我目前正在使用过滤器来检查SSO身份验证。 (如果请求标头包含变量" Proxy-Remote-User"),则认为SSO已经过身份验证。
if (!(isSsoLoggedIn(request)) {
response.sendRedirect(ERROR_PAGE);
return;
} else {
chain.doFilter(req, res);
}
private boolean isSsoLoggedIn(HttpServletRequest request) {
return request != null && request.getHeader("Proxy-Remote-User") != null
&& !request.getHeader("Proxy-Remote-User").equals("");
}
现在,一旦用户通过身份验证,我想将该变量(这是一个电子邮件地址)传递给JSF。我使用会话范围的bean来做到这一点:
@PostConstruct
public void init {
Map<String, String> requestHeaderMap = FacesContext.getCurrentInstance().getExternalContext().getRequestHeaderMap();
String email = requestHeaderMap.get("Proxy-Remote-User");
user = getPersonFromDB(email);
}
这看起来很简单,但我不确定它是否正确&#34;这样做的方式。依靠bean的实例来验证身份验证似乎不正确。
我刚才有一个想法:使用CDI会话范围的bean并将其注入过滤器。然后,您可以让过滤器本身检查有效用户,如果有效,则将其设置在会话范围的bean中,否则将其转发到错误页面。
这听起来像是有效的解决方案吗?
另一种方法可能是在呈现视图之前让每个页面检查身份验证,并使用如下所述的视图参数:
JSF calls methods when managed bean constructor sends 404 ERROR CODE
<f:metadata>
<f:viewAction action="#{bean.checkForValidUser}" />
</f:metadata>
我唯一的问题是......这需要将相同的代码复制/粘贴到每个看似多余的页面(或者至少是一个模板供他们使用)。
答案 0 :(得分:1)
以下是我提出的答案(感谢@BalusC的一些提示)。
我检查开发人员登录是否已启用或SSO是否已通过身份验证。一旦我有了电子邮件地址,我就会看到它是否是一个有效的用户,验证JSF会话是否包含正确的用户,如果是,请转发它们。
/**
* This filter handles SSO login (or developer login) privileges to the web
* application.
*/
@WebFilter(servletNames = "Faces Servlet")
public class SecurityFilter implements Filter {
@Inject
private SessionManager sessionManager;
@EJB
private PersonWriteFacadeRemote personFacade;
private HttpServletRequest currentRequest;
private HttpServletResponse currentResponse;
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
currentRequest = (HttpServletRequest) req;
currentResponse = (HttpServletResponse) res;
HttpSession session = currentRequest.getSession();
String requestedPage = currentRequest.getRequestURI();
// check if the session is initialized
// if not, initialize it
if (!isSessionInitialized()) {
Person user = getCurrentUser();
// if we can't figure out who the user is, then send 401 error
if (user != null) {
initializeSession(user);
} else {
currentResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return;
}
// if it is initialized, check if it actually matches the current
// user
// if not, invalidate the session and redirect them back to the page
// to reinitialize it
} else if (!isSessionCurrentUsers()) {
session.invalidate();
currentResponse.sendRedirect(requestedPage);
return;
}
chain.doFilter(req, res); // If all looks good, continue the request
}
@Override
public void init(FilterConfig filterConfig) throws ServletException {
}
@Override
public void destroy() {
}
private Person getCurrentUser() {
try {
return personFacade.createFromEmail(getUserEmail());
} catch (InvalidAttributesException ex) {
Logger.getLogger(SecurityFilter.class.getName()).log(Level.SEVERE, null, ex);
return null;
}
}
private String getUserEmail() {
return isDevLoginEnabled() ? getUserEmailFromJndi() : getUserEmailFromSso();
}
private String getUserEmailFromJndi() {
return JNDI.lookup("devLoginEmail");
}
private String getUserEmailFromSso() {
return currentRequest != null && currentRequest.getHeader("Proxy-Remote-User") != null
&& !currentRequest.getHeader("Proxy-Remote-User").equals("")
? currentRequest.getHeader("Proxy-Remote-User") : null;
}
private boolean isDevLoginEnabled() {
Boolean devLoginEnabled = JNDI.lookup("devLoginEnabled");
return (devLoginEnabled != null ? devLoginEnabled : false);
}
private boolean isSessionInitialized() {
return sessionManager.getUser() != null;
}
private void initializeSession(Person user) {
sessionManager.initializeSession(user);
}
private boolean isSessionCurrentUsers() {
return sessionManager.getUser() != null && sessionManager.getUser().getEmail() != null
&& sessionManager.getUser().getEmail().equals(getUserEmail());
}
}