如何限制未经授权的用户直接在jsf中访问页面

时间:2014-02-06 14:06:57

标签: jsf jsf-2 servlet-filters

如果用户未经授权,我试图限制用户访问任何页面。我正在使用jsf 2.2和primefaces。以下是我的代码:

我的过滤器

@WebFilter(filterName = "AuthFilter", urlPatterns = { "*.xhtml" })
public class AuthFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        try {


            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            HttpSession session = request.getSession(false);

            String user = (session != null) ? session.getAttribute("username")
                    .toString() : null;

            String loginURL = request.getContextPath() + "/ldapLogin.xhtml";
            boolean loginRequest = request.getRequestURI().startsWith(loginURL);
            boolean resourceRequest = request.getRequestURI().startsWith(
                    request.getContextPath()
                            + ResourceHandler.RESOURCE_IDENTIFIER);
            if (user != null || loginRequest) 
                chain.doFilter(request, response);
            } else {
                response.sendRedirect(request.getContextPath()
                        + "/ldapLogin.xhtml");
            }

        } catch (Throwable t) {
            System.out.println(t.getMessage());
        }
    } 

当我的会话未经过验证或者我正在尝试直接访问某个页面但是无法重定向到 ldapLogin.xhtml

时,我的控件进入了其他状态

Web.xml

<context-param>
    <param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
    <param-value>ApplicationResources</param-value>
  </context-param>
  <context-param>
    <param-name>javax.servlet.jsp.jstl.fmt.fallbackLocale</param-name>
    <param-value>en</param-value>
  </context-param>
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
             /WEB-INF/applicationContext-dao.xml,
             /WEB-INF/springLdap-security.xml
        </param-value>
  </context-param>
  <context-param>
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Development</param-value>
  </context-param>
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
  <context-param>
    <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
    <param-value>.xhtml</param-value>
  </context-param>
  <context-param>
    <param-name>javax.faces.FACELETS_LIBRARIES</param-name>
    <param-value>
            /WEB-INF/taglibs/acegijsf.taglib.xml
        </param-value>
  </context-param>
  <context-param>
    <param-name>primefaces.THEME</param-name>
    <param-value>bootstrap</param-value>
  </context-param>
  <context-param>
    <param-name>org.omnifaces.FACES_VIEWS_SCAN_PATHS</param-name>
    <param-value>/*.xhtml</param-value>
  </context-param>
  <listener>
    <listener-class>com.sun.faces.config.ConfigureListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <servlet>
    <servlet-name>faces</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>faces</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
  </servlet-mapping>

  <welcome-file-list>
  <welcome-file>ldapLogin.xhtml</welcome-file>

LoginLdap.java

public String ldapLoginAuthentcator() {
        if (contact != null) {
            HttpSession session = FilterUtil.getSession();
            session.setAttribute("username", user.getName());
            return "success";
        } else {
FacesContext.getCurrentInstance().addMessage(null,
    new FacesMessage(FacesMessage.SEVERITY_WARN,"Invalid Login!", "Please TryAgain!"));
            return "login";
        }

最后 FilterUtil.java

public class FilterUtil {

      public static HttpSession getSession() {
   return(HttpSession)FacesContextgetCurrentInstance().getExternalContext().getSession(true);
      }

}

我不知道问题是什么,但是当我尝试访问某个页面时,即使我已获得授权或我的会话未经过验证,但我仍然可以访问该页面。任何帮助都会被挪用。所有页面当前与未放置在web-inf文件夹中的公共文件位于相同的根路径中。

更新:

当我尝试在没有有效会话的情况下直接访问页面时,例如,如果我尝试访问http://192.35.36.178:8042/SOW/start并且它进入我的过滤并成功过滤但是没有发生重定向,当我尝试检查它时用萤火虫将其重定向到一些不同的星球。它实际上重定向到

 "http:172.36.98.658//8042/SOW/javax.faces.resource/theme.css.xhtml?ln=primefaces-bootstrap"

状态 302找到而不是重定向到 response.sendRedirect(request.getContextPath()+&#34; /ldapLogin.xhtml") 以及当我试图检查 contextPath 时显示 / sow

1 个答案:

答案 0 :(得分:0)

我将告诉你如何在不使用Filter或PhaseListener的情况下完成它。

如果您使用模板化,最好的方法,然后将此行放在模板的正文中,或者在每个要限制访问的页面中(如果没有模板):

<f:event type="preRenderView" listener="#{yourBean.checkPermissions}"/>

在模板中:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:f="http://java.sun.com/jsf/core"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:ui="http://java.sun.com/jsf/facelets"
      >
<h:head>
    <meta charset="UTF-8" />
    <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
    <h:outputStylesheet name="stylesheet.css"/>    
    <title>${pageTitle}</title>
    <meta http-equiv="keywords" content="${metaKeywords}" />
    <meta http-equiv="description" content="${metaDescription}" />
</h:head>

<body>
<f:event type="preRenderView" listener="#{yourBean.checkPermissions}"/>
...
在你的Bean中

添加如下的监听器方法:

    public void checkPermissions(ComponentSystemEvent event) {

        FacesContext fc = FacesContext.getCurrentInstance();
        HttpSession httpSession = (HttpSession)(fc.getExternalContext().getSession(false)); 
        String cid = (String) httpSession.getAttribute(AttributeName.ADMINISTRATOR_CLIENT_LOGIN_ID);
        if( cid == null){
            ConfigurableNavigationHandler handler = (ConfigurableNavigationHandler)fc.getApplication().getNavigationHandler();
            handler.performNavigation(this.navi.getClientLogin().getLink());
            return;
        }
        ....
        ....
    }

更新:使用Filter的一个工作示例(我测试了它使用JSF2.2 Mojarra 2.2,Tomcat 7):

web.xml 中编辑/添加/:

....
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
  </servlet-mapping>


....

这是一个Sample Filter Impl。:

import java.io.IOException;

import javax.faces.application.ResourceHandler;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter(filterName = "AuthFilter", urlPatterns = { "*.xhtml" })
public class AuthFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        try {
            System.out.println("doFilter ...");
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            HttpSession session = request.getSession(false);
            String user = (session != null) ? (String)session.getAttribute("username") : null;
            String loginURL = request.getContextPath() + "/ldapLogin.xhtml";
            boolean loginRequest = request.getRequestURI().startsWith(loginURL);
            boolean resourceRequest = request.getRequestURI().startsWith(request.getContextPath()+ ResourceHandler.RESOURCE_IDENTIFIER);
            if (user != null || loginRequest) {
                chain.doFilter(request, response);
            } else {
                response.sendRedirect(request.getContextPath() + "/ldapLogin.xhtml");
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    @Override
    public void destroy() {
        //      
    }
}