Primefaces登录应用程序

时间:2012-10-01 04:10:29

标签: java jsf java-ee web-applications primefaces

  

可能重复:
  JSF HTTP Session Login

我正在使用Primefaces来实现我的Web应用程序。在我的实现中,用户可以登录系统,然后他们可以通过复制该URL而无需再次登录来再次加载重定向的页面。我该如何防止这种情况?

这是我的登录逻辑:

public String doLogin() {
    if(username != null  &&
        username.equals("admin") &&
        password != null  &&
        password.equals("admin")) {
        msg = "table?faces-redirect=true";
    } else
        if(user_name.contains(username) &&
            pass_word.contains(password) &&
            !user_name.contains("admin")) {
            msg = "table1?faces-redirect=true";
        }
    }
    return msg;
}

2 个答案:

答案 0 :(得分:2)

如果用户会话尚未过期,则这是Web应用程序的正常行为。如果会话已过期,则必须确保有一个已登录的用户,并且该用户有权访问他/她在URL中使用的页面。您可以使用过滤器来实现此目的。

我假设你的网络应用程序在Tomcat 7或GlassFish 3.x等Java EE 6容器上:

@WebFilter(filterName = "MyFilter", urlPatterns = {"/*.xhtml"})
public class MyFilter implements Filter {

    public void doFilter(
        ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

        //get the request page
        String requestPath = httpServletRequest.getRequestURI();
        if (!requestPath.contains("home.xhtml")) {
            boolean validate = false;
            //getting the session object
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
            HttpSession session = (HttpSession)httpServletRequest.getSession();
            //check if there is a user logged in your session
            //I'm assuming you save the user object in the session (not the managed bean).
            User user = (User)session.get("LoggedUser");
            if (user != null) {
                //check if the user has rights to access the current page
                //you can omit this part if you only need to check if there is a valid user logged in
                ControlAccess controlAccess = new ControlAccess();
                if (controlAccess.checkUserRights(user, requestPath)) {
                    validate = true;
                    //you can add more logic here, like log the access or similar
                }
            }
            if (!validate) {
                HttpServletResponse httpServletResponse = (HttpServletResponse) response;
                httpServletResponse.sendRedirect(
                    httpServletRequest.getContextPath() + "/home.xhtml");
            }
        }
        chain.doFilter(request, response);
    }
}

ControlAccess类的一些实现:

public class ControlAccess {

    public ControlAccess() {
    }

    public boolean checkUserRights(User user, String path) {
        UserService userService = new UserService();
        //assuming there is a method to get the right access for the logged users.
        List<String> urlAccess = userService.getURLAccess(user);
        for(String url : urlAccess) {
            if (path.contains(url)) {
                return true;
            }
        }
        return false;
    }
}

在寻找解释这个问题的好方法时,我找到了BalusC(JSF专家)的更好答案。这是基于JSF 2的:

答案 1 :(得分:0)

您可以form based authentication保护您的内页不被未经身份验证的用户访问。

您也可以让容器使用JDBC领域身份验证为您处理身份验证,如this example

相关问题
最新问题