在模板中插入一些支票是否有问题? [英] Are there some issue at inserting some check into template?

问题描述

如果我在模板文件中插入一些支票会不会有问题?例如，如果我将用户检查插入模板的 xhtml 文件中，如果我在所有 xhtml 页面中使用此模板，可能会出现一些安全问题?

Are there some issues if I insert some check into the template file? For example if I insert the user check into the template's xhtml file it could be some security issue if I use this template in ALL my xhtml pages?

类似于:

<?xml version='1.0' encoding='UTF-8' ?> 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:ui="http://java.sun.com/jsf/facelets"
      xmlns:h="http://java.sun.com/jsf/html">
    <h:head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <title><ui:insert name="title">Default Title</ui:insert></title>
        <h:outputStylesheet name="css/jsfcrud.css"/>
    </h:head>
    <h:body>
        <h:panelGroup rendered="#{userBean.cognome!=null}">
            Utente connesso:<h:outputText value="#{userBean.cognome}"/>&nbsp;<h:outputText value="#{userBean.nome}"/>
            <h1><ui:insert name="title">Default Title</ui:insert></h1>
            <p><ui:insert name="body">Default Body</ui:insert></p>
        </h:panelGroup>
    </h:body>
</html>

推荐答案

我了解到您在显示内容之前要检查登录用户是否存在.这样可能没问题，但是任何未登录就打开页面的用户将收到空白内容.这对用户不是很友好.您想将未登录的用户重定向到登录页面.

I understand that you're checking the presence of the logged-in user before displaying the content. This may be okay this way, but any user who opens the page without being logged-in will receive blank content. This is not very user friendly. You'd like to redirect a non-logged-in user to the login page.

如果您使用 Java EE 提供的容器管理身份验证，通常已经考虑到这一点.但是，如果您在国内进行身份验证，则需要为此创建一个 servlet 过滤器.如果您将所有受限页面收集在像 /app 这样的公共文件夹中，以便您可以为过滤器使用公共 URL 模式，例如/app/*(并且把登录页面等所有公共页面outside这个文件夹)，那么你应该可以过滤掉非登录用户如下，假设 #{userBean} 是会话范围的 JSF @ManagedBean 或您自己放入会话范围的某些会话属性:

This is normally already taken into account if you're using Java EE provided container managed authentication. But if you're homegrowing authentication, you'd need to create a servlet filter for this. If you collect all restricted pages in a common folder like /app so that you can use a common URL pattern for the filter, e.g. /app/* (and put all public pages such as the login page outside this folder), then you should be able to filter out non-logged-in users as follows, assuming that #{userBean} is a session scoped JSF @ManagedBean or some session attribute which you've put in session scope yourself:

@WebFilter("/app/*")
public class LoginFilter implements Filter {

    @Override
    public void init(FilterConfig config) throws ServletException {
        // NOOP.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        UserBean user = (session != null) ? (UserBean) session.getAttribute("userBean") : null;

        if (user == null || user.getCognome() == null) {
            response.sendRedirect(request.getContextPath() + "/login.xhtml"); // No logged-in user found, so redirect to login page.
        } else {
            chain.doFilter(req, res); // Logged-in user found, so just continue request.
        }
    }

    @Override
    public void destroy() {
        // NOOP.
    }

}

另见:

• 如何处理用户的身份验证/授权数据库?

这篇关于在模板中插入一些支票是否有问题?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！