JSF form-login-page redirect hits before my filter


Problem description


I'm trying to implement a remember-me function in my Java EE 6 application, but I have issues combining it with the built-in security feature. I have the following configuration in my web.xml:

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>my-realm</realm-name>
    <form-login-config>
        <form-login-page>/login.jsf</form-login-page>
        <form-error-page>/login.jsf</form-error-page>
    </form-login-config>
</login-config>


What I'm trying to create is a filter that automatically logs a person in if their session is expired, if they have a cookie containing some data. This works, but when the filter is called, the redirect to login.jsf has already come into effect, before I have a chance to do anything about it. I assumed that filters are called before Java EE's own security system since they actually are called on secured pages, but this seems to not be the case. Is there some way to let the user come to the same page that they requested instead of being redirected to login.jsf?

The filter:

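import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter(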
    filterName="authFilter",
    servletNames={
        "Faces Servlet"
    }
)
public class AuthFilter implements Filter {

    public AuthFilter() {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        User user = (User)req.getSession().getAttribute("user");
        if(user == null){
            String uuid = CookieUtil.getCookieValue(req, "rememberme");
            if(uuid != null){
                UserBean userBean = EJBUtil.lookup(UserBean.class);
                RememberMe rememberme = userBean.findRememberMe(uuid);
                if(rememberme != null){
                    user = rememberme.getUser();
                    try{
                        req.login(user.getEmail(), user.getPasswordDigest());
                        req.getSession().setAttribute("user", user);
                        CookieUtil.addCookie(res, "rememberme", uuid, CookieUtil.AGE_ONE_YEAR);
                    }catch(ServletException e){ /* login rejected: continue unauthenticated */ }
                }
                else{
                    CookieUtil.removeCookie(res, "rememberme");
                }
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }
}

Recommended answer


Container managed authentication is indeed invoked before all filters. This is a security restriction.

You basically have 3 options:

  • Use programmatic filtering and login instead so that you have more fine-grained control.
  • Do the job in preRenderView event method of the bean associated with login.jsf instead.
  • Grab a framework which supports "Remember me" facility on top of container managed security transparently, such as Apache Shiro or Spring Security.
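
A sketch of the first option, added here as an example and not part of the original answer: the filter itself decides access, so the container never redirects before it runs. It assumes the protected pages sit under a hypothetical `/app/*` path with no `<security-constraint>` on them in web.xml; `User`, `UserBean`, `RememberMe`, `CookieUtil` and `EJBUtil` are the question's own helpers, used as they appear there.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example. Assumes protected pages live under /app/* (hypothetical) and that
// web.xml has no <security-constraint> on them, so this filter decides access.
// User, UserBean, RememberMe, CookieUtil and EJBUtil are the question's own helpers.
@WebFilter(filterName = "programmaticAuthFilter", urlPatterns = "/app/*")
public class ProgrammaticAuthFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        if (req.getUserPrincipal() == null && !loginFromCookie(req, res)) {
            // Not authenticated and no usable cookie: send to the login page ourselves.
            res.sendRedirect(req.getContextPath() + "/login.jsf");
            return;
        }
        chain.doFilter(request, response); // the originally requested page is served
    }

    private boolean loginFromCookie(HttpServletRequest req, HttpServletResponse res) {
        String uuid = CookieUtil.getCookieValue(req, "rememberme");
        if (uuid == null) return false;
        RememberMe rememberme = EJBUtil.lookup(UserBean.class).findRememberMe(uuid);
        if (rememberme == null) {
            CookieUtil.removeCookie(res, "rememberme"); // unknown or revoked token
            return false;
        }
        User user = rememberme.getUser();
        try {
            req.login(user.getEmail(), user.getPasswordDigest()); // credentials as in the question
            req.getSession().setAttribute("user", user);
            return true;
        } catch (ServletException e) {
            // Realm rejected the login: drop the cookie and fall back to the login page.
            CookieUtil.removeCookie(res, "rememberme");
            return false;
        }
    }

    @Override public void init(FilterConfig filterConfig) {}
    @Override public void destroy() {}
}
```

Because `/login.jsf` is outside `/app/*`, the redirect does not loop back through the filter.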
