3

我的web.xml

    <context-param>
            <param-name>javax.faces.PROJECT_STAGE</param-name>
            <param-value>Development</param-value>
        </context-param>

        <welcome-file-list>
            <welcome-file>/secured/secure.xhtml</welcome-file>
        </welcome-file-list>

        <servlet>
            <servlet-name>Faces Servlet</servlet-name>
            <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
            <load-on-startup>1</load-on-startup>
        </servlet>

        <servlet-mapping>
            <servlet-name>Faces Servlet</servlet-name>
            <url-pattern>*.xhtml</url-pattern>
        </servlet-mapping>

        <context-param>
            <param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
            <param-value>true</param-value>
        </context-param> 
    <security-constraint>
        <web-resource-collection>
          <web-resource-name>Restricted</web-resource-name>
          <url-pattern>/secured/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>ADMIN</role-name>
        </auth-constraint>
      </security-constraint>
<login-config>
     <auth-method>FORM</auth-method>
     <realm-name>jdbc-realm</realm-name>
     <form-login-config>
       <form-login-page>/public/login.xhtml</form-login-page>
       <form-error-page>/public/error.xhtml</form-error-page>
     </form-login-config>
   </login-config>

我希望我的网络应用程序将未经授权的用户重定向到登录页面。有趣的是我有这个工作,但我做了一些愚蠢的改变,现在访问localhost:8080时我总是看到secure.xhtml,即使没有登录。localhost:8080/secured/secure.xhtml重定向很好。

4

1 回答 1

7

您没有<welcome-file>完全正确使用。它应该代表在请求文件夹时需要提供的文件的唯一文件名,而与请求的文件夹无关(根目录/、或/public//secured/等)。

欢迎文件由内部前锋提供,如RequestDispatcher#forward(). 内部转发不会触发安全约束。您需要改为发送重定向。

将 更改<welcome-file>为更合理的默认值,例如index.xhtml.

<welcome-file-list>
    <welcome-file>index.xhtml</welcome-file>
</welcome-file-list>

并在 webapp 的根目录中创建一个,例如/index.xhtml. 如果您需要将每个请求重定向/index.xhtml/secured/secure.xhtml,那么基本上有两种方法:

  1. 在方法Filter的 URL 模式上映射 a/index.xhtml并调用。例如response.sendRedirect("secured/secure.xhtml")doFilter()

    @WebFilter("/index.xhtml")
    public class IndexFilter implements Filter {
    
        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
            HttpServletResponse response = (HttpServletResponse) res;
            response.sendRedirect("secured/secure.xhtml"));
        }
    
        // ...
    }
    
  2. 将 a 放入<f:event type="preRenderView">其中/index.xhtml调用一个支持 bean 方法,该方法又执行一个externalContext.redirect("secured/secure.xhtml"). 例如

    <f:event type="preRenderView" listener="#{indexBean.redirect}" />
    

    @ManagedBean
    @ApplicationScoped
    public class IndexBean {
    
        public void redirect() throws IOException {
            FacesContext.getCurrentInstance().getExternalContext().redirect("secured/secure.xhtml");
        }
    
    }
    
于 2012-04-17T14:37:25.293 回答