I have implemented FORM-based authentication using Glassfish 3.1 + JDBCRealm + MySQL (MD5). I have only two roles, user and admin. Everything works fine, and I can see from the log that authentication works in both cases, as a user and as an admin (see the log below).
Q1: Is it possible to make two different index files, so that when the user is admin he/she goes to /admin/index.xhtml, and when the user is in role user he goes directly to faces/user/index.xhtml?
Q2: Right now, when I log in as a user I can still go to the "admin side" just by typing the whole link directly into the address field of the browser. Why, and how can this be avoided?
Q3: When I log in as a user and I only have faces/admin/index.xhtml in the welcome-file list, it redirects me to that file even though the xml file states otherwise. Why?
    <welcome-file-list>
        <welcome-file>faces/admin/index.xhtml</welcome-file> <!-- ?? it always goes here, because it is the first one, I think? -->
        <welcome-file>faces/user/index.xhtml</welcome-file>
    </welcome-file-list>
    <security-constraint>
        <display-name>Admin Pages</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Admin Area</web-resource-name>
            <description/>
            <url-pattern>/faces/admin/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>User Pages</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Users Area</web-resource-name>
            <description/>
            <url-pattern>/faces/users/*</url-pattern>
            <!--url-pattern>/faces/users/index.xhtml</url-pattern-->
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>JDBCRealm</realm-name>
        <form-login-config>
            <form-login-page>/faces/loginForm.xhtml</form-login-page>
            <form-error-page>/faces/loginError.xhtml</form-error-page>
        </form-login-config>
    </login-config>
</web-app>
LOG:
FINE: Login module initialized: class com.sun.enterprise.security.auth.login.JDBCLoginModule
FINEST: JDBC login succeeded for: admin groups:[admin, user]
FINE: JAAS login complete.
FINE: JAAS authentication committed.
FINE: Password login succeeded for : admin
FINE: Set security context as user: admin
FINE: [Web-Security] Setting Policy Context ID: old = null ctxID = jdbcrealm/jdbcrealm
FINE: [Web-Security] hasUserDataPermission perm: (javax.security.jacc.WebUserDataPermission GET)
FINE: [Web-Security] hasUserDataPermission isGranted: true
FINE: [Web-Security] Policy Context ID was: jdbcrealm/jdbcrealm
FINE: [Web-Security] Codesource with Web URL: file:/jdbcrealm/jdbcrealm
FINE: [Web-Security] Checking Web Permission with Principals : null
(Edited after myfear's answer) ----- In glassfish-web.xml I have the roles like this. If I understand correctly, this means that admin belongs to the groups admin, customer and user; customer belongs to the groups customer and user; and user belongs to the group user. Do I understand this correctly?
    <security-role-mapping>
        <role-name>admin</role-name>
        <group-name>admin</group-name>
        <group-name>customer</group-name>
        <group-name>user</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>customer</role-name>
        <group-name>customer</group-name>
        <group-name>user</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>user</role-name>
        <group-name>user</group-name>
    </security-role-mapping>
</glassfish-web-app>
Thanks! Sami
Answer 0 (score: 1)
I have just tried this in a university course, and this is how I got the functionality you seem to need. I am using Netbeans with a Glassfish 4.1.1 server, and I have configured the user roles in the server's file realm.
My project has 3 files:
    index.xhtml
    users/mainmenu.xhtml
    admin/mainmenu.xhtml
The welcome page is set to index.xhtml, which contains the following hyperlinks:
    <h4>
        <a href="/ED-Secure-war/faces/admin/mainmenu.xhtml">
            Admin Login
        </a>
    </h4>
    <h4>
        <a href="/ED-Secure-war/faces/user/mainmenu.xhtml">
            User Login
        </a>
    </h4>
In my web.xml security section I have the following roles configured
Now, since access to these pages is restricted by user group, you are prompted to log in when you click one of the hyperlinks on the index. If you enter a valid admin login for the admin link, you are redirected to admin/mainmenu.xhtml, and vice versa.
Answer 1 (score: 0)
A1) Welcome files have nothing to do with roles. If you need to perform any kind of logic for dispatching users, you should consider using boolean HttpServletRequest.isUserInRole(String role) or something similar to find out which role the user is in.
A2) This should not happen. You need to check the roles in the JDBCRealm. From what I can see here, everything is configured the right way.
A3) I am not sure I understand your comment about the "XML" file correctly. But welcome files are not bound to roles, and... see A1)
Thanks, M
Answer 2 (score: 0)
For your question 1: using a filter, you can redirect the user to a specific page, userlogin.xhtml or adminlogin.xhtml
    import java.io.IOException;
    import javax.servlet.*;
    import org.jboss.security.SecurityAssociation; // JBoss-specific API; not available on Glassfish

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        // Identity of the already-authenticated caller, as seen by the container
        String userName = SecurityAssociation.getPrincipal().getName();
        String userNameSubject = SecurityAssociation.getSubject().toString();
        System.out.println("Yeeey! Get me here and find me in the database: " + userName + " Subject : " + userNameSubject);
        filterChain.doFilter(servletRequest, servletResponse);
    }
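A filter that performs the role-based dispatch suggested in Answer 1 with the filter approach from Answer 2, written here as an added example and not code from any of the posts. It uses only the standard HttpServletRequest API, so it runs on GlassFish without JBoss classes; the filter mapping, the RoleDispatchFilter name and the two landing-page paths are assumptions based on the layout in the question.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: sends an authenticated user to the landing page of the role
// the container says they hold, instead of relying on welcome-file order.
// The mapped entry point "/faces/index.xhtml" is an assumed path.
@WebFilter(urlPatterns = "/faces/index.xhtml")
public class RoleDispatchFilter implements Filter {

    // Targets are assumed; the role names are the <role-name> values from web.xml.
    static final String ADMIN_HOME = "/faces/admin/index.xhtml";
    static final String USER_HOME = "/faces/user/index.xhtml";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Not authenticated yet: let the container's FORM login run first.
        if (request.getUserPrincipal() == null) {
            chain.doFilter(req, res);
            return;
        }
        // Check the more privileged role first. Note that in the posted
        // glassfish-web.xml the "admin" role is mapped to group "user" as well,
        // so every plain user also holds "admin" until that mapping is tightened;
        // the <security-constraint> elements, not this filter, enforce access.
        String target = request.isUserInRole("admin") ? ADMIN_HOME : USER_HOME;
        response.sendRedirect(request.getContextPath() + target);
    }

    @Override
    public void destroy() { }
}
```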