使用会话和cookie进行Servlet身份验证 [英] Servlet authentication using sessions and cookies
问题描述
我需要实现简单的servlet用户身份验证(在Java Dynamic Web Project中),但是有些事情使我非常困惑.
I need to implement simple servlet user authentication (in Java Dynamic Web Project) but there are things that confuse me quite a bit.
首先,尽管出于某种原因,该servlet创建了cookie JSESSIONID
,但我从未要求这样做.而且,如果执行 request.addCookie(new Cookie("JSESSIONID",session.getId()))
,我将无法更改其值,
Firstly, the servlet for some reason creates the cookie JSESSIONID
although I never ask it to. And moreover, I cannot change its value, if I do request.addCookie(new Cookie("JSESSIONID", session.getId()))
, it makes something like this:
Cookie: JSESSIONID=6B5B441038414B4381EDB7470018F90E; JSESSIONID=7890D45DF445635C49BDEB3CADA8AD99; .......
因此,它复制了cookie.
so, it duplicates the cookie.
其次,我不确定在哪里比较cookie和会话的ID,以及在哪里以及如何正确创建会话(即 request.getSession(true?/false?/none?);
)
Secondly, I'm not sure where to compare cookie and session's id, and where and how to create session correctly (i.e. request.getSession(true? / false? / nothing?);
)
我已经阅读了一些文档,但仍然需要帮助.
I've read some documentation but still need help.
我有servlet HomeServlet
,如果用户未通过身份验证,则应该将用户重定向到 authentication
页面.
I have the servlet HomeServlet
which shoud redirect user to authentication
page if the user is not authenticated.
这是我的操作方式( HomeServlet.java
):
Here's how I do that (HomeServlet.java
):
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
if(request.getSession().getAttribute("user") != null) {
request.getRequestDispatcher("/WEB-INF/index.jsp").forward(request, response);
} else {
response.sendRedirect("authentication");
}
}
我还具有 AuthServlet
,该代码为jsp页面提供身份验证表单并验证用户.
And I also have AuthServlet
which serves jsp page with authentication forms and validates users.
AuthServlet.java
:
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String action = request.getParameter("ACTION");
if ("login".equals(action)) {
String[] result = doSomeValidations();
if (result.size() > 0) { // show validation errors
request.setAttribute("errorLoginMessage", result);
request.setAttribute("email", email);
doGet(request, response);
} else { // authenticate user
request.getSession().setAttribute("user", userObject);
request.getRequestDispatcher("/WEB-INF/index.jsp").forward(request, response);
}
} else if ("signup".equals(action)) {
// ...........................
} else {
doGet(request, response);
}
}
那么,您能帮助我理解这一点吗?如何实现用户身份验证并在整个会话过程中保持用户登录状态?
So, could you help me with understanding that? How do I implement user authentication and keep the user logged in throughout the session?
推荐答案
首先,由于某种原因,servlet创建了cookie JSESSIONID尽管我从不要求
Firstly, the servlet for some reason creates the cookie JSESSIONID although I never ask it to
HttpSession jsession = request.getSession();
您正在此处请求会话,容器会以响应方式创建 JSESSIONID
cookie
you are requesting a session here and JSESSIONID
cookie is created by the container in response
如何正确创建会话request.getSession(true?/false?/什么?);
how to create session correctly request.getSession(true? / false? / nothing?);
request.getSession()
和 request.getSession(true)
完全相同,如果需要,它们会启动一个新会话,但是 request.getSession(false)
表示是否已经有一个会话使用,但如果没有,则不要开始.您想如何开始会话以及在何处开始完全取决于您的要求
request.getSession()
and request.getSession(true)
are exactly the same they start a new session if needed ,but request.getSession(false)
means if there is already a session use it but if there isn't don't start one.
How and where you want to start the session is dependent entirely on your requirements
response.addCookie(new Cookie("JSESSIONID", jsession.getId()));
您不可以自己添加 JSESSIONID
cookie,容器会为您完成.
you are not suppossed to add a JSESSIONID
cookie yourself , the container will do it for you .
此外,您还应该在您的应用中创建一次会话,一旦 JSESSIONID
cookie存储在用户的浏览器中(启用了cookie)(它将启用),它将随请求一起发送.
Also you should create session once in your app , once the JSESSIONID
cookie is stored in the user's browser(provided cookies are enabled) ,it will be sent along with the request.
我如何实现用户身份验证
How do I implement user authentication
主观性强且取决于要求,您可以阅读 https://docs.oracle.com/cd/E19226-01/820-7627/bncby/index.html
Highly subjective and depends on requirements , you can read this https://docs.oracle.com/cd/E19226-01/820-7627/bncby/index.html
在整个会话过程中保持用户登录
keep the user logged in throughout the session
您的会话Cookie将在用户通过身份验证后为您提供帮助,例如登录Facebook并保持"cookie"标签保持打开状态
Your session cookies will help you with that once the user has been authenticated ,as an example login to facebook and keep your cookies tab open
这篇关于使用会话和cookie进行Servlet身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!