JSF过滤器在初始重定向后不重定向

时间:2012-11-13 18:57:00

标签: jsf authentication redirect servlet-filters

我正在尝试设置webfilter并需要一些帮助。我的过滤器在初始登录时运行正常,但是当会话超时,并且我点击任何链接时,它会触发我的重定向语句,但浏览器中的网页永远不会被重定向。有人可以帮忙解决这个问题吗?非常感谢。

过滤

/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package src;

import java.io.IOException;
import javax.faces.application.NavigationHandler;
import javax.faces.context.FacesContext;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 *
 * @author Bernard
 */
@WebFilter(filterName = "LoginFilter", urlPatterns = {"/*"})
public class LoginFilter implements Filter {

    //FilterConfig fc;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        //fc = filterConfig;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        HttpSession session = req.getSession(true);
        String pageRequested = req.getRequestURL().toString();
        Boolean authenticated = (Boolean) session.getAttribute("authenticated");

        if (authenticated == null) {
            authenticated = false;
        }
        if (!authenticated && !pageRequested.contains("login")) {     
            res.setStatus(301);
            res.sendRedirect(req.getContextPath() + "/login/login.xhtml");                        
        } else {
            chain.doFilter(request, response);
        }
    }

    @Override
    public void destroy() {
        //fc = null;
    }
}

faces-config.xml中

<?xml version='1.0' encoding='UTF-8'?>

<!-- =========== FULL CONFIGURATION FILE ================================== -->

<faces-config version="2.1"
              xmlns="http://java.sun.com/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-facesconfig_2_1.xsd">

    <navigation-rule>
        <from-view-id>/*</from-view-id>

        <navigation-case>
            <from-outcome>success</from-outcome>
            <to-view-id>/index.xhtml</to-view-id>
            <redirect/>
        </navigation-case>

        <navigation-case>
            <from-outcome>failure</from-outcome>
            <to-view-id>/login/login.xhtml</to-view-id>
            <redirect/>
        </navigation-case>
    </navigation-rule>
</faces-config>

的web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>
    <servlet>
        <servlet-name>FacesServlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>FacesServlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>/index.xhtml</welcome-file>
    </welcome-file-list>
    <filter>
        <filter-name>restrict</filter-name>
        <filter-class>src.LoginFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>restrict</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>  
</web-app>

验证Bean

/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package src;

import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 *
 * @author Bernard
 */
@ManagedBean
@SessionScoped
public class Authenticator {

    private String username;
    private String password;

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String authenticateUser(ServletRequest request) {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpSession session = req.getSession(true);
        session.setMaxInactiveInterval(30);
        Boolean authenticated = (Boolean) session.getAttribute("authenticated");

        Database pgDatabase = new Database();
        Admin foundAdmin = null;
        try {
            foundAdmin = (Admin) pgDatabase.findAdminByUsername(username);
        } catch (ClassNotFoundException ex) {
            Logger.getLogger(Authenticator.class.getName()).log(Level.SEVERE, null, ex);
        }

        Admin currentAdmin = new Admin();
        currentAdmin.userName = username;
        currentAdmin.password = this.hashPassword((password));
        if (authenticated != null && authenticated != true) {
            if (foundAdmin != null) {
                if (currentAdmin.equals(foundAdmin)) {
                    authenticated = true;
                    session.setAttribute("authenticated", true);
                    return "success";
                } else {
                    authenticated = false;
                    session.setAttribute("authenticated", false);
                    return "failure";
                }
            } else {
                authenticated = false;
                session.setAttribute("authenticated", false);
                return "failure";
            }
        } else {
            session.setAttribute("authenticated", true);
            authenticated = true;
            return "success";
        }
    }

    public String logOut() {
        FacesContext ctx = FacesContext.getCurrentInstance();
        ExternalContext extCtx = ctx.getExternalContext();
        Map<String, Object> sessionMap = extCtx.getSessionMap();
        sessionMap.put("authenticated", false);
        return "failure";
    }

    public String hashPassword(String passwordToHash) {
        String hashword = null;
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            md5.update(password.getBytes());
            BigInteger hash = new BigInteger(1, md5.digest());
            hashword = hash.toString(16);
        } catch (NoSuchAlgorithmException nsae) {
        }
        return hashword;
    }
}

1 个答案:

答案 0 :(得分:10)

你的过滤器看起来很好(除了非常弱的url.contains("login")测试,并且2种方式错误地尝试将响应状态设置为301并且检查登录用户的方式有点差。)

我认为您的具体问题是由于您通过ajax链接而不是普通链接执行导航。您不能以这种方式发送ajax响应的重定向。 JSF ajax引擎和webbrowser都没有遵循关于JSF ajax响应的302重定向。客户端最终会得到一个完全被忽略的ajax响应。

相反,您应该发送一个特殊的XML响应,指示JSF ajax引擎发送重定向。正是在JSF上下文中发送的XML响应正是在ajax请求期间使用了ExternalContext#redirect()

<?xml version="1.0" encoding="UTF-8"?>
<partial-response>
    <redirect url="/contextpath/login/login.xhtml"></redirect>
</partial-response>

在servlet过滤器中,首先应检查请求是否涉及JSF ajax请求,如果是,则返回上述XML响应,否则只需按常规方式调用HttpServletResponse#sendRedirect()。您可以通过检查Faces-Request请求标头是否存在并且等于partial/ajax来执行此操作。

if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
    // It's a JSF ajax request.
}

所以,总而言之,你的doFilter()应该看起来像这样:

String loginURL = req.getContextPath() + "/login/login.xhtml";

if (!authenticated && !req.getRequestURI().equals(loginURL)) {
    if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
        res.setContentType("text/xml");
        res.getWriter()
            .append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>")
            .printf("<partial-response><redirect url=\"%s\"></redirect></partial-response>", loginURL);
    } else {
        res.sendRedirect(loginURL);
    }
} else {
    chain.doFilter(request, response);
}