Problem with JSF forwarding and security constraint


Question

I'm making a web application in which certain pages are login-protected. I have created a JDBC security realm in glassfish for this, and used Form authentication (Similar to the method described here)

I'm using Navigation rules to redirect the user to the secured areas of the website:

<navigation-case>
        <from-outcome>showResults</from-outcome>
        <to-view-id>/SecureUser/Reservation/New/AvailableResults.xhtml</to-view-id>
        <redirect/>
</navigation-case>
(etc...)

This works fine. But if I skip the redirect tag in the navigation-case, then the URL of the page doesn't change. And in that case, an unauthenticated user is able to access the secured page.

What is the best way to go about this? Making sure that the page is redirected instead of forwarded is good enough? Should I write code in every secured page that checks whether the user is logged in or not?

Recommended answer

Using POST for page-to-page navigation is considered bad practice. Don't use JSF h:commandLink or h:commandButton for simple page-to-page navigation. Both generate a POST form which is totally unnecessary and SEO-unfriendly for simple navigation. Rather use h:link or h:button instead. They render a plain vanilla GET link and GET form respectively.

If you are submitting a POST form anyway and the result page is different from the form page, then using PRG (Post-Redirect-Get) pattern is considered good practice. You can use <redirect/> for this.
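As an added example (not from the original question or answer), here are the relevant fragments side by side: a navigation-case without <redirect/> makes JSF forward inside the same request, so the browser stays on the public form's URL and the container's security constraint, which is checked only against the URL the client actually requests, never sees the secured view; the redirecting case and a GET-based h:link make the client request the protected URL itself. The /SecureUser path is taken from the question; the role name, realm name and login page names are assumed.

```xml
<!-- web.xml: the container enforces this constraint on incoming client requests only;
     a server-side forward to /SecureUser/... inside another request bypasses it. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secured pages</web-resource-name>
    <url-pattern>/SecureUser/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>                          <!-- assumed role name -->
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>jdbcRealm</realm-name>                      <!-- assumed realm name -->
  <form-login-config>
    <form-login-page>/login.xhtml</form-login-page>       <!-- assumed page -->
    <form-error-page>/loginError.xhtml</form-error-page>  <!-- assumed page -->
  </form-login-config>
</login-config>
<security-role>
  <role-name>user</role-name>
</security-role>

<!-- faces-config.xml, weak: no <redirect/>, so the secured view is rendered by a
     forward while the browser still shows the public form's URL. An unauthenticated
     user who reaches this outcome sees the protected content. -->
<navigation-case>
  <from-outcome>showResults</from-outcome>
  <to-view-id>/SecureUser/Reservation/New/AvailableResults.xhtml</to-view-id>
</navigation-case>

<!-- faces-config.xml, corrected (PRG): the browser receives a 302 and issues a new GET
     for /SecureUser/..., which the container checks and, if needed, sends to the
     login page before the view is ever rendered. -->
<navigation-case>
  <from-outcome>showResults</from-outcome>
  <to-view-id>/SecureUser/Reservation/New/AvailableResults.xhtml</to-view-id>
  <redirect/>
</navigation-case>

<!-- Facelets page: for plain navigation, h:link renders a GET link to the view id,
     so neither a POST nor a forward is involved and the constraint always applies. -->
<h:link outcome="/SecureUser/Reservation/New/AvailableResults" value="Show results"/>
```

The web.xml constraint also covers a user who types the secured URL directly, which is exactly what per-page login checks would otherwise have to replicate; keeping the check in the container avoids that duplication.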
