Prevent users from manually accessing pages

Time: 2012-02-28 13:04:11

Tags: jsf post redirect get

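I have implemented a JSF phase listener that checks whether the user is logged in and, if not, redirects the user to the login page.

Now I want the phase listener to handle the case where the user manually types a page name into the address bar. In this case, the phase listener must automatically redirect the user to the login page and destroy the session.

How can this be done in JSF?

2 answers: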

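Answer 0: (score: 2)

Just use a simple servlet Filter that is mapped to a common URL pattern of the restricted pages, such as /app/*, /pages/*, /secured/*, etc. Here is a kickoff example, assuming you have a @SessionScoped @ManagedBean UserManager: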

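import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter(urlPatterns={"/app/*"})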
public class AuthenticationFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        UserManager userManager = (session != null) ? (UserManager) session.getAttribute("userManager") : null;

        if (userManager == null || !userManager.isLoggedIn()) {
            response.sendRedirect(request.getContextPath() + "/login.xhtml"); // No logged-in user found, so redirect to login page.
        } else {
            chain.doFilter(req, res); // Logged-in user found, so just continue request.
        }
    }

    // ...
}

Answer 1: (score: 0)

I'm on JSF 1.2 and do it like this:

public void beforePhase(PhaseEvent event) 
{
    FacesContext fCtx = FacesContext.getCurrentInstance();
    String actualView = null;
    actualView = event.getFacesContext().getApplication().getViewHandler().getResourceURL(fCtx, fCtx.getViewRoot().getViewId());  
    //actualView is the page the user wants to see
    //you can check, if the user got the permission, is logged in, whatever
}

public PhaseId getPhaseId() 
{
    return PhaseId.RENDER_RESPONSE;
}