Primefaces Login Application

Question

Possible duplicate:
JSF HTTP Session Login

I am using Primefaces to implement my web application. In my implementation the user can log in to the system, then they can load the redirected pages again by copying that URL without logging in again. How can I prevent this?

Here is my login logic:

public String doLogin() {
    // the admin credentials lead to the admin table page
    if (username != null &&
        username.equals("admin") &&
        password != null &&
        password.equals("admin")) {
        msg = "table?faces-redirect=true";
    } else if (user_name.contains(username) &&
               pass_word.contains(password) &&
               !user_name.contains("admin")) {
        // any other known user leads to the regular table page
        msg = "table1?faces-redirect=true";
    }
    return msg;
}

Recommended answer

If the user session hasn't expired, then this is normal behavior for web applications. If the session has expired, then you must make sure there is a logged-in user and that he/she has the privileges to access the page he/she is using in the URL. You can achieve this using a Filter.

I'm assuming your web app is on a Java EE 6 container like Tomcat 7 or GlassFish 3.x:

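import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter(filterName = "MyFilter", urlPatterns = {"*.xhtml"})
public class MyFilter implements Filter {

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    public void doFilter(
        ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        //get the request page, without path parameters such as ";jsessionid=..."
        String requestPath = httpServletRequest.getRequestURI();
        int semicolon = requestPath.indexOf(';');
        if (semicolon >= 0) {
            requestPath = requestPath.substring(0, semicolon);
        }
        String homePath = httpServletRequest.getContextPath() + "/home.xhtml";
        //exact comparison: a substring test would also skip the check for any path that merely contains "home.xhtml"
        if (!requestPath.equals(homePath)) {
            boolean validate = false;
            //getting the session object, without creating one if none exists
            HttpSession session = httpServletRequest.getSession(false);
            //check if there is a user logged in your session
            //I'm assuming you save the user object in the session (not the managed bean).
            User user = (session != null) ? (User) session.getAttribute("LoggedUser") : null;
            if (user != null) {
                //check if the user has rights to access the current page
                //you can omit this part if you only need to check if there is a valid user logged in
                ControlAccess controlAccess = new ControlAccess();
                if (controlAccess.checkUserRights(user, requestPath)) {
                    validate = true;
                    //you can add more logic here, like log the access or similar
                }
            }
            if (!validate) {
                HttpServletResponse httpServletResponse = (HttpServletResponse) response;
                httpServletResponse.sendRedirect(homePath);
                //stop here so the requested page is not processed after the redirect
                return;
            }
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
    }
}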

Some implementation for your ControlAccess class:

import java.util.List;

public class ControlAccess {

    public ControlAccess() {
    }

    public boolean checkUserRights(User user, String path) {
        UserService userService = new UserService();
        //assuming there is a method to get the right access for the logged users.
        List<String> urlAccess = userService.getURLAccess(user);
        for(String url : urlAccess) {
            //substring match: an entry also grants every path that contains it,
            //so keep the entries specific (or compare against the exact path)
            if (path.contains(url)) {
                return true;
            }
        }
        return false;
    }
}

While looking for a nice way to explain this, I found a better answer from BalusC (JSF expert). This is JSF 2 based:
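
The filter in this answer only has something to check if login stores a `LoggedUser` object in the session, which the `doLogin()` in the question never does. The following is an added example, not code from the original post and not the BalusC answer referred to above, of a JSF 2 login bean that does so; `LoginBean`, the minimal `User` class, `authenticate()` and `doLogout()` are assumptions made for illustration.

```java
import java.io.Serializable;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;

// Minimal stand-in for the User class the answer assumes (hypothetical fields).
class User implements Serializable {
    final String name;
    final boolean admin;
    User(String name, boolean admin) { this.name = name; this.admin = admin; }
}

@ManagedBean
@RequestScoped // request scope: the bean is not lost when the session is replaced
public class LoginBean {
    private String username;
    private String password;
    public String doLogin() {
        FacesContext context = FacesContext.getCurrentInstance();
        ExternalContext external = context.getExternalContext();
        User user = authenticate(username, password);
        if (user == null) {
            context.addMessage(null, new FacesMessage(
                FacesMessage.SEVERITY_ERROR, "Invalid username or password", null));
            return null; // stay on the login page, nothing is stored in the session
        }
        // Replace the pre-login session so an id fixed before login is useless.
        external.invalidateSession();
        external.getSession(true);
        // Same key the filter reads with session.getAttribute("LoggedUser").
        external.getSessionMap().put("LoggedUser", user);
        return user.admin ? "table?faces-redirect=true" : "table1?faces-redirect=true";
    }
    public String doLogout() {
        // Ends the session; a copied URL is then redirected to home.xhtml by the filter.
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "home?faces-redirect=true";
    }
    // Placeholder mirroring the question's hard-coded admin test (assumption);
    // a real application checks salted password hashes in a user store.
    private User authenticate(String name, String pass) {
        return ("admin".equals(name) && "admin".equals(pass)) ? new User(name, true) : null;
    }
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

With this in place, a URL copied into a browser that has no session, or whose session has been ended by `doLogout()` or a timeout, reaches the filter without a `LoggedUser` attribute and is redirected to `home.xhtml`.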
