在模板中插入一些支票有问题吗? [英] Are there some issue at inserting some check into template?
问题描述
如果我在模板文件中插入一些检查,是否存在一些问题?例如,如果我将用户检查插入模板的xhtml文件中,那么如果我在所有xhtml页面中都使用此模板,可能会遇到一些安全问题?
Are there some issues if I insert some check into the template file? For example if I insert the user check into the template's xhtml file it could be some security issue if I use this template in ALL my xhtml pages?
类似的东西:
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:h="http://java.sun.com/jsf/html">
<h:head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title><ui:insert name="title">Default Title</ui:insert></title>
<h:outputStylesheet name="css/jsfcrud.css"/>
</h:head>
<h:body>
<h:panelGroup rendered="#{userBean.cognome!=null}">
Utente connesso:<h:outputText value="#{userBean.cognome}"/> <h:outputText value="#{userBean.nome}"/>
<h1><ui:insert name="title">Default Title</ui:insert></h1>
<p><ui:insert name="body">Default Body</ui:insert></p>
</h:panelGroup>
</h:body>
</html>
推荐答案
我了解您在显示内容之前正在检查登录用户的存在.这样 可以,但是任何未登录即可打开页面的用户都将收到空白内容.这不是非常用户友好.您要将未登录的用户重定向到登录页面.
I understand that you're checking the presence of the logged-in user before displaying the content. This may be okay this way, but any user who opens the page without being logged-in will receive blank content. This is not very user friendly. You'd like to redirect a non-logged-in user to the login page.
如果您使用的是Java EE提供的容器管理的身份验证,通常已经考虑了这一点.但是,如果您正在进行身份验证,则需要为此创建一个 servlet过滤器.如果您将所有受限制的页面收集在/app
之类的公用文件夹中,以便可以将公用URL模式用于过滤器,例如/app/*
(并将所有公共页面(例如登录页面 放在此文件夹之外)),则假定#{userBean}
是会话作用域的JSF @ManagedBean
或您自己放置在会话作用域中的某些会话属性:
This is normally already taken into account if you're using Java EE provided container managed authentication. But if you're homegrowing authentication, you'd need to create a servlet filter for this. If you collect all restricted pages in a common folder like /app
so that you can use a common URL pattern for the filter, e.g. /app/*
(and put all public pages such as the login page outside this folder), then you should be able to filter out non-logged-in users as follows, assuming that #{userBean}
is a session scoped JSF @ManagedBean
or some session attribute which you've put in session scope yourself:
@WebFilter("/app/*")
public class LoginFilter implements Filter {
@Override
public void init(FilterConfig config) throws ServletException {
// NOOP.
}
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
HttpSession session = request.getSession(false);
UserBean user = (session != null) ? (UserBean) session.getAttribute("userBean") : null;
if (user == null || user.getCognome() == null) {
response.sendRedirect(request.getContextPath() + "/login.xhtml"); // No logged-in user found, so redirect to login page.
} else {
chain.doFilter(req, res); // Logged-in user found, so just continue request.
}
}
@Override
public void destroy() {
// NOOP.
}
}
另请参见:
- 如何在数据库?
- How to handle authentication/authorization with users in a database?
See also:
这篇关于在模板中插入一些支票有问题吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!