Are there any issues with inserting a check into a template?
Question

Are there any issues if I insert a check into the template file? For example, if I insert the user check into the template's xhtml file, could it be a security issue if I use this template in ALL my xhtml pages?

Something like:
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ui="http://java.sun.com/jsf/facelets"
      xmlns:h="http://java.sun.com/jsf/html">
    <h:head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <title><ui:insert name="title">Default Title</ui:insert></title>
        <h:outputStylesheet name="css/jsfcrud.css"/>
    </h:head>
    <h:body>
        <!-- The whole page body is only rendered when a user (with a surname) is in the session bean. -->
        <h:panelGroup rendered="#{userBean.cognome!=null}">
            Utente connesso:<h:outputText value="#{userBean.cognome}"/> <h:outputText value="#{userBean.nome}"/>
            <h1><ui:insert name="title">Default Title</ui:insert></h1>
            <p><ui:insert name="body">Default Body</ui:insert></p>
        </h:panelGroup>
    </h:body>
</html>
Accepted answer

I understand that you're checking the presence of the logged-in user before displaying the content. This may be okay this way, but any user who opens the page without being logged in will receive blank content. This is not very user friendly. You'd like to redirect a non-logged-in user to the login page.

This is normally already taken into account if you're using Java EE provided container-managed authentication. But if you're homegrowing authentication, you'd need to create a servlet filter for this. If you collect all restricted pages in a common folder like /app so that you can use a common URL pattern for the filter, e.g. /app/* (and put all public pages such as the login page outside this folder), then you should be able to filter out non-logged-in users as follows, assuming that #{userBean} is a session scoped JSF @ManagedBean or some session attribute which you've put in session scope yourself:
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Runs before JSF for every request under /app/*, so it also covers pages that don't use the template.
@WebFilter("/app/*")
public class LoginFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException {
        // NOOP.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false) does not create a session for anonymous visitors.
        HttpSession session = request.getSession(false);
        // "userBean" is the default session attribute name of a session scoped @ManagedBean UserBean.
        UserBean user = (session != null) ? (UserBean) session.getAttribute("userBean") : null;

        if (user == null || user.getCognome() == null) {
            response.sendRedirect(request.getContextPath() + "/login.xhtml"); // No logged-in user found, so redirect to login page.
        } else {
            chain.doFilter(req, res); // Logged-in user found, so just continue request.
        }
    }

    @Override
    public void destroy() {
        // NOOP.
    }
}
See also:
- How to handle authentication/authorization with users in a database?
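The filter in the answer is the right place for the check: a rendered="false" in the template only suppresses output, while the request for a restricted page is still processed, and any page that does not use the template is not covered at all. As an added example (not code from the original answer), the filter below keeps the same /app/* gate and session-scoped UserBean check and adds two things a homegrown login filter usually misses: a JSF ajax request (identified by the Faces-Request: partial/ajax header that jsf.js sends) must be answered with a partial-response redirect, because a plain 302 to login.xhtml would leave the client-side script with an unparsable response, and restricted pages should be sent with no-cache headers so the browser's back button after logout does not replay them from cache. The UserBean type, the "userBean" attribute name and the /login.xhtml location are taken from the answer; the class name is mine.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not the original answer's code. Assumes the restricted pages live under /app
// and the login page outside it, exactly as the answer prescribes.
@WebFilter("/app/*")
public class HardenedLoginFilter implements Filter {

    // Assumption: the login page is at /login.xhtml, outside the filtered /app folder,
    // otherwise the filter would redirect to itself in a loop.
    private static final String LOGIN_PAGE = "/login.xhtml";

    @Override
    public void init(FilterConfig config) throws ServletException {
        // NOOP.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isLoggedIn(request)) {
            String loginURL = request.getContextPath() + LOGIN_PAGE;

            if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
                // JSF ajax request: answer with the partial-response redirect that jsf.js understands.
                // A normal 302 would make the client try to parse login.xhtml as XML and do nothing.
                response.setContentType("text/xml");
                response.setCharacterEncoding("UTF-8");
                response.getWriter().printf(
                    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                    + "<partial-response><redirect url=\"%s\"></redirect></partial-response>",
                    loginURL);
            } else {
                // Normal (non-ajax) request: plain redirect to the login page.
                response.sendRedirect(loginURL);
            }
            return; // Do not continue the chain for anonymous requests.
        }

        // Logged in: forbid caching of the restricted page so that after logout the
        // browser cannot show it again from its cache via the back button.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        chain.doFilter(req, res);
    }

    // Same check as the answer's filter: a session scoped UserBean with a non-null cognome.
    // getSession(false) avoids creating sessions for anonymous visitors.
    static boolean isLoggedIn(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        Object attribute = session.getAttribute("userBean");
        return attribute instanceof UserBean && ((UserBean) attribute).getCognome() != null;
    }

    @Override
    public void destroy() {
        // NOOP.
    }
}
```

Register it in place of the answer's LoginFilter (only one of the two should map /app/*). The instanceof check is deliberate: a stale or foreign object under the "userBean" attribute name then counts as not logged in instead of throwing a ClassCastException out of the filter.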