Primefaces Login Application


Problem description

Possible duplicate:

JSF HTTP Session Login

I am using Primefaces to implement my web application. In my implementation the user can log in to the system, then they can load the redirected pages again by copying that URL without logging in again. How can I prevent this?

This is my login logic:

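public String doLogin() {
    // Hard-coded admin credentials redirect to the "table" view.
    if (username != null &&
        username.equals("admin") &&
        password != null &&
        password.equals("admin")) {
        msg = "table?faces-redirect=true";
    } else if (user_name.contains(username) &&
               pass_word.contains(password) &&
               !user_name.contains("admin")) {
        // Any other matching username/password redirects to the "table1" view.
        msg = "table1?faces-redirect=true";
    }
    // Note: nothing is stored in the HTTP session here, so the target pages
    // cannot tell whether the request comes from a logged-in user.
    return msg;
}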


Recommended answer

If the user session hasn't expired, then this is normal behavior for web applications. If the session has expired, then you must make sure there is a logged-in user and that he/she has the privileges to access the page he/she's using in the URL. You can achieve this using a Filter.

I'm assuming your web app is on a Java EE 6 container like Tomcat 7 or GlassFish 3.x:

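import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

//"*.xhtml" is the extension-mapping form; "/*.xhtml" is treated as an exact path
@WebFilter(filterName = "MyFilter", urlPatterns = {"*.xhtml"})
public class MyFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(
        ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        //get the request page
        String requestPath = httpServletRequest.getRequestURI();
        if (!requestPath.contains("home.xhtml")) {
            boolean validate = false;
            //getting the session object (false: do not create one for anonymous requests)
            HttpSession session = httpServletRequest.getSession(false);
            //check if there is a user logged in your session
            //I'm assuming you save the user object in the session (not the managed bean).
            User user = (session != null) ? (User) session.getAttribute("LoggedUser") : null;
            if (user != null) {
                //check if the user has rights to access the current page
                //you can omit this part if you only need to check if there is a valid user logged in
                ControlAccess controlAccess = new ControlAccess();
                if (controlAccess.checkUserRights(user, requestPath)) {
                    validate = true;
                    //you can add more logic here, like log the access or similar
                }
            }
            if (!validate) {
                HttpServletResponse httpServletResponse = (HttpServletResponse) response;
                httpServletResponse.sendRedirect(
                    httpServletRequest.getContextPath() + "/home.xhtml");
                //stop here: the request must not continue down the chain after the redirect
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}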

Some implementation for your ControlAccess class:

import java.util.List;

public class ControlAccess {

    public ControlAccess() {
    }

    public boolean checkUserRights(User user, String path) {
        UserService userService = new UserService();
        //assuming there is a method to get the right access for the logged users.
        List<String> urlAccess = userService.getURLAccess(user);
        //substring match: any request path that contains a granted URL is accepted
        for (String url : urlAccess) {
            if (path.contains(url)) {
                return true;
            }
        }
        return false;
    }
}






While looking for a nice way to explain this, I found a better answer from BalusC (JSF expert). This is JSF 2 based:

  • JSF HTTP Session Login
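
The following is an added example, not part of the original answer. It compares the substring test used in checkUserRights (path.contains(url)) with an exact match on the path after the context path and any path parameters are removed. The class name PathAccessCheck, its method names, the "/app" context path and the sample URIs are all assumptions constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example: hypothetical stand-in for the answer's ControlAccess check.
public class PathAccessCheck {

    // Substring check, equivalent to the loop in ControlAccess.checkUserRights.
    static boolean containsCheck(Set<String> granted, String requestUri) {
        for (String url : granted) {
            if (requestUri.contains(url)) {
                return true;
            }
        }
        return false;
    }

    // Exact check: drop path parameters and the context path, then require equality.
    static boolean exactCheck(Set<String> granted, String contextPath, String requestUri) {
        String path = requestUri;
        int semi = path.indexOf(';'); // ";jsessionid=..." style path parameters
        if (semi >= 0) {
            path = path.substring(0, semi);
        }
        if (!path.startsWith(contextPath + "/")) {
            return false; // not inside this application: deny
        }
        return granted.contains(path.substring(contextPath.length()));
    }

    public static void main(String[] args) {
        // Constructed sample data: a regular user granted only /table1.xhtml.
        Set<String> granted = new HashSet<String>(Arrays.asList("/table1.xhtml"));
        String ctx = "/app";
        String[] uris = {
            "/app/table1.xhtml",
            "/app/table1.xhtml;jsessionid=ABC",
            "/app/admin/table1.xhtml",
            "/app/table.xhtml"
        };
        for (String uri : uris) {
            System.out.printf("%-36s contains=%-5b exact=%b%n",
                uri, containsCheck(granted, uri), exactCheck(granted, ctx, uri));
        }
    }
}
```

The third sample URI is where the two checks disagree: the substring test accepts a page in another directory because its path ends with a granted file name, while the exact match denies it.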
