Securing JSF applications

Views: 98

Problem description

I've been asked by a freelancer friend of mine to join him on a JSF 2.0 project, and I'm slowly picking up speed and putting the pieces together. Coming from a Windows Forms .NET world, I have a lot to learn to say the least.

My major concern is with the lack of apparent consensus on how to protect a JSF application.

Some methods have been proposed here on SO, including using Spring security, Seam security, custom phase listeners, or simply using the rendered="#{...}" attribute to show/hide components based on user authentication.

I have tried to implement some of these methods, for example Spring security, only to find out that it gets easily defeated by the JSF navigation mechanism that forwards to views instead of redirecting. In other words, Spring security will work fine if the user types in the URL of a secured page directly, but not if an h:commandButton's action takes him there.

In view of this, some have suggested to force a redirect by using "faces-redirect=true", but we feel that this could become a performance issue as this causes 2 requests from the browser each time.

On the other hand, I gave up trying to implement Seam security after getting so many missing dependencies errors.

The best solution I have found so far is a custom phase listener from Duncan Mills - Effective Page Authorization In JavaServer Faces, but I'm not 100% convinced this should be used on public facing JSF applications.

So finally, what does this leave us with? I know this is a pretty wide open-ended question, but I honestly have no clue where to go next. I'm pretty sure I have followed the different tutorials to the letter, for example Spring tutorials, but I'm still not satisfied with the way it works.

Could anyone at least confirm/infirm the fact that Spring security is supposed to work across JSF forwards, as I've seen many posts by others having the same issue? That would at least give me a direction to keep going.

Thanks.
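The navigation problem described in the question is that a URL-pattern filter sees only the URL the POST was sent to, not the view JSF decides to render next. A view-level check inside the JSF lifecycle closes that gap regardless of how the view was reached. The following is an added example, not code from the question, from Spring Security or from Duncan Mills' paper: a JSF 2.0 PhaseListener that authorizes the view about to be rendered. The `/admin/` prefix, the `/login.xhtml` view, and the `currentUserRole` session attribute are assumed names for illustration.

```java
// Added example (not from the question or from Duncan Mills' paper): a JSF 2.0
// PhaseListener that authorizes the view that is about to be rendered, whether
// it was reached by a typed URL or by a non-redirecting navigation case.
// Assumptions: views under /admin/ are admin-only, the login page is
// /login.xhtml, and the session attribute "currentUserRole" holds a role string.
import java.util.Map;
import javax.faces.application.NavigationHandler;
import javax.faces.component.UIViewRoot;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;

public class PageAuthorizationListener implements PhaseListener {

    private static final String PROTECTED_PREFIX = "/admin/";
    private static final String LOGIN_VIEW = "/login.xhtml";

    /** Run before Render Response: by then the navigation handler has chosen the target view. */
    @Override
    public PhaseId getPhaseId() {
        return PhaseId.RENDER_RESPONSE;
    }

    @Override
    public void beforePhase(PhaseEvent event) {
        FacesContext ctx = event.getFacesContext();
        UIViewRoot root = ctx.getViewRoot();
        if (root == null || !isProtected(root.getViewId())) {
            return;                                   // public view, nothing to check
        }
        Map<String, Object> session = ctx.getExternalContext().getSessionMap();
        Object role = session.get("currentUserRole"); // assumed attribute set at login
        if (!isAllowed(root.getViewId(), role)) {
            // Swap the target for the login page via a real redirect, so the browser
            // never receives the protected view's markup.
            NavigationHandler nav = ctx.getApplication().getNavigationHandler();
            nav.handleNavigation(ctx, null, LOGIN_VIEW + "?faces-redirect=true");
            ctx.responseComplete();
        }
    }

    @Override
    public void afterPhase(PhaseEvent event) {
        // nothing to do after rendering
    }

    /** Authorization rule kept in plain methods so it can be unit-tested without a FacesContext. */
    static boolean isProtected(String viewId) {
        return viewId != null && viewId.startsWith(PROTECTED_PREFIX);
    }

    static boolean isAllowed(String viewId, Object role) {
        return !isProtected(viewId) || "ADMIN".equals(role);
    }
}
```

The listener is registered in faces-config.xml with `<lifecycle><phase-listener>com.example.PageAuthorizationListener</phase-listener></lifecycle>` (package name assumed). Because it inspects the view root rather than the request URL, it fires for the target of a non-redirecting navigation case as well as for a directly typed URL, which is exactly the case a URL-mapped filter misses. It does not replace the checks inside action methods: a forged POST can still invoke a bean method without any view being rendered.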

Recommended answer

A combination of a servlet filter for page validation (applied to the faces servlet), an identity session bean (storing user attributes, e.g. role, login id) and a few methods for entitlement checks (e.g. isAdmin(), canViewRecord(recordID)) well used throughout your pages.

You see, when it comes to security I opt for not leaving it in anybody else's hands. Also, I validate in several places (hiding a component won't keep folks from forging the right POST request to trigger specific bean methods, so watch out).
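The three pieces the answer lists, as an added example written for JSF 2.0 with Servlet 3.0 annotations; this is not the answerer's code. Assumed names: the faces servlet is registered as "Faces Servlet" in web.xml, the login view is `/login.xhtml`, the session bean is named `identity`, and `Record` with its `ownerId` is an illustrative domain class. The filter handles direct URL access, the session bean answers entitlement questions, and the action method repeats the check so that a forged POST against a hidden button is still refused.

```java
// Added example, not the answerer's code: filter + identity session bean +
// entitlement checks for JSF 2.0 / Servlet 3.0. All names below are assumed.

// --- File: Record.java : illustrative domain object ---------------------------
public class Record {
    private final String ownerId;
    public Record(String ownerId) { this.ownerId = ownerId; }
    public String getOwnerId()    { return ownerId; }
}

// --- File: UserIdentity.java : identity session bean --------------------------
import java.io.Serializable;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;

@ManagedBean(name = "identity")   // also the HttpSession attribute JSF stores the bean under
@SessionScoped
public class UserIdentity implements Serializable {
    private String loginId;       // null until login succeeds
    private String role;          // e.g. "ADMIN" or "USER"

    public boolean isLoggedIn() { return loginId != null; }
    public boolean isAdmin()    { return "ADMIN".equals(role); }

    /** Entitlement check: admins see everything, other users only records they own. */
    public boolean canViewRecord(Record r) {
        return r != null && (isAdmin() || (loginId != null && loginId.equals(r.getOwnerId())));
    }

    public void setLoginId(String loginId) { this.loginId = loginId; }
    public void setRole(String role)       { this.role = role; }
}

// --- File: AuthenticationFilter.java : page validation on the faces servlet --
import java.io.IOException;
import javax.faces.application.ResourceHandler;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

@WebFilter(servletNames = "Faces Servlet")   // name assumed to match web.xml
public class AuthenticationFilter implements Filter {
    private static final String LOGIN_VIEW = "/login.xhtml";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);   // never create a session here
        UserIdentity identity = session == null ? null
                : (UserIdentity) session.getAttribute("identity");
        String uri = request.getRequestURI();
        // The login page and JSF resources (css/js/images) must stay reachable.
        boolean exempt = uri.endsWith(LOGIN_VIEW) || uri.contains(ResourceHandler.RESOURCE_IDENTIFIER);
        if (!exempt && (identity == null || !identity.isLoggedIn())) {
            response.sendRedirect(request.getContextPath() + LOGIN_VIEW);
            return;
        }
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}

// --- File: RecordBean.java : entitlement re-checked inside the action method --
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.ManagedProperty;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;

@ManagedBean
@RequestScoped
public class RecordBean {
    @ManagedProperty("#{identity}")
    private UserIdentity identity;
    private Record record;        // set from the page, e.g. via f:setPropertyActionListener

    /** rendered="#{...}" on the button is presentation only; a crafted POST still
     *  reaches this method, so the same entitlement check is repeated here. */
    public String view() {
        if (!identity.canViewRecord(record)) {
            FacesContext.getCurrentInstance().addMessage(null,
                new FacesMessage(FacesMessage.SEVERITY_ERROR, "Not authorized", null));
            return null;          // stay on the current view
        }
        return "recordView";      // outcome assumed to map to /recordView.xhtml
    }

    public void setIdentity(UserIdentity identity) { this.identity = identity; }
    public void setRecord(Record record)           { this.record = record; }
}
```

Mapping the filter by servlet name rather than by URL pattern ties it to every request the faces servlet handles, which is what "applied to the faces servlet" means in practice. Note that `request.getSession(false)` avoids creating sessions for anonymous requests, and that the filter only establishes that someone is logged in; per-record decisions stay in `UserIdentity` so that pages, action methods and any phase listener all consult the same rule.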
