Old values in input fields by GET request


Question

I have got this JSF form in the file loginform.xhtml:

<h:form>
    <h:panelGrid columns="3" styleClass="components" cellpadding="5px">
        <h:outputText value="#{msg['login.username']}"/>
        <h:inputText id="username" value="#{userManager.loginUser.username}" required="true"/>
        <h:message styleClass="error" for="username"/>
        <h:outputText value="#{msg['login.password']}"/>
        <h:inputSecret id="password" value="#{userManager.loginUser.password}"
                       required="true"/>
        <h:message styleClass="error" for="password"/>
        <h:commandButton value="#{msg['login.confirm']}"
                         action="#{userManager.doLogin}"/>
    </h:panelGrid>
</h:form>

With this ManagedBean:

import java.io.Serializable;
import javax.ejb.EJB;

public class UserManager implements Serializable {

    // Bound to the login form fields (username and password).
    private UserRecord loginUser = new UserRecord();
    // The user currently logged in, or null.
    private UserRecord sessionUser;
    @EJB
    private UserRecordFacadeLocal userRecordFacade;

    /**
     * Creates a new instance of UserManager
     */
    public UserManager() {
    }

    public UserRecord getLoginUser() {
        return loginUser;
    }

    public void setLoginUser(UserRecord loginUser) {
        this.loginUser = loginUser;
    }

    public UserRecord getSessionUser() {
        return sessionUser;
    }

    public void setSessionUser(UserRecord sessionUser) {
        this.sessionUser = sessionUser;
    }

    public String doLogout() {
        setSessionUser(null);
        return "logout";
    }

    public String doLogin() {
        if (userRecordFacade.authorizedAcces(loginUser.getUsername(), loginUser.getPassword())) {
            setSessionUser(loginUser);
            return "success";
        }
        return "failure";
    }

}

Here is my question: if I type a GET request to loginform.xhtml (in my case: http://localhost:8080/Impetus-web/loginform.xhtml), the form is filled by the old values! Even more correct values - this is really bad for the security of the system :-). The same happens if I make the navigation to this page via the h:link tag. It works fine only in the case where I jump to the page via a POST request (via commandButton f. e.).

How is that possible?

Recommended answer

JSF doesn't do that (as evidence, look in the generated HTML output). The web browser does that. This feature is called "autofill"/"autocomplete". Just tell it to not do that by adding autocomplete="off" to the individual input components.

<h:inputText ... autocomplete="off" />
<h:inputSecret ... autocomplete="off" />

Or if you're on JSF 2.2 (or are using OmniFaces Html5RenderKit), you could also set it form-wide.

<h:form ... autocomplete="off">
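
An added example (not part of the original answer and not JSF's own tooling): a small Python check that parses a Facelets page and lists the h:inputText and h:inputSecret components that neither carry autocomplete="off" themselves nor sit inside an h:form that sets it. The sample markup is constructed, and the bean names other than userManager are hypothetical.

```python
import xml.etree.ElementTree as ET

# JSF HTML tag library namespaces: pre-2.2 and 2.2+.
JSF_HTML_NS = ("http://java.sun.com/jsf/html", "http://xmlns.jcp.org/jsf/html")
INPUT_TAGS = ("inputText", "inputSecret")

def _jsf_name(elem, names):
    """Return the local name if elem is one of the given h: tags, else None."""
    if elem.tag.startswith("{"):
        ns, _, name = elem.tag[1:].partition("}")
        if ns in JSF_HTML_NS and name in names:
            return name
    return None

def _is_off(elem):
    return elem.get("autocomplete", "").strip().lower() == "off"

def find_autofill_inputs(xhtml):
    """Return (tag, id) for every input the browser is still free to autofill."""
    findings = []

    def walk(elem, form_off):
        if _jsf_name(elem, ("form",)):
            form_off = _is_off(elem)      # form-wide setting (JSF 2.2 or OmniFaces)
        name = _jsf_name(elem, INPUT_TAGS)
        if name and not (form_off or _is_off(elem)):
            findings.append(("h:" + name, elem.get("id")))
        for child in elem:
            walk(child, form_off)

    walk(ET.fromstring(xhtml), False)
    return findings

# Constructed sample: form 1 mirrors the question's login form, form 2 uses the
# form-wide attribute, form 3 sets it on one component only.
SAMPLE = """<html xmlns="http://www.w3.org/1999/xhtml" xmlns:h="http://java.sun.com/jsf/html">
<h:body>
  <h:form>
    <h:inputText id="username" value="#{userManager.loginUser.username}" required="true"/>
    <h:inputSecret id="password" value="#{userManager.loginUser.password}" required="true"/>
  </h:form>
  <h:form autocomplete="off">
    <h:inputText id="search" value="#{bean.query}"/>
  </h:form>
  <h:form>
    <h:inputSecret id="pin" value="#{bean.pin}" autocomplete="off"/>
    <h:inputText id="note" value="#{bean.note}"/>
  </h:form>
</h:body>
</html>"""

if __name__ == "__main__":
    for tag, ident in find_autofill_inputs(SAMPLE):
        print(f"{tag} id={ident}: autocomplete is not off")
```

Browsers and password managers may still offer saved credentials for password fields even when the attribute is rendered, so this checks the markup, not browser behaviour.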
