JSF - Spring Security Integration issue

Problem description

The Servlet 2.4+ API allows us to use the <dispatcher> tag within the <filter-mapping> tag with values like FORWARD to intercept requests being internally forwarded to other resources. For one servlet forwarding to another, the spring security constraints work fine.

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>    

Problem: The security filter does NOT seem to intercept the internal forwards with JSF Actions

JSF seems to 'forward' the request to the target view (page) while using JSF actions (navigation case). This causes the URL to be one step behind the actual URL of the page.

A side effect of this is that the spring security constraint (which is tied to the URL) does not take effect until the next action.

Example: Current page URL: http://host/myapp/page1.xhtml (page1.xhtml has an action that navigates to page2 which is protected)

On submit, the request is submitted to the server which renders page2.xhtml but the URL still remains as http://host/myapp/page1.xhtml. Spring Security does not intercept and protect page2.xhtml.

This can be overcome by specifying the following:

<navigation-case>
    <from-outcome>page2</from-outcome>
    <to-view-id>/page2.xhtml</to-view-id>
    <redirect/> <!--REDIRECT, INSTEAD OF FORWARD-->
</navigation-case>

Redirect is not the way we want to achieve this. Is there a better way to get Spring Security to work with JSF?

(relevant snippet of the spring config xml)

<http use-expressions="true" once-per-request="false">
    <intercept-url pattern="/index.xhtml" access="permitAll" />
    <intercept-url pattern="/page1.xhtml" access="isAuthenticated()" />
    <intercept-url pattern="/page2.xhtml" access="hasRole('supervisor')" />
    <intercept-url pattern="/page3.xhtml" access="hasRole('teller')" />
    <form-login  login-page="/login.html" default-target-url="/page1.xhtml"/>
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="rod" password="rod" authorities="supervisor,  user" />
            <user name="dianne" password="dianne" authorities="teller, user" />
            <user name="scott" password="scott" authorities="supervisor" />
            <user name="peter" password="peter" authorities="user" />
        </user-service>
    </authentication-provider>
</authentication-manager>

Recommended answer

From the horse's mouth (oracle documentation)

If a navigation case does not use the redirect element, the new page is rendered as a response to the current request, which means that the URL in the browser's address field does not change and that it will contain the address of the previous page.

What this seems to translate to is that there is no 'forward' happening to the next page during the JSF lifecycle... and so Spring Security will never get a handle to this.
