Redirecting the user after a container-based login with JAAS and JSF

Date: 2011-01-28 11:57:04

Tags: login jsf-2 jaas

I am trying to implement a JSF 2 based form login where the user, after having been redirected to the login page, goes straight on to the URL he originally chose. How can this be achieved? My current setup is as follows (using GlassFish 3):

web.xml

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsf</form-login-page>
        <form-error-page>/login.jsf</form-error-page>
    </form-login-config>
</login-config>
<security-constraint><!-- (omitted) all pages except login.jsf require login --></security-constraint>

Session-scoped managed bean handling the login

import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ejb.EJB;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;

@ManagedBean
@SessionScoped
public class LoginController {   // class name assumed; the question only shows the method
    private static final Logger logger = Logger.getLogger(LoginController.class.getName());
    @EJB private UserFacade userBean;   // facade type assumed; findByLogin() is the question's own
    private User loggedInUser;           // entity type assumed
    private String username;
    private String pwd;

    public String login(){
        try{
            FacesContext context = FacesContext.getCurrentInstance();
            HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();
            request.login(username, pwd);   // Servlet 3.0 programmatic login; throws ServletException on failure
            loggedInUser = userBean.findByLogin(username);
            username = null;                // do not keep the credentials in the session-scoped bean
            pwd = null;
            //context.getExternalContext().redirect((String)request.getAttribute("from"));
            return "/index?faces-redirect=true";
        } catch(Exception e){
            logger.log(Level.FINE, "login failed: {0}", e.getMessage());
            JsfUtil.addErrorMessage("Login failed");   // JsfUtil is the question's own helper
            return null;
        }
    }
}

From another question I got the hint to use a filter instead of the container-handled redirect to the login page, and to store the URL as an attribute in the request before redirecting, like this:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Mapped in web.xml with a url-pattern covering the same URLs as the security constraints
public class LoginFilter implements Filter {
    private String loginPage = "/login.jsf";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException,
        ServletException {
        if ((request instanceof HttpServletRequest) && (response instanceof HttpServletResponse)) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
            HttpServletResponse httpServletResponse = (HttpServletResponse) response;
            // is session expire control required for this request?
            if (httpServletRequest.getUserPrincipal() == null) {
                // User is not logged in: remember where he wanted to go, then send him to the login page.
                // A request attribute does not survive sendRedirect (the browser issues a new request),
                // so the original URL, including its query string, is kept in the session instead.
                String from = httpServletRequest.getRequestURI();
                if (httpServletRequest.getQueryString() != null) {
                    from += "?" + httpServletRequest.getQueryString();
                }
                httpServletRequest.getSession(true).setAttribute("from", from);
                // loginPage is relative to the server root, so prefix the application's context path
                httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + loginPage);
            } else {
                filterChain.doFilter(request, response);
            }
        }
    }

    @Override
    public void destroy() {
    }

}

The url-pattern is set to the same as the sum of all security constraints. The problem is how to combine this with container-based login. Leaving the login-config auth-method as FORM causes the filter not to be executed. Removing it sets the auth method to BASIC, which 1. causes my form not to appear, and 2. makes the web browser automatically set httpServletRequest.getUserPrincipal() to a cached value, so even if the filter is executed the if-statement is always false. As far as I know there is no way to stop the browser from doing this, even if the session is invalidated.

Is there a solution?

0 answers:

No answers
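As an added example (not the question's code and not an answer posted on this page), here is one way to make the commented-out `redirect(request.getAttribute("from"))` idea work together with the container's FORM login, and to do so without turning the application into an open redirector. It assumes that GlassFish forwards (rather than redirects) to the form-login-page, so that the original request is exposed through the standard Servlet 2.4+ `javax.servlet.forward.request_uri` and `javax.servlet.forward.query_string` attributes; the bean name `LoginBean`, the helper `safeReturnPath`, the field `returnUrl` and the default landing page `/index.jsf` are assumptions, not names from the question.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import javax.annotation.PostConstruct;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.ViewScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

// Added example, not from the question: backing bean for the FORM login page login.jsf.
@ManagedBean
@ViewScoped
public class LoginBean {
    private String username;
    private String pwd;
    private String returnUrl;   // where the user wanted to go; survives the login postback in the view scope

    @PostConstruct
    public void init() {
        // Assumption: the container *forwards* to form-login-page. A forward exposes the original
        // request through the standard javax.servlet.forward.* attributes (Servlet 2.4+). If the user
        // opened login.jsf directly (or the container redirected), they are null and we fall back below.
        HttpServletRequest request =
                (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
        String uri = (String) request.getAttribute("javax.servlet.forward.request_uri");
        String query = (String) request.getAttribute("javax.servlet.forward.query_string");
        if (uri != null) {
            returnUrl = (query == null) ? uri : uri + "?" + query;
        }
    }

    public void login() throws IOException {
        FacesContext context = FacesContext.getCurrentInstance();
        ExternalContext ext = context.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ext.getRequest();
        try {
            request.login(username, pwd);          // Servlet 3.0 programmatic login against the realm
        } catch (ServletException e) {
            context.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return;                                // stay on login.jsf; returnUrl is kept for the retry
        } finally {
            pwd = null;                            // never keep the password in the bean
        }
        // The original URL came from the client and is untrusted input: redirect only to a path
        // inside this application, never to wherever the request happens to say.
        String target = safeReturnPath(request.getContextPath(), returnUrl);
        if (target == null) {
            target = request.getContextPath() + "/index.jsf";   // assumed default landing page
        }
        ext.redirect(target);                      // JSF 2: redirect() also calls responseComplete()
    }

    /** Returns candidate unchanged if it is a path inside this web application, otherwise null. */
    static String safeReturnPath(String contextPath, String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return null;
        }
        String lower = candidate.toLowerCase(Locale.ROOT);
        // Reject absolute URLs, scheme-relative "//evil.example", backslashes (browsers treat "/\evil"
        // like "//evil"), encoded slashes that could escape the context, and CR/LF (header injection).
        if (!candidate.startsWith("/") || candidate.startsWith("//")
                || candidate.indexOf('\\') >= 0 || lower.contains("%2f") || lower.contains("%5c")
                || candidate.indexOf('\r') >= 0 || candidate.indexOf('\n') >= 0) {
            return null;
        }
        try {
            URI uri = new URI(candidate);
            if (uri.getScheme() != null || uri.getAuthority() != null || uri.getPath() == null) {
                return null;
            }
            String path = uri.normalize().getPath();   // collapses "/app/../other" before the check
            // Must stay inside this web application and must not loop back to the login page itself
            if (!path.startsWith(contextPath + "/") || path.equals(contextPath + "/login.jsf")) {
                return null;
            }
        } catch (URISyntaxException e) {
            return null;                           // not even a syntactically valid reference
        }
        return candidate;
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPwd() { return pwd; }
    public void setPwd(String pwd) { this.pwd = pwd; }
}
```

login.jsf binds `#{loginBean.username}` and `#{loginBean.pwd}` and submits to `#{loginBean.login}`. The check in `safeReturnPath` rejects `http://evil.example/`, `//evil.example/`, anything with a backslash, encoded slash or CR/LF, and any path outside the context path, so a crafted link to the login page cannot bounce the user off-site once he has authenticated; when the forward attributes are missing the user simply lands on the default page.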