HttpServletRequest.getSession(false) in webFilter

Time: 2018-10-01 23:19:07

Tags: jsf-2 jboss wildfly servlet-filters httpsession

I have a JSF application running on Wildfly 10 and use a webfilter, Filter.java, to check whether a user is logged in (the doFilter method is shown here):

@WebFilter("/*")
public class Filter implements javax.servlet.Filter {
  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws ServletException, IOException {

    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    String requestURI = request.getRequestURI().replaceFirst(";.*", "");


    HttpSession session = request.getSession(false);
    if (session != null && session.getAttribute("user") != null) {
      // User already logged in ...continue
      chain.doFilter(request, response);
      return;
    }

    if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
      // If ajax request, return special XML response instructing JSF ajax to send a redirect.
      response.setContentType("text/xml");
      response.setCharacterEncoding("UTF-8");
      response.getWriter().printf(LoginCheckFilter.AJAX_REDIRECT_XML, loginURL);
    } else {
      // User not logged in. Forward to login page
      response.sendRedirect(loginURL);
    }
  }

In addition, I have a SessionScoped bean, LoginBean.java, which is used to log in users. Every login creates a new session with getSession(true):

@Named("loginBean")
@SessionScoped
@URLBeanName("loginBean")
public class LoginBean extends BasePageBean {


  /**
   * Login user
   */
  public void login() {
    HttpSession session = getSession(true);
    try {
      // login and redirect to correct page ......
    } catch (Throwable t) {

      return;
    }
  }

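Everything works fine. However, when I log in on one browser tab and then try to log in on a second browser tab, I have to click the login button twice to log in. When debugging, I see that on the first attempt

 HttpSession session = request.getSession(false);

in Filter.java returns null, and the user is redirected to the login page again, although loginBean has created a new session with:

 HttpSession session = getSession(true);

Only when the login button is clicked a second time does the login succeed. How can the session be null here, although I explicitly create a new session in my loginBean on every login attempt? Is this phishing protection? Or does it have to do with the scope of LoginBean? I am a bit confused about this right now.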

The getSession method is as follows:

public static HttpSession getSession(boolean newSession) {
    FacesContext facescontext = FacesContext.getCurrentInstance();
    if (facescontext == null)
      return null;
    ExternalContext contx = (ExternalContext) facescontext.getExternalContext();
    if (contx == null)
      return null;
    if (newSession) {
      contx.invalidateSession();
    }
    return (HttpSession) contx.getSession(true);
  }

Thanks

0 answers:

No answers
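Rotating the session ID at login without invalidating the session, as an added example that is not part of the original question or the asker's project: it uses HttpServletRequest.changeSessionId() from Servlet 3.1 in place of the invalidate-then-create step in the getSession helper above. The class name SessionRotation and the method rotateAndLogin are hypothetical; the "user" attribute name is the one the filter in the question checks.

```java
import javax.faces.context.FacesContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper; the class and method names are assumptions, not from the question. */
public final class SessionRotation {

  private SessionRotation() {}

  /**
   * Gives the current request a fresh session ID at login and marks the user as logged in.
   * Returns null outside a JSF request, like the getSession helper in the question.
   */
  public static HttpSession rotateAndLogin(Object user) {
    FacesContext fc = FacesContext.getCurrentInstance();
    if (fc == null) {
      return null;
    }
    HttpServletRequest request =
        (HttpServletRequest) fc.getExternalContext().getRequest();

    if (request.getSession(false) == null) {
      // No valid session yet: creating one already yields a fresh ID.
      request.getSession(true);
    } else {
      // Servlet 3.1: the container assigns a new ID to the existing
      // HttpSession, so a pre-login ID is no longer valid while the
      // attributes stored in the session are kept.
      request.changeSessionId();
    }

    HttpSession session = request.getSession(false);
    // "user" is the attribute the filter in the question tests for.
    session.setAttribute("user", user);
    return session;
  }
}
```

Because the HttpSession object is never invalidated here, a filter calling request.getSession(false) later in the same request still sees a session.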