Basic Security in JSF


Question

I would like to see a simple Login Application, not as simple as this though.

What I would like to achieve is an understanding of how JSF works. I've developed a lot of ASP.NET, where you have the code behind and where you can just check if a session was created upon Login.

A similar solution in JSF would be great.

This is basically what I want to achieve:

  • Login page
  • If OK
    • Create a session and return "success"
    • Return "failure"

    (The "success" and "failure" outcomes are mapped in faces-config.xml)

    At the success page I want to be certain that the user is logged in, so one should not be able to navigate to "success.jspx" if you have not got the correct session.

    Recommended answer

    There is no inherent authentication functionality in core JSF beyond being able to use things like component rendered attributes geared towards role-based security.

    By default, a JSF application relies on the same container-managed security mechanisms as the web component that contains it (JEE5 tutorial). 3rd party frameworks like Seam can provide alternatives.

    If you want to add your own application security, a servlet filter is one of the simpler mechanisms.

    This filter protects resources under the restricted directory as defined in web.xml:

      <filter>
        <filter-name>AuthenticationFilter</filter-name>
        <filter-class>restricted.AuthenticationFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>AuthenticationFilter</filter-name>
        <url-pattern>/restricted/*</url-pattern>
      </filter-mapping>
    

    The filter class implementation:

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class AuthenticationFilter implements Filter {
      private FilterConfig config;

      public void doFilter(ServletRequest req, ServletResponse resp,
          FilterChain chain) throws IOException, ServletException {
        // Only requests whose session carries the marker set by the login bean pass through
        if (((HttpServletRequest) req).getSession().getAttribute(
            AuthenticationBean.AUTH_KEY) == null) {
          // Not logged in: send the browser to the login page instead of the resource
          ((HttpServletResponse) resp).sendRedirect("../restricted_login.faces");
        } else {
          chain.doFilter(req, resp);
        }
      }

      public void init(FilterConfig config) throws ServletException {
        this.config = config;
      }

      public void destroy() {
        config = null;
      }
    }
    

    A login bean defined in faces-config.xml:

    import javax.faces.context.FacesContext;

    public class AuthenticationBean {
      // Session key checked by the filter; a non-null value means the user is logged in
      public static final String AUTH_KEY = "app.user.name";

      private String name;
      public String getName() { return name; }
      public void setName(String name) { this.name = name; }

      public boolean isLoggedIn() {
        return FacesContext.getCurrentInstance().getExternalContext()
            .getSessionMap().get(AUTH_KEY) != null;
      }

      // Stores the name in the session and navigates to the "secret" outcome
      public String login() {
        FacesContext.getCurrentInstance().getExternalContext().getSessionMap().put(
            AUTH_KEY, name);
        return "secret";
      }

      // Removes the marker; returning null re-renders the current view
      public String logout() {
        FacesContext.getCurrentInstance().getExternalContext().getSessionMap()
            .remove(AUTH_KEY);
        return null;
      }
    }
    

    The JSF login form in the restricted_login.jsp page:

      <f:view>
        <p><a href="restricted/secret.faces">try to go to secret
        page</a></p>
        <h:form>
          Username:
          <h:panelGroup rendered="#{not authenticationBean.loggedIn}">
            <h:inputText value="#{authenticationBean.name}" />
            <h:commandButton value="login"
              action="#{authenticationBean.login}" />
          </h:panelGroup>
          <h:commandButton value="logout"
            action="#{authenticationBean.logout}"
            rendered="#{authenticationBean.loggedIn}" />
        </h:form>
      </f:view>
    

    (The redirect URL/mechanism was chosen for brevity rather than any sort of best practice; see the Servlet API for more options.)
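    As an added example (not the answer's code) of the tighter variant that last note points at: the same session-attribute check, but with the redirect built from the servlet context path instead of "../", no session created for anonymous visitors, and the login marker set through a helper that rotates the session id first. The helper names markLoggedIn/markLoggedOut, moving AUTH_KEY onto the filter, and a Servlet 3.1 container (for changeSessionId()) are assumptions; the bean's login() would call the helper once it has accepted the user.

```java
package restricted;

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not the answer's code: same session-attribute scheme as the page's
// filter, with the redirect built from the context path, no session created for
// anonymous requests, and helpers the bean calls to set/clear the logged-in marker.
public class AuthenticationFilter implements Filter {
  public static final String AUTH_KEY = "app.user.name";   // same key as the page's bean
  private static final String LOGIN_PAGE = "/restricted_login.faces";

  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) resp;
    HttpSession session = request.getSession(false);   // null for a first-time visitor
    if (session == null || session.getAttribute(AUTH_KEY) == null) {
      // Context-relative target works from any depth under /restricted/,
      // unlike the "../" path used in the answer.
      response.sendRedirect(response.encodeRedirectURL(
          request.getContextPath() + LOGIN_PAGE));
      return;
    }
    // Keep protected pages out of browser/proxy caches so logout really hides them
    response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
    chain.doFilter(req, resp);
  }

  /** Called by the login bean after it has accepted the user; rotates the session id
      (Servlet 3.1) so an id issued before login is not promoted to an authenticated one. */
  public static void markLoggedIn(HttpServletRequest request, String user) {
    request.getSession(true);      // ensure a session exists before rotating its id
    request.changeSessionId();
    request.getSession().setAttribute(AUTH_KEY, user);
  }

  /** Called by the bean's logout(); invalidating (rather than only removing the key)
      also drops anything else the application stored in the session. */
  public static void markLoggedOut(HttpServletRequest request) {
    HttpSession session = request.getSession(false);
    if (session != null) session.invalidate();
  }

  public void init(FilterConfig config) {}
  public void destroy() {}
}
```

    In the bean, login() becomes a call to AuthenticationFilter.markLoggedIn((HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest(), name) followed by return "secret", and logout() calls markLoggedOut the same way.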

