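OmniFaces extensionless URLs and login redirect

Time: 2015-02-06 13:07:28

Tags: jsf omnifaces

I have configured my application to use OmniFaces's Extensionless URLs feature, but now that I have enabled security in web.xml, extensionless requests are not caught by the <security-constraint>.

web.xml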

<!-- JSF configuration -->

<context-param>
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Development</param-value>
</context-param>
<context-param>
    <param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
    <param-value>true</param-value>
</context-param>
<context-param>
    <param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
    <param-value>true</param-value>
</context-param>

<!-- OmniFaces configuration -->

<context-param>
    <param-name>org.omnifaces.FACES_VIEWS_SCAN_PATHS</param-name>
    <param-value>/*.xhtml</param-value>
</context-param>

<!-- Servlets and filters. -->

<servlet>
    <servlet-name>facesServlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>facesServlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

<!-- Welcome files, error pages and mime types. -->

<welcome-file-list>
    <welcome-file>index.xhtml</welcome-file>
</welcome-file-list>

<!-- Security constraints -->

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Allowed resources</web-resource-name>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
</security-constraint>
<security-constraint>
    <display-name>SSL transport</display-name>
    <web-resource-collection>
        <web-resource-name>Secure Area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Security roles -->

<security-role>
    <role-name>ADMINISTRATOR</role-name>
</security-role>

<!-- Login config -->

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>myRealm</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/login.xhtml</form-error-page>
    </form-login-config>
</login-config>

login.xhtml

<h:form>
    <h:panelGrid columns="1">
        <h:outputText value="Username:" />
        <h:inputText id="username" required="true"
            value="#{appSession.loginUsername}"
            requiredMessage="Username is required" />
        <h:message for="username" />
        <hr />

        <h:outputText value="Password:" />
        <h:inputSecret id="password" required="true"
            value="#{appSession.loginPassword}"
            requiredMessage="Password is required" />
        <h:message for="password" />

        <h:commandButton value="Login" action="#{appSession.login}" />
    </h:panelGrid>

    <h:messages globalOnly="true" showDetail="false" />
</h:form>

AppSession.java

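import java.io.IOException;

import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.servlet.ServletException;

import org.omnifaces.util.Faces;

@SessionScoped
@ManagedBean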
public class AppSession {

    private String loginUsername;
    private String loginPassword;

    public AppSession() {   }

    public String login() {
        try {
            Faces.login(loginUsername, loginPassword);

            return "index.xhtml?faces-redirect=true";
        } catch (ServletException e) {
            e.printStackTrace();

            return "login.xhtml";
        }
    }

    public void logout() throws IOException {
        Faces.invalidateSession();
        Faces.redirect("index.xhtml");
    }

    //Getters and setters

}

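So, if I browse to index.xhtml, it is correctly redirected to login. However, if I browse to index, there is no redirect and the browser is allowed to download the content from index. I know that this is exactly what is specified by <url-pattern>*.xhtml</url-pattern> in web.xml, but how can I configure the application so that extensionless URLs are also restricted by the login?

If I try this with <url-pattern>/*</url-pattern> under <security-constraint>, the redirect succeeds, but in that case my login form does not work. I have to use programmatic login with JSF because I want to reuse the credentials for the webservices. Any ideas on how to get a working configuration?

I am using OmniFaces 2.0 and Mojarra 2.2.7 on GlassFish 4.1.

1 answer:

Answer 0: (score: 2)

The problem is solved if I add srclogin to the allowed resources: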

login.xhtml
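
An added example, not part of the original answer: one way the allowed-resources constraint from the question's web.xml could be extended so the login page stays reachable while /* remains protected. It assumes the login view is served at both /login and /login.xhtml; the web-resource-name values are reused from the question.

```xml
<!-- Added example. Public resources: a constraint WITHOUT <auth-constraint>
     lets unauthenticated users through. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Allowed resources</web-resource-name>
        <url-pattern>/javax.faces.resource/*</url-pattern>
        <!-- Assumption: the login view answers on both the extensionless
             and the .xhtml URL, so both must be listed. -->
        <url-pattern>/login</url-pattern>
        <url-pattern>/login.xhtml</url-pattern>
    </web-resource-collection>
    <!-- The container applies only the best-matching pattern. These patterns
         win over /*, so the CONFIDENTIAL guarantee declared on /* no longer
         covers the login page. Restate it here so credentials are only ever
         submitted over TLS. -->
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Everything else, extensionless URLs included, requires the role. -->
<security-constraint>
    <display-name>SSL transport</display-name>
    <web-resource-collection>
        <web-resource-name>Secure Area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

After deploying, an unauthenticated request to an extensionless URL such as /index should end at the login page, and a plain-HTTP request to /login should be redirected to HTTPS.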