Limitations of using a PhaseListener instead of a Servlet Filter for authorization


Question

I'm currently using a PhaseListener as below to perform user authorization.

import javax.faces.application.NavigationHandler;
import javax.faces.context.FacesContext;
import javax.faces.event.PhaseEvent;
import javax.faces.event.PhaseId;
import javax.faces.event.PhaseListener;

// A concrete subclass is registered in faces-config.xml via <lifecycle><phase-listener>.
public abstract class AuthorizationPhaseListener implements PhaseListener {

    // Run after RESTORE_VIEW, the first phase in which the view ID is known.
    private PhaseId phaseId = PhaseId.RESTORE_VIEW;

    @Override
    public PhaseId getPhaseId() { return phaseId; }

    @Override
    public void beforePhase(PhaseEvent event) { }

    @Override
    public void afterPhase(PhaseEvent event) {
        FacesContext fc = event.getFacesContext();
        boolean isOnAllowedPage = false;
        String[] allowedPages = choseRightPages(); // chose pages for role

        for (String s : allowedPages) {
            // Substring test: an entry "/admin" also matches "/notadmin.xhtml".
            if (fc.getViewRoot().getViewId().lastIndexOf(s) > -1) {
                isOnAllowedPage = true;
                break;
            }
        }

        if (!isOnAllowedPage) {
            NavigationHandler nh = fc.getApplication().getNavigationHandler();
            nh.handleNavigation(fc, null, "prohibited");
        }
    }

    // Pages the current user's role may open; the asker's implementation is not shown.
    protected abstract String[] choseRightPages();
}

It does what I want, however I don't see it being listed in How to handle authentication/authorization with users in a database? and this Coderanch topic titled "authorization with phaselistener problem" also mentions the following:

You shouldn't couple authorization that tight with JSF. Better make use of container managed authentication and/or a simple filter acting on an url-pattern covering the protected pages.

I don't exactly understand the limitations of using a PhaseListener instead of a Filter when performing user authorization. Can someone explain it to me?

Answer

A PhaseListener is only fired on a JSF request (i.e. a HTTP request which invoked the FacesServlet). It's not fired when a non-JSF request is executed and thus exposes a potential security leak on non-JSF requests. A servlet Filter can be fired on every single HTTP request, regardless of the target servlet.

In other words: HTTP request authorization should not be tied to having the FacesContext available, but to the ServletRequest available. Always try to authorize as "low level" as possible.
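As an added example (not code from the question or the answer above): the same role-to-page check rewritten as a servlet Filter mapped to /app/*, so it runs on every HTTP request under that path, whether or not the FacesServlet is the target. The session attribute name "role", the /app/ prefix, the redirect targets and the role-to-page table are assumptions made for illustration; a real deployment takes them from the application's own login code.

```java
// Added example, not the original post's code. Authorizes every request under
// /app/*, including non-JSF resources such as a PDF download that a PhaseListener
// never sees because the FacesServlet is never invoked for it.
import java.io.IOException;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter(urlPatterns = "/app/*")
public class RoleAuthorizationFilter implements Filter {

    // Assumed role-to-page table (context-relative paths). The PDF entry is a
    // non-JSF resource; only a Filter can protect it.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
        "user",  Set.of("/app/home.xhtml", "/app/profile.xhtml"),
        "admin", Set.of("/app/home.xhtml", "/app/profile.xhtml",
                        "/app/admin.xhtml", "/app/export/users.pdf"));

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // servletPath + pathInfo is already decoded and normalized by the container,
        // unlike the raw request URI.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        // Assumption: the login code stores the role under the session attribute "role".
        HttpSession session = request.getSession(false);
        String role = session == null ? null : (String) session.getAttribute("role");

        if (!isAllowed(role, path)) {
            // No FacesContext exists here, so redirect instead of handleNavigation().
            response.sendRedirect(request.getContextPath()
                + (role == null ? "/login.xhtml" : "/prohibited.xhtml"));
            return;
        }
        chain.doFilter(req, res); // authorized: continue to the target servlet
    }

    // Exact match. A substring test such as lastIndexOf("/admin") > -1 would also
    // accept "/app/notadmin.xhtml"; an unknown role or unauthenticated user fails closed.
    static boolean isAllowed(String role, String path) {
        if (role == null) {
            return false;
        }
        Set<String> pages = ALLOWED.get(role);
        return pages != null && pages.contains(path);
    }
}
```

Because the Filter runs before any servlet, it sees a request for /app/export/users.pdf exactly as it sees one for /app/admin.xhtml, which is the gap the answer describes. The same check can also be expressed declaratively with container-managed security (security-constraint and auth-constraint in web.xml), as the Coderanch reply suggests.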
