Primefaces login request

Possible duplicate:
JSF HTTP session login

I am using Primefaces to implement my web application. In my implementation, users can log in to the system, and then they can load the redirected page again by copying that URL, without having to log in again. How can I prevent this?

This is my login logic:

    public String doLogin() {
        if (username != null && username.equals("admin")
                && password != null && password.equals("admin")) {
            msg = "table?faces-redirect=true";
        } else if (user_name.contains(username) && pass_word.contains(password)
                && !user_name.contains("admin")) {
            msg = "table1?faces-redirect=true";
        }
        return msg;
    }

This is the normal behaviour of a web application if the user session has not expired yet. If the session has expired, then you must make sure that there is a logged-in user and that this user has rights to access the page he/she is using in the URL. You can achieve this with a Filter.

I'm assuming your web application runs on a Java EE 6 container (such as Tomcat 7 or GlassFish 3.x):

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.annotation.WebFilter;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    // "*.xhtml" is the valid extension pattern; "/*.xhtml" is not a legal servlet URL pattern
    @WebFilter(filterName = "MyFilter", urlPatterns = {"*.xhtml"})
    public class MyFilter implements Filter {

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
            // nothing to initialise
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
            HttpServletResponse httpServletResponse = (HttpServletResponse) response;

            // get the requested page
            String requestPath = httpServletRequest.getRequestURI();

            // the login page itself must stay reachable, otherwise every request would be redirected
            if (!requestPath.contains("home.xhtml")) {
                boolean validate = false;

                // getting the session object (false: don't create a new one just to inspect it)
                HttpSession session = httpServletRequest.getSession(false);

                // check if there is a user logged in your session
                // I'm assuming you save the user object in the session (not the managed bean).
                User user = (session == null) ? null : (User) session.getAttribute("LoggedUser");
                if (user != null) {
                    // check if the user has rights to access the current page
                    // you can omit this part if you only need to check if there is a valid user logged in
                    ControlAccess controlAccess = new ControlAccess();
                    if (controlAccess.checkUserRights(user, requestPath)) {
                        validate = true;
                        // you can add more logic here, like log the access or similar
                    }
                }

                if (!validate) {
                    httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + "/home.xhtml");
                    // stop here: without this return the protected page would still be rendered after the redirect
                    return;
                }
            }
            chain.doFilter(request, response);
        }

        @Override
        public void destroy() {
            // nothing to clean up
        }
    }

Some implementation of the ControlAccess class:

    import java.util.List;

    public class ControlAccess {

        public ControlAccess() {
        }

        public boolean checkUserRights(User user, String path) {
            UserService userService = new UserService();
            // assuming there is a method that returns the URLs the logged-in user may access
            List<String> urlAccess = userService.getURLAccess(user);
            for (String url : urlAccess) {
                if (path.contains(url)) {
                    return true;
                }
            }
            return false;
        }
    }

While looking for a good way to explain this, I found a better answer by BalusC (a JSF expert). It is based on JSF 2:

  • JSF HTTP session login

You can implement form-based authentication to prevent unauthenticated users from accessing your internal pages.

You can also let the container handle authentication for you using JDBC realm authentication, as shown in this example.
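As an added example (not code from the question or from either answer), this is what the container-managed form-based authentication mentioned above looks like in web.xml for a JSF application; the /secured/ folder, the "user" role, the realm name and the page names are assumptions:

```xml
<!-- Added example: web.xml fragment for container-managed FORM authentication.
     The /secured/ folder, the "user" role, the realm name and the page names are assumed. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Internal pages</web-resource-name>
        <!-- every JSF page under /secured/ is protected, whether reached by redirect or by a pasted URL -->
        <url-pattern>/secured/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- only an authenticated user holding this role may reach /secured/* -->
        <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- require HTTPS so the session cookie and credentials are not sent in clear text -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <!-- name of the JDBC realm configured in the container (assumed) -->
    <realm-name>jdbcRealm</realm-name>
    <form-login-config>
        <!-- the container sends unauthenticated requests for a protected URL here -->
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/login-error.xhtml</form-error-page>
    </form-login-config>
</login-config>

<security-role>
    <role-name>user</role-name>
</security-role>

<session-config>
    <!-- a copied URL only keeps working while this session is still alive -->
    <session-timeout>30</session-timeout>
</session-config>
```

The login page must post to j_security_check with fields named j_username and j_password, and the realm itself is defined in the container (for example a JDBC realm in GlassFish, or a DataSourceRealm in Tomcat's context.xml), not in web.xml.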