如何控制 JSF 中的访问和权限? [英] How control access and rights in JSF?

问题描述

我想在用户登录我的系统后控制访问.

I would like to control the access after the user log in my system.

例如:

administrator : can add, delete and give rights to employee
employee : fill forms only
...

所以在知道用户拥有哪个权限后，检查数据库，我想限制这个用户可以看到和做的事情.有一种简单的方法可以做到这一点吗?

So after knowing which right the user has, checking in database, I would like to restrict what this user can see and do. There's a simple way to do that ?

编辑

@WebFilter("/integra/user/*")
public class LoginFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException {    
        HttpServletRequest req = (HttpServletRequest) request;
        Authorization authorization = (Authorization) req.getSession().getAttribute("authorization");

        if (authorization != null && authorization.isLoggedIn()) {
            // User is logged in, so just continue request.
            chain.doFilter(request, response);
        } else {
            // User is not logged in, so redirect to index.
            HttpServletResponse res = (HttpServletResponse) response;
            res.sendRedirect(req.getContextPath() + "/integra/login.xhtml");
        }
    }

    // You need to override init() and destroy() as well, but they can be kept empty.


    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void destroy() {
    }
}

推荐答案

嗯，这是一个相当广泛的主题.当您开始使用自制身份验证时，我将针对自制授权提供答案.

Well, this is a pretty broad subject. As you're starting off with homebrewed authentication, I'll target the answer on homebrewed authorization.

如果模型设计合理，Java/JSF 中的角色检查本身就相对简单.假设一个用户可以有多个角色(在现实世界的应用程序中经常是这种情况)，您最终希望得到如下结果:

Role checking in Java/JSF is at its own relatively simple if the model is sensibly designed. Assuming that a single user can have multiple roles (as is often the case in real world applications), you'd ultimately like to end up having something like:

public class User {

    private List<Role> roles;

    // ...

    public boolean hasRole(Role role) {
        return roles.contains(role);
    }

}

public enum Role {

    EMPLOYEE, MANAGER, ADMIN;

}

以便您可以在 JSF 视图中按如下方式检查它:

so that you can check it as follows in your JSF views:

<h:selectManyCheckbox value="#{user.roles}" disabled="#{not user.hasRole('ADMIN')}">
    <f:selectItems value="#{Role}" />
</h:selectManyCheckbox>

<h:commandButton value="Delete" rendered="#{user.hasRole('ADMIN')}" />

并在您的过滤器中:

String path = req.getRequestURI().substring(req.getContextPath().length());

if (path.startsWith("/integra/user/admin/") && !user.hasRole(Role.ADMIN)) {
    res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
}

<小时>

最难的部分是将这个 Java 模型转换为一个健全的 DB 模型.根据具体的业务需求，有几种不同的方式，每种方式都有自己的(缺点)优势.或者，您可能已经有一个 DB 模型，您的 Java 模型必须以此为基础(因此，您需要自下而上地设计)?

---

The hardest part is translating this Java model to a sane DB model. There are several different ways depending on the concrete business requirements, each with its own (dis)advantages. Or perhaps you already have a DB model on which you have to base your Java model (thus, you need to design bottom-up)?

无论如何，假设您使用的是 JPA 2.0(您的问题历史至少证实了这一点)并且您可以自上而下设计，最简单的方法之一是映射 roles 属性作为 @ElementCollection针对 user_roles 表.由于我们使用的是 Role 枚举，因此不需要第二个 role 表.同样，这取决于具体的功能和业务需求.

Anyway, assuming that you're using JPA 2.0 (your question history at least confirms this) and that you can design top-down, one of the easiest ways would be to map the roles property as an @ElementCollection against an user_roles table. As we're using a Role enum, a second role table isn't necessary. Again, that depends on the concrete functional and business requirements.

在一般的 SQL 术语中，user_roles 表可能如下所示:

In generic SQL terms, the user_roles table can look like this:

CREATE TABLE user_roles (
    user_id BIGINT REFERENCES user(id),
    role VARCHAR(16) NOT NULL,
    PRIMARY KEY(user_id, role)
)

然后映射如下:

@ElementCollection(targetClass=Role.class, fetch=FetchType.EAGER)
@Enumerated(EnumType.STRING)
@CollectionTable(name="user_roles", joinColumns={@JoinColumn(name="user_id")})
@Column(name="role")
private List<Role> roles;

这基本上就是您需要在 User 实体中更改的全部内容.

That's basically all you'd need to change in your User entity.

在自制的身份验证(登录/注销)和授权(角色检查)旁边，还提供了 Java EE 容器管理的身份验证，您可以通过j_security_check 或HttpServletRequest#login() 登录，在web.xml<中通过过滤HTTP请求/code>, 检查登录的-在用户中通过 #{request.remoteUser} 和 它的角色 #{request.isUserInRole('ADMIN')} 等

Next to homebrewed authentication (login/logout) and authorization (role checking), there is also Java EE provided container managed authentication with which you can login by j_security_check or HttpServletRequest#login(), filter HTTP requests by <security-constraint> in web.xml, check the logged-in user by #{request.remoteUser} and its roles by #{request.isUserInRole('ADMIN')}, etc.

然后有几个 3rd 方框架，例如 PicketLink、Spring 安全，Apache Shiro，等等.但这完全是不可能的:)

Then there are several 3rd party frameworks such as PicketLink, Spring Security, Apache Shiro, etc. But this is all out of the question :)

这篇关于如何控制 JSF 中的访问和权限?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！