在JSF登录期间何时创建会话? [英] When is session created during JSF login?

问题描述

在JSF中，似乎在成功登录之前创建了会话.即仅请求登录页面即可创建一个新会话.

In JSF, it seems that sessions are created before a successful login. i.e. simply requesting the login page causes a new session to be created.

为接收到的每个请求而不是每个成功登录的用户创建会话似乎非常浪费(并且容易受到DDoS攻击).

It seems very wasteful (and vulnerable to DDoS attacks) to create a session for each request received, rather than each successfully logged in user.

下面的代码非常通用，但是显示了我所指的简单场景.

The code below is pretty generic, but shows the kind of simple scenario I'm referring to.

index.xhtml:

index.xhtml:

<html>
    <body>
        <h:form id="login">
            <h:outputLabel for="username">Username</h:outputLabel>
            <p:inputText id="username" name="username" value="#{userController.username}"/>
            <h:outputLabel for="password">Password</h:outputLabel>
            <p:password id="password" name="password" value="#{userController.password}"/>

            <p:commandButton id="loginButton" value="login" action="#{loginController.login}"/>
        </h:form>
    </body>
</html>

LoginController.java

LoginController.java

@ViewScoped
public class LoginController implements Serializable {

    String username;
    String password;

    public void login(){
        HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
        if (request.getSession(false) == null){
            System.out.println("No session.");
        } else {
            System.out.println("Session already exists.");
        }

        try {
            request.login(username, password);
        } catch (ServletException e) {
            FacesContext.getCurrentInstance.addMessage(null, new FacesMessage("Login failure", e.getMessage()));
        }
    }

    // username and password getters/setters

}

修正了尚贝利代码示例

推荐答案

首先，您的测试方法完全错误.

First of all, your testing methodology is completely wrong.

if (request.getSession() == null){
    System.out.println("No session.");
} else {
    System.out.println("Session already exists.");
}

请仔细阅读无参数getSession()方法的javadoc .您会意识到，它从不返回null.

Please carefully read the javadoc of the argumentless getSession() method. You'll realize that it never returns null.

回到具体问题，默认情况下，JSF实际上将自动创建会话，因为必须将JSF视图状态存储在该位置.如果将JSF状态保存方法设置为client而不是server，则它将不会存储在会话中，因此不需要创建会话.

Coming back to the concrete problem, by default JSF will indeed autocreate the session because the JSF view state has to be stored over there. If you set the JSF state saving method to client instead of server, then it won't be stored in session and hence no session needs to be created.

<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>

在即将到来的JSF 2.2中，您也可以将Bean放入请求范围，并使用<f:view transient="true">使其完全变为无状态.这是针对当前的JSF 2.1版本，仅从Mojarra 2.1.19开始可用.另请参见此博客来自Mojarra开发人员之一.

In the upcoming JSF 2.2 you could alternatively also put the bean in the request scope and use <f:view transient="true"> to go completely stateless. This is for the current JSF 2.1 version only available since Mojarra 2.1.19. See also e.g. this blog from one of Mojarra developers.

这篇关于在JSF登录期间何时创建会话?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！