Are there some issues with inserting a check into a template?


Question

Are there some issues if I insert a check into the template file? For example, if I insert the user check into the template's xhtml file, could it be a security issue if I use this template in ALL my xhtml pages?

Something like this:

<?xml version='1.0' encoding='UTF-8' ?> 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ui="http://java.sun.com/jsf/facelets"
      xmlns:h="http://java.sun.com/jsf/html">
    <h:head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <title><ui:insert name="title">Default Title</ui:insert></title>
        <h:outputStylesheet name="css/jsfcrud.css"/>
    </h:head>
    <h:body>
        <h:panelGroup rendered="#{userBean.cognome!=null}">
            Utente connesso:<h:outputText value="#{userBean.cognome}"/>&nbsp;<h:outputText value="#{userBean.nome}"/>
            <h1><ui:insert name="title">Default Title</ui:insert></h1>
            <p><ui:insert name="body">Default Body</ui:insert></p>
        </h:panelGroup>
    </h:body>
</html>

Answer

I understand that you're checking the presence of the logged-in user before displaying the content. This may be okay this way, but any user who opens the page without being logged in will receive blank content. This is not very user friendly. You'd rather redirect a non-logged-in user to the login page.

This is normally already taken into account if you're using Java EE provided container managed authentication. But if you're homegrowing authentication, you'd need to create a servlet filter for this. If you collect all restricted pages in a common folder like /app so that you can use a common URL pattern for the filter, e.g. /app/* (and put all public pages such as the login page outside this folder), then you should be able to filter out non-logged-in users as follows, assuming that #{userBean} is a session scoped JSF @ManagedBean or some session attribute which you've put in session scope yourself:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Mapped to every URL under /app/, so each restricted page is checked before JSF renders it.
@WebFilter("/app/*")
public class LoginFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException {
        // NOOP.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // false: do not create a session just for the check.
        // The session scoped @ManagedBean named "userBean" is stored under that same attribute name.
        UserBean user = (session != null) ? (UserBean) session.getAttribute("userBean") : null;

        if (user == null || user.getCognome() == null) {
            response.sendRedirect(request.getContextPath() + "/login.xhtml"); // No logged-in user found, so redirect to login page.
        } else {
            chain.doFilter(req, res); // Logged-in user found, so just continue request.
        }
    }

    @Override
    public void destroy() {
        // NOOP.
    }

}

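The session scoped bean that the filter above casts to, written here as an added illustration rather than code from the question or the answer. The class name UserBean, the bean name "userBean" and the getCognome() getter match the filter and the template; the in-memory credential map and the login()/logout() methods are assumptions made for this example.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.faces.context.FacesContext;

// Registered as "userBean", so it lives in the session under the same attribute
// key that LoginFilter reads with session.getAttribute("userBean").
@ManagedBean(name = "userBean")
@SessionScoped
public class UserBean implements Serializable {

    // Constructed credentials for this example only (username -> {password, cognome, nome});
    // a real application looks users up in a database and never stores plaintext passwords.
    private static final Map<String, String[]> USERS = new HashMap<>();
    static { USERS.put("mario", new String[] {"secret", "Rossi", "Mario"}); }

    private String username; // bound to the login form
    private String password; // bound to the login form
    private String cognome;  // stays null until login succeeds; this is what the filter tests
    private String nome;

    public String login() {
        String[] entry = USERS.get(username);
        if (entry == null || !entry[0].equals(password)) {
            password = null;
            FacesContext.getCurrentInstance().addMessage(null,
                new FacesMessage(FacesMessage.SEVERITY_ERROR, "Unknown user or wrong password", null));
            return null; // stay on login.xhtml
        }
        cognome = entry[1];
        nome = entry[2];
        password = null; // do not keep the password in the session
        return "/app/index?faces-redirect=true"; // into the area guarded by LoginFilter
    }

    public String logout() {
        // Drops the whole session, this bean included, so the filter redirects again.
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "/login?faces-redirect=true";
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    public String getCognome() { return cognome; }
    public String getNome() { return nome; }
}
```

The login form on /login.xhtml (outside /app, so the filter never blocks it) binds #{userBean.username} and #{userBean.password} and calls #{userBean.login}; after a successful login, #{userBean.cognome} is non-null and both the filter and the template's rendered check pass.
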
See also:

  • How to handle authentication/authorization with users in a database?
