GET请求输入字段中的旧值 [英] Old values in input fields by GET request
问题描述
我在文件 loginform.xhtml 中得到了这个JSF表单:
I have got this JSF form in the file loginform.xhtml:
<h:form>
<h:panelGrid columns="3" styleClass="components" cellpadding="5px">
<h:outputText value="#{msg['login.username']}"/>
<h:inputText id="username" value="#{userManager.loginUser.username}" required="true"/>
<h:message styleClass="error" for="username"/>
<h:outputText value="#{msg['login.password']}"/>
<h:inputSecret id="password" value="#{userManager.loginUser.password}"
required="true"/>
<h:message styleClass="error" for="password"/>
<h:commandButton value="#{msg['login.confirm']}"
action="#{userManager.doLogin}"/>
</h:panelGrid>
</h:form>
使用此ManagedBean:
With this ManagedBean:
public class UserManager implements Serializable {
/**
* Creates a new instance of UserManager
*/
public UserManager() {
}
private UserRecord loginUser = new UserRecord();
private UserRecord sessionUser;
@EJB
private UserRecordFacadeLocal userRecordFacade;
public UserRecord getLoginUser() {
return loginUser;
}
public void setLoginUser(UserRecord loginUser) {
this.loginUser = loginUser;
}
public UserRecord getSessionUser() {
return sessionUser;
}
public void setSessionUser(UserRecord sessionUser) {
this.sessionUser = sessionUser;
}
public String doLogout() {
setSessionUser(null);
return "logout";
}
public String doLogin() {
if (userRecordFacade.authorizedAcces(loginUser.getUsername(), loginUser.getPassword())) {
setSessionUser(loginUser);
return "success";
}
return "failure";
}
}
这是我的问题:如果我在loginform.xhtml中键入GET请求(在我的情况下为http://localhost:8080/Impetus-web/loginform.xhtml
),则该表格将被旧值填充!甚至更正确的值-这对于系统的安全性确实很不利:-).如果我通过h:link标记导航到此页面,也会发生同样的情况.仅当我通过POST请求(通过commandButton f.e.)跳转到该页面时,它才可以正常工作.
Here is my question: if I type a GET request to loginform.xhtml (in my case: http://localhost:8080/Impetus-web/loginform.xhtml
), the form is filled by the old values! Even more correct values - this is really bad for the security of the system :-). The same happens, if I make the navigation to this page via h:link tag. It works fine only in the case, if I jump to the page via POST request (via commandButton f. e.).
怎么可能?
推荐答案
JSF不会这样做(作为证据,请查看生成的HTML输出).网络浏览器可以做到这一点.此功能称为自动填充"/自动完成".只需通过在各个输入组件中添加autocomplete="off"
来告诉它不要这样做.
JSF doesn't do that (as evidence, look in generated HTML output). The webbrowser does that. This feature is called "autofill"/"autocomplete". Just tell it to not do that by adding autocomplete="off"
to the individual input components.
<h:inputText ... autocomplete="off" />
<h:inputSecret ... autocomplete="off" />
或者如果您使用的是JSF 2.2(或者正在使用 OmniFaces Html5RenderKit
),您还可以在整个表单范围内进行设置.
Or if you're on JSF 2.2 (or are using OmniFaces Html5RenderKit
), you could also set it form-wide.
<h:form ... autocomplete="off">
这篇关于GET请求输入字段中的旧值的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!