Basic Security in JSF

Question

I would like to see a simple Login Application, not as simple as this though.

What I would like to achieve is an understanding on how JSF works, I've developed a lot of ASP.NET where you have the code behind and where you can just check if a session was created upon Login.

A similar solution in JSF would be great.

This is basically what I want to achieve:

  • Login page
  • IF OK
    • Create session and return "success"
    • Return "failure"

      (The "success" and failure are mapped to faces-config.xml)

      At the success-page I want to be Certain that the user is logged in, so one should Not be able to navigate to "success.jspx" if you have not got the correct session.

      Recommended answer

      There is no inherent authentication functionality in core JSF beyond being able to use things like component rendered attributes geared towards role-based security.

      By default, a JSF application relies on the same container-managed security mechanisms as the web component that contains it (JEE5 tutorial). 3rd party frameworks like Seam can provide alternatives.

      If you want to add your own application security, a servlet filter is one of the simpler mechanisms.

      This filter protects resources under the restricted directory as defined in web.xml:

        <filter>
          <filter-name>AuthenticationFilter</filter-name>
          <filter-class>restricted.AuthenticationFilter</filter-class>
        </filter>
        <filter-mapping>
          <filter-name>AuthenticationFilter</filter-name>
          <url-pattern>/restricted/*</url-pattern>
        </filter-mapping>
      

      The filter class implementation:

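      package restricted; // matches <filter-class> in web.xml

      import java.io.IOException;
      import javax.servlet.Filter;
      import javax.servlet.FilterChain;
      import javax.servlet.FilterConfig;
      import javax.servlet.ServletException;
      import javax.servlet.ServletRequest;
      import javax.servlet.ServletResponse;
      import javax.servlet.http.HttpServletRequest;
      import javax.servlet.http.HttpServletResponse;

      public class AuthenticationFilter implements Filter {
        private FilterConfig config;
      
        public void doFilter(ServletRequest req, ServletResponse resp,
            FilterChain chain) throws IOException, ServletException {
          // The login bean stores the user name under AUTH_KEY;
          // a missing attribute means the user is not logged in.
          if (((HttpServletRequest) req).getSession().getAttribute(
              AuthenticationBean.AUTH_KEY) == null) {
            // Not logged in: send the browser to the login page.
            ((HttpServletResponse) resp).sendRedirect("../restricted_login.faces");
          } else {
            // Logged in: pass the request on to the restricted resource.
            chain.doFilter(req, resp);
          }
        }
      
        public void init(FilterConfig config) throws ServletException {
          this.config = config;
        }
      
        public void destroy() {
          config = null;
        }
      }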
      

      A login bean defined in faces-config.xml:

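      package restricted; // assumed: same package as the filter that reads AUTH_KEY

      import javax.faces.context.FacesContext;

      public class AuthenticationBean {
        // Session attribute name checked by AuthenticationFilter.
        public static final String AUTH_KEY = "app.user.name";
      
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
      
        // True when the session holds a user name under AUTH_KEY.
        public boolean isLoggedIn() {
          return FacesContext.getCurrentInstance().getExternalContext()
              .getSessionMap().get(AUTH_KEY) != null;
        }
      
        // Records the submitted name in the session; no credential check is
        // performed here. Returns the navigation outcome "secret".
        public String login() {
          FacesContext.getCurrentInstance().getExternalContext().getSessionMap().put(
              AUTH_KEY, name);
          return "secret";
        }
      
        // Removes the marker from the session; null keeps the current view.
        public String logout() {
          FacesContext.getCurrentInstance().getExternalContext().getSessionMap()
              .remove(AUTH_KEY);
          return null;
        }
      }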
      

      The JSF login form in the restricted_login.jsp page:

        <f:view>
          <p><a href="restricted/secret.faces">try to go to secret
          page</a></p>
          <h:form>
          Username:
          <h:panelGroup rendered="#{not authenticationBean.loggedIn}">
              <h:inputText value="#{authenticationBean.name}" />
              <h:commandButton value="login"
                action="#{authenticationBean.login}" />
            </h:panelGroup>
            <h:commandButton value="logout"
              action="#{authenticationBean.logout}"
              rendered="#{authenticationBean.loggedIn}" />
          </h:form>
        </f:view>
      

      (The redirect URL/mechanism was chosen for brevity rather than any sort of best practice; see the Servlet API for more options.)
