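Invalidating the session with BASIC login-config does not show the re-login prompt

Time: 2017-12-17 17:18:32

Tags: jsf httpsession invalidation

I am trying to create a simple authentication using JSF. I can log in using the BASIC login-config, but invalidating the session does not seem to work; the session still exists. Here is the bean that handles logout: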

@SessionScoped
@ManagedBean(name="security")
public class SecurityController {
    Logger logger = Logger.getLogger(SecurityController.class);
    public SecurityController() {
    }
    public String logout() {
        logger.error(FacesContext.getCurrentInstance().getExternalContext().getRemoteUser());
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        logger.error(FacesContext.getCurrentInstance().getExternalContext().getRemoteUser());
        return "users?faces-redirect=true";
    }
}

The console shows the following messages:

00:08:32,478 WARN  [com.jsf.bean.SecurityController] (default task-14) admin
00:08:32,479 WARN  [com.jsf.bean.SecurityController] (default task-14) admin

I think invalidateSession() does not work, because the user is still there.

Edit

@SessionScoped
@ManagedBean(name="security")
public class SecurityController {
    Logger logger = Logger.getLogger(SecurityController.class);
    public SecurityController() {
    }
    public String logout() {
        //Before
        HttpSession sessionbefore = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false);
        logger.warn("ID: " + sessionbefore.getId());

        //Invalidating
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();

        // After
        HttpSession sessionafter = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false);
        logger.warn("ID: " + sessionafter.getId());//java.lang.NullPointerException
        return "users?faces-redirect=true";
    }
}

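I wanted to compare the session ID before and after invalidation. It throws a NullPointerException, so I think the session invalidation works. After logging out I expect to get a re-login prompt. But that is not the case; I can still access my site after logging out.

Here is my web.xml: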

<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<welcome-file-list>
    <welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>loggedin</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_LOGISTICS</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>RealmUsersRoles</realm-name>
</login-config>
<security-role>
    <role-name>ROLE_LOGISTICS</role-name>
</security-role>

This logout button is used to call the logout bean:

<h:form>
    <h:commandLink value="logout" action="#{security.logout()}"></h:commandLink>
</h:form>

0 answers:

No answers