我们有一个学校项目,必须制定一个JSF管理程序。用户可以具有用户权限或管理员权限。
管理员有权创建新用户。所有用户都存储在我们的数据库中。
我已经实现了某种登录系统,但是最近发现,如果我是没有管理员权限的用户,只要在URL栏中输入用于创建用户的.xhtml文件的名称,我仍然可以创建新用户。
为防止出现此问题,我必须使用登录筛选。
问题是我不知道该怎么做。
这是我的loginBean:
package at.htlpinkafeld.htlplusinformatik.presentation;
import at.htlpinkafeld.htlplusinformatik.dto.Benutzer.Right;
import at.htlpinkafeld.htlplusinformatik.service.HtlPlusService;
import java.io.IOException;
import java.io.Serializable;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.FacesContext;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.primefaces.context.RequestContext;
/**
*
* @author Daniel Altmann
*/
@ManagedBean(name = "loginBean")
@SessionScoped
public class LoginBean implements Serializable {
private static Logger logger = Logger.getLogger(LoginBean.class);
private HtlPlusService service = new HtlPlusService();
private String username;
private String password;
public LoginBean() {
logger.log(Level.DEBUG, "Created instance of LoginBean.");
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public void login() throws IOException {
FacesContext context = FacesContext.getCurrentInstance();
RequestContext context2 = RequestContext.getCurrentInstance();
FacesMessage message = null;
boolean loggedIn = false;
for (int x = 0; x < service.getBenList().size(); x++) {
if (username != null && username.equals(service.getBenList().get(x).getName())
&& password != null && password.equals(service.getBenList().get(x).getPassword())
&& service.getBenList().get(x).getRight() == Right.ADMIN) {
loggedIn = true;
message = new FacesMessage(FacesMessage.SEVERITY_INFO, "Welcome", username);
context.getExternalContext().redirect("/HTL_Plus_Informatik/faces/AdminStart.xhtml");
context.getExternalContext().getFlash().setKeepMessages(true);
} else if (username != null && username.equals(service.getBenList().get(x).getName())
&& password != null && password.equals(service.getBenList().get(x).getPassword())
&& service.getBenList().get(x).getRight() == Right.USER) {
loggedIn = true;
message = new FacesMessage(FacesMessage.SEVERITY_INFO, "Welcome", username);
context.getExternalContext().redirect("/HTL_Plus_Informatik/faces/MitgliedStart.xhtml");
context.getExternalContext().getFlash().setKeepMessages(true);
} else {
loggedIn = false;
message = new FacesMessage(FacesMessage.SEVERITY_WARN, "Login Error!", "Username oder Passwort falsch!");
}
}
FacesContext.getCurrentInstance().addMessage(null, message);
context2.addCallbackParam("loggedIn", loggedIn);
logger.log(Level.INFO, "logged in");
}
public void logout() throws IOException{
FacesContext context = FacesContext.getCurrentInstance();
FacesMessage message;
RequestContext context2 = RequestContext.getCurrentInstance();
message = new FacesMessage(FacesMessage.SEVERITY_INFO, username, " logged out!");
context.getExternalContext().getFlash().setKeepMessages(true);
context.getExternalContext().redirect("/HTL_Plus_Informatik/faces/Login.xhtml");
//PrimeFaces.current().dialog().showMessageDynamic(message);
FacesContext.getCurrentInstance().addMessage(null, message);
context2.addCallbackParam("loggedIn", true);
logger.log(Level.INFO, "logged out");
}
}
我没有过滤器类,因为如果我创建一个项目,该项目甚至无法启动。
我检查了此线程:_.keys()
但是我仍然似乎无法弄清楚externalContext.getSessionMap()。put(“ user”,user)的作用或应该在哪里使用此命令。