我正在使用SessionFilter servlet来验证用户,然后为他们提供系统访问权限。我的受限文件位于名为“com.shadibandhan.Restricted”的文件夹中。 会话过滤器工作正常。
这是sessionfilter servlet的相关代码
@Override
public void doFilter(ServletRequest req, ServletResponse res,
FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
String servletPath = request.getServletPath();
String contextPath = request.getContextPath();
String remoteHost = request.getRemoteHost();
String url = contextPath + servletPath;
boolean allowedRequest = false;
if (urlList.contains(servletPath)) {
allowedRequest = true;
}
if (!allowedRequest) {
HttpSession session = request.getSession(false);
if (null == session) {
System.out.println("Session is not present");
response.sendRedirect(contextPath);
return;
} if (null != session) {
//String loggedIn = (String) session.getAttribute("sb_logged_in");
System.out.println("Session is present");
System.out.println("\nSession no. is = " + session.getId());
if (session.getAttribute("logged-in") == "true") {
System.out.println("Session logged-in attribute is true, " + session.getAttribute("sessionUsername") + " is logged in.");
//ServletContext context = request.getServletContext();
RequestDispatcher dispatcher = request.getRequestDispatcher(servletPath);
dispatcher.forward(request, response);
} else {
System.out.println("Session logged-in attribute is not true");
response.sendRedirect(contextPath);
}
}
}
chain.doFilter(req, res);
}
现在,当用户登录时,我将他的用户名和个人资料ID放在httpsession中,这是与登录页面绑定的bean。
@ManagedBean
@SessionScoped
public class UserLoginManagedBean {
private User user = null;
private String username = null;
private String password = null;
private ServiceProvider server = null;
HttpServletRequest request = null;
HttpServletResponse response = null;
HttpSession session = null;
private Date date;
private int profileActiveness=0;
private int profileActivenessPercentage=0;
public UserLoginManagedBean() {
this.user = new User();
this.server = ServiceProvider.getInstance();
}
public String validateLogin() {
System.out.println("Inside validate login");
boolean isUserValid = false;
System.out.println(this.username + " " + this.password);
isUserValid = this.authenticate(username, password);
if (isUserValid) {
//this.user = found;
System.out.println("User is valid---Redirecting to messages.xhtml");
return "com.shadibandhan.Restricted/profile.xhtml?faces-redirect=true";
} else {
//addGlobalErrorMessage("Unknown login, please try again");
return null;
}
}
public boolean authenticate(String username, String password) {
boolean isUserValid = false;
String status = null;
//isUserValid = this.server.authenticateUser(this.username, this.password);
this.user = (User) this.server.getRecordByTwoColumns(User.class, "username" , this.username, "password", this.password);
if(null != this.user){
isUserValid = true;
}else{
isUserValid = false;
}
if (isUserValid) {
FacesContext context = FacesContext.getCurrentInstance();
this.request = (HttpServletRequest) context.getExternalContext().getRequest();
this.response = (HttpServletResponse) context.getExternalContext().getResponse();
this.session = request.getSession(true);
// if there's no session, it'll creat a new one due to the true flag
status = this.updateUserRecord();
if (status.equals("success")) {
if (null != this.session) {
session.setAttribute("sessionUsername", this.user.getUsername());
session.setAttribute("sessionProfileId", this.user.getProfile().getProfileId());
session.setAttribute("logged-in", "true");
System.out.println("Session username is --->" + session.getAttribute("sessionUsername"));
}
} else {
isUserValid = false;
FacesMessage msg = new FacesMessage("Something went wrong");
FacesContext.getCurrentInstance().addMessage(null, msg);
}
}
return isUserValid;
}
public String logOut() {
FacesContext context = FacesContext.getCurrentInstance();
System.out.println("inside logout method");
this.request = (HttpServletRequest) context.getExternalContext().getRequest();
if (null != this.request) {
this.session = request.getSession(false);
session.invalidate();
System.out.println("Session is now invalidated");
return "../index.xhtml?faces-redirect=true";
} else {
System.out.println("You're already signed out");
return null;
}
}
private String updateUserRecord() {
String status = null;
Date lastLoginDate=this.user.getLastLogin();
Date currentDate= new Date();
this.profileActiveness=this.user.getProfileActiveness();
SimpleDateFormat format = new SimpleDateFormat("yy-MM-dd HH:mm:ss");
try {
lastLoginDate = format.parse(lastLoginDate.toString());
currentDate = format.parse(currentDate.toString());
} catch (ParseException e) {
e.printStackTrace();
}
// Get msec from each, and subtract.
long diff = currentDate.getTime() - lastLoginDate.getTime();
long diffSeconds = diff / 1000;
long diffMinutes = diff / (60 * 1000);
long diffHours = diff / (60 * 60 * 1000);
System.out.println("Time: " + diff + " .");
System.out.println("Time in seconds: " + diffSeconds + " seconds.");
System.out.println("Time in minutes: " + diffMinutes + " minutes.");
System.out.println("Time in hours: " + diffHours + " hours.");
if(diffHours<12)
{
if(profileActiveness<8){
profileActiveness++;
profileActivenessPercentage=(int) (profileActiveness*12.5);
this.user.setProfileActiveness(this.profileActiveness);
}
}
if(diffHours>71)
{
if(profileActiveness>2){
profileActiveness-=2;
profileActivenessPercentage=(int) (profileActiveness*12.5);
this.user.setProfileActiveness(this.profileActiveness);
}
else{
profileActiveness=0;
}
}
this.user.setLastLogin(this.getCurrentDate());
this.user.setLoginStatus(true);
status = this.server.updateObject(this.user);
return status;
}
// ...
}
并且,在另一个名为MessagesManagedBean的托管bean(请求范围)中,当我尝试在用户登录后获取配置文件ID时,它就像魅力一样。
现在,我有两个问题:
答案 0 :(得分:3)
您致电chain.doFilter()后,response.sendRedirect()继续提出请求。 sendRedirect()仅使用新URL设置Location响应标头,然后浏览器将处理该URL。但是如果你继续chain.doFilter()的请求,那么整个JSF进程仍将被执行。
您需要在return;调用后添加sendRedirect()语句才能退出过滤器。
} else {
System.out.println("Session logged-in attribute is not true");
response.sendRedirect(contextPath);
return;
}
无关,您的会话范围bean中存在一个主要的设计错误。您永远不应将HTTP请求,响应和会话分配为bean的实例变量。这使您的会话范围bean threadunsafe。 删除所有这些属性,并在同一个方法块中声明它们为threadlocal。