JSF转发和安全性约束问题 [英] Problem with JSF forwarding and security constraint
问题描述
我正在制作其中某些页面受登录保护的Web应用程序.我为此在glassfish中创建了一个JDBC安全领域,并使用了表单身份验证(类似于方法
I'm making a web application in which certain pages are login-protected. I have created a JDBC security realm in glassfish for this, and used Form authentication (Similar to the method described here)
我正在使用导航规则将用户重定向到网站的安全区域:
I'm using Navigation rules to redirect the user to the secured areas of the website:
<navigation-case>
<from-outcome>showResults</from-outcome>
<to-view-id>/SecureUser/Reservation/New/AvailableResults.xhtml</to-view-id>
<redirect/>
</navigation-case>
(etc...)
这很好.但是,如果我在导航案例中跳过了重定向标记,则页面的URL不会改变.在这种情况下,未经身份验证的用户可以访问受保护的页面.
This works fine. But if I skip the redirect tag in the navigation-case, then the URL of the page doesn't change. And in that case, an unauthenticated user is able to access the secured page.
解决此问题的最佳方法是什么?确保页面被重定向而不是转发就足够了吗?我是否应该在每个检查用户是否已登录的安全页面中编写代码?
What is the best way to go about this? Making sure that the page is redirected instead of forwarded is good enough? Should I write code in every secured page that checks whether the user is logged in or not?
推荐答案
使用POST进行页到页导航被认为是不好的做法.不要将JSF h:commandLink或h:commandButton用于简单的页面到页面导航.两者都生成完全不必要的POST形式,并且SEO不友好,以便进行简单导航.而是使用h:link或h:button代替.它分别呈现了普通的GET链接和GET表单.
Using POST for page-to-page navigation is considered bad practice. Don't use JSF h:commandLink or h:commandButton for simple page-to-page navigation. Both generates a POST form which is totally unnecessary and SEO-unfriendly for simple navigation. Rather use h:link or h:button instead. It renders a plain vanilla GET link and GET form respectively.
如果您仍在提交POST表单,而结果页面与表单页面不同,则使用
If you are submitting a POST form anyway and the result page is different from the form page, then using PRG (Post-Redirect-Get) pattern is considered good practice. You can use <redirect/> for this.
这篇关于JSF转发和安全性约束问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
