.g. "/table.xhtml"
    public boolean checkUserRights(User user, String path) {
        UserService userService = new UserService();
        // assuming there is a method to get the right access for the logged users.
        // Each entry is either an exact page ("/table.xhtml") or a directory prefix ("/admin/").
        List<String> urlAccess = userService.getURLAccess(user);
        for (String url : urlAccess) {
            // exact match or directory prefix; a plain contains() check would also
            // grant unrelated pages whose path merely embeds the allowed string
            if (path.equals(url) || (url.endsWith("/") && path.startsWith(url))) {
                return true;
            }
        }
        return false;
    }
}

While looking for a nice way to explain this, I found a better answer from BalusC (JSF expert). This is JSF 2 based:

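The filter above only works if something puts a User object into the session under "LoggedUser" and removes it again on logout. As an added example (not part of the original answer), here is the login bean that pairs with it, written for the same Java EE 6 / JSF 2 setup the answer assumes. The USERS map, the User class and the outcome names are assumptions for this example; a real application would load the user from a database and compare a salted password hash, and the ControlAccess lookup would have to grant "/table.xhtml" to admin and "/table1.xhtml" to the other users.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Minimal user type stored in the session under "LoggedUser", the key the filter reads.
// (In a real project this would be its own file.)
class User implements Serializable {
    private final String name;

    User(String name) {
        this.name = name;
    }

    public String getName() {
        return name;
    }
}

@ManagedBean
@RequestScoped
public class LoginBean {

    // Constructed sample credentials for this example only (assumption). A real
    // application looks the user up in a database and compares a salted password hash.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static {
        USERS.put("admin", "admin-secret");
        USERS.put("alice", "alice-secret");
    }

    private String username;
    private String password;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }

    // Bound to the login form's command button: #{loginBean.doLogin}
    public String doLogin() {
        String expected = (username == null) ? null : USERS.get(username);
        if (expected == null || !expected.equals(password)) {
            // same message for unknown user and wrong password: do not reveal which one failed
            FacesContext.getCurrentInstance().addMessage(null,
                    new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null; // null outcome = stay on the login page
        }

        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ec.getRequest();

        // Drop any session that existed before authentication so a session id an
        // attacker planted beforehand (session fixation) is not promoted to a logged-in one.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("LoggedUser", new User(username));

        // faces-redirect=true turns the POST into a GET, so the address bar shows the
        // real page and a browser refresh does not resubmit the login form.
        return "admin".equals(username)
                ? "table?faces-redirect=true"
                : "table1?faces-redirect=true";
    }

    // Bound to a logout button on the protected pages: #{loginBean.logout}
    public String logout() {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        ec.invalidateSession(); // removes "LoggedUser" together with everything else in the session
        return "home?faces-redirect=true";
    }
}
```

With this in place the behaviour the question describes is what you want: pasting /table.xhtml into a new tab works only while the session still holds a LoggedUser, and after logout() or session expiry the filter sends the visitor back to home.xhtml. One remaining caveat: after logout the browser's back button may still show a cached copy of a protected page; have the filter set Cache-Control: no-cache, no-store, must-revalidate on the responses it lets through so protected pages are never served from the browser cache.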

Answered by fareed

You can do form based authentication to protect your inner pages from being accessed by unauthenticated users.

You can also let the container handle the authentication for you using JDBC realm authentication, as in this example.

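As an added example (not from the original answer), this is what container-managed FORM authentication looks like in web.xml for the two pages in the question, targeting Servlet 3.0 / Java EE 6. The role names ADMIN and USER, the choice of home.xhtml as login page and the TLS requirement are assumptions; which users hold which role is defined by the container's realm (for example the JDBC realm the answer mentions), not in web.xml.

```xml
<!-- web.xml fragment (Servlet 3.0 / Java EE 6): container-managed FORM authentication -->

<!-- Only the listed pages are protected; JSF resources (/javax.faces.resource/*)
     and the login page itself stay public. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin page</web-resource-name>
        <url-pattern>/table.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMIN</role-name>
    </auth-constraint>
    <!-- credentials and the session cookie are only ever sent over TLS;
         the container needs an HTTPS connector for this -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>User page</web-resource-name>
        <url-pattern>/table1.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>USER</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- The container shows this page for an unauthenticated request to a protected URL
     and, after a successful login, sends the user on to the page originally requested. -->
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/home.xhtml</form-login-page>
        <form-error-page>/home.xhtml</form-error-page>
    </form-login-config>
</login-config>

<security-role><role-name>ADMIN</role-name></security-role>
<security-role><role-name>USER</role-name></security-role>
```

The login form on home.xhtml must then be a plain HTML form rather than an h:form: it posts to j_security_check with input fields named j_username and j_password, and the container performs the check itself, so no doLogin() method and no filter are needed for authentication. Authorization is by role, so anything finer than "which role may open which page" (the per-user URL list of the first answer) still has to be done in application code.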