Custom Annotation JSF


Problem description

I wanted to make a custom annotation to check security on some functions for my JSF web application. For security I use Tomcat security with JAAS, so I have no application-managed security at my disposal.

What I actually want to do is make an annotation for my methods in the backing beans like Spring Security (@Secured("role")). My security system is implemented so that every function is a role, and you can dynamically make "user roles"; these are stored in the DB, and when somebody logs in, all the (function) roles in that "user role" will be set in Tomcat security as roles.

So now I have this piece of code to check if my user can access the function:

    import javax.faces.context.ExternalContext;
    import javax.faces.context.FacesContext;

    public final class SecurityUtil {

        private SecurityUtil() {
        }

        /** Redirects to login.xhtml when nobody is logged in, to restricted.xhtml when the function role is missing. */
        public static void checkSecurity(final String function) {
            final FacesContext facesContext = FacesContext.getCurrentInstance();
            final ExternalContext externalContext = facesContext.getExternalContext();
            try {
                if (externalContext.getRemoteUser() == null) {
                    externalContext.redirect("login.xhtml");
                    return;
                }
                if (!externalContext.isUserInRole(function)) {
                    externalContext.redirect("restricted.xhtml");
                    return;
                }
            } catch (final Exception ex /* Mandatory "IOException e" will be caught + all other exceptions. */) {
                externalContext.setResponseStatus(403); // HTTP Status 403: Forbidden. Can also throw 401.
                facesContext.responseComplete();
            }
        }
    }

Now I have to call this SecurityUtil.checkSecurity("name_of_function"); in every method. But I want to have an annotation like this @CustomSecurity("function_name_role").

    import java.lang.annotation.ElementType;
    import java.lang.annotation.Retention;
    import java.lang.annotation.RetentionPolicy;
    import java.lang.annotation.Target;

    @Target(ElementType.METHOD)
    @Retention(RetentionPolicy.RUNTIME)
    public @interface CustomSecurity {
        // Single element called value: the function role the caller must hold.
        String value();
    }

And when a method has this annotation, the checkSecurity function automatically has to be performed. So I have to scan for this annotation at some point, or make some kind of action listener. JSF should have some options for this, but all the forums I found on this don't really help.

Does anybody have any ideas?

I tried this blog; it works, but only on an action of a component (and components don't render when you don't have the role). So how secure is this when people try to hack into the JSF structure? And I'd rather have it running on every method.

    import java.lang.reflect.Method;
    import java.util.logging.Logger;

    import javax.el.ELContext;
    import javax.el.ExpressionFactory;
    import javax.el.ValueExpression;
    import javax.faces.component.ActionSource;
    import javax.faces.component.UIComponent;
    import javax.faces.context.FacesContext;
    import javax.faces.el.MethodBinding;
    import javax.faces.event.ActionEvent;
    import javax.faces.event.ActionListener;

    import com.sun.faces.application.ActionListenerImpl;
    import com.sun.faces.util.FacesLogger;

    public class SecurityActionListener extends ActionListenerImpl implements ActionListener {

        private static final Logger LOGGER = FacesLogger.APPLICATION.getLogger();

        @Override
        public void processAction(final ActionEvent event) {

            final FacesContext context = FacesContext.getCurrentInstance();

            // Action stuff: this listener only understands "#{bean.method}" expressions;
            // anything else is handed straight to the default listener.
            final UIComponent source = event.getComponent();
            final ActionSource actionSource = (ActionSource) source;
            final MethodBinding binding = actionSource.getAction();
            if (binding == null) {
                super.processAction(event);
                return;
            }
            final String expr = binding.getExpressionString();
            if (expr == null || !expr.startsWith("#")) {
                super.processAction(event);
                return;
            }

            final int idx = expr.indexOf('.');
            final String target = expr.substring(0, idx).substring(2);   // bean name between "#{" and "."
            final String t = expr.substring(idx + 1);
            final String method = t.substring(0, (t.length() - 1));       // method name without the closing "}"

            final ELContext elContext = context.getELContext();
            final ExpressionFactory factory = context.getApplication().getExpressionFactory();

            // Resolve the bean instance so its class can be inspected for the annotation.
            final ValueExpression ve = factory.createValueExpression(elContext, "#{" + target + '}', Object.class);
            final Object result = ve.getValue(elContext);

            // Check if the target method is a secured method
            // and check security accordingly
            for (final Method meth : result.getClass().getMethods()) {
                if (meth.getName().equals(method) && meth.isAnnotationPresent(CustomSecurity.class)) {
                    final CustomSecurity securityAnnotation = meth.getAnnotation(CustomSecurity.class);
                    LOGGER.fine("Function to check security on: " + securityAnnotation.value());
                    SecurityUtil.checkSecurity(securityAnnotation.value());
                    break;
                }
            }

            // checkSecurity either redirected / completed the response (access denied) or did
            // nothing (access granted); only in the latter case may the action itself be invoked.
            if (!context.getResponseComplete()) {
                super.processAction(event);
            }
        }

    }

And this in the faces-config.xml: <action-listener> com.nielsr.randompackagebecauseofnda.SecurityActionListener </action-listener>

This blog could also be an answer, but I don't know how it will work with my JaaS Tomcat security because the security is in a separate project deployed as a standalone JAR in the tomcat lib folder.

But I actually don't know whether I have to secure my beans. Because I have configured all the functions (aka roles, see above) that are on one page in the web.xml as security constraints. And I render the components on the page only if you have the rights or "function_role" on that component. So is this secured enough? Or if somebody has a right to one function on a page, can he render the components himself and so hack my site?

I'm not that familiar with JSF to know this; what is going on in that extra JSF abstraction layer between Controller and View? (I'm more of a Spring MVC developer, but because of requirements I have to use JSF, and it's nice to broaden my knowledge.)
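The check the post wants "running on every method", as an added example that is not code from the original post or from either linked blog: a CDI interceptor bound to the same @CustomSecurity annotation, so the role check runs on every invocation of an annotated bean method no matter which components were rendered or what the client posted back. It assumes a CDI implementation (for example Weld) is installed in the Tomcat deployment, that the backing beans are CDI beans, and that the interceptor class name and the fail-closed SecurityException are my choices.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;

import javax.enterprise.util.Nonbinding;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InterceptorBinding;
import javax.interceptor.InvocationContext;

// The post's annotation, turned into a CDI interceptor binding. @Nonbinding keeps the
// role value out of interceptor resolution, so one interceptor serves every role.
@InterceptorBinding
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@interface CustomSecurity {
    @Nonbinding String value() default "";
}

// Hypothetical interceptor (not the post's code); list it under <interceptors> in beans.xml.
@Interceptor
@CustomSecurity
class CustomSecurityInterceptor {

    @AroundInvoke
    public Object checkRole(final InvocationContext ctx) throws Exception {
        final Method m = ctx.getMethod();
        CustomSecurity ann = m.getAnnotation(CustomSecurity.class);
        if (ann == null) { // annotation sits on the bean class instead of the method
            ann = m.getDeclaringClass().getAnnotation(CustomSecurity.class);
        }
        final FacesContext fc = FacesContext.getCurrentInstance();
        if (fc == null) { // called outside a JSF request: nothing to redirect to, so fail closed
            throw new SecurityException("no JSF request for secured function " + ann.value());
        }
        final ExternalContext ext = fc.getExternalContext();
        if (ext.getRemoteUser() == null) {
            ext.redirect(ext.getRequestContextPath() + "/login.xhtml");
            return null; // redirect() marks the response complete; the bean method never runs
        }
        if (!ext.isUserInRole(ann.value())) { // same container (JAAS) roles the post relies on
            ext.redirect(ext.getRequestContextPath() + "/restricted.xhtml");
            return null;
        }
        return ctx.proceed(); // caller holds the function role: run the real bean method
    }
}
```

With CDI 1.0 the interceptor only becomes active once its class is listed under <interceptors> in WEB-INF/beans.xml; because the decision still comes from isUserInRole, the existing JAAS realm in the Tomcat lib folder needs no change.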

Recommended answer

You can use

http://code.google.com/p/reflections/

Regards
