1

我正在使用 SessionFilter servlet 来验证用户,然后向他们授予系统访问权限。我的受限文件位于名为“com.shadibandhan.Restricted”的文件夹中。会话过滤器工作正常。

这是sessionfilter servlet的相关代码

@Override
public void doFilter(ServletRequest req, ServletResponse res,
        FilterChain chain) throws IOException, ServletException {

    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    String servletPath = request.getServletPath();
    String contextPath = request.getContextPath();
    String remoteHost = request.getRemoteHost();
    String url = contextPath + servletPath;
    boolean allowedRequest = false;

    if (urlList.contains(servletPath)) {
        allowedRequest = true;
    }

    if (!allowedRequest) {
        HttpSession session = request.getSession(false);
        if (null == session) {

            System.out.println("Session is not present");
            response.sendRedirect(contextPath);
            return;

        } if (null != session) {
            //String loggedIn = (String) session.getAttribute("sb_logged_in");
            System.out.println("Session is present");
            System.out.println("\nSession no. is = " + session.getId());

            if (session.getAttribute("logged-in") == "true") {
                System.out.println("Session logged-in attribute is true, " + session.getAttribute("sessionUsername") + " is logged in.");

                //ServletContext context = request.getServletContext();
                RequestDispatcher dispatcher = request.getRequestDispatcher(servletPath);
                dispatcher.forward(request, response);
            } else {
                System.out.println("Session logged-in attribute is not true");
                response.sendRedirect(contextPath);
            }
        }
    }

    chain.doFilter(req, res);
}

现在,当用户登录时,我将他的用户名和配置文件 ID 放在 httpsession 中,这是与登录页面绑定的 bean。

@ManagedBean
@SessionScoped
public class UserLoginManagedBean {

    private User user = null;
    private String username = null;
    private String password = null;
    private ServiceProvider server = null;
    HttpServletRequest request = null;
    HttpServletResponse response = null;
    HttpSession session = null;
    private Date date;
    private int profileActiveness=0;
    private int profileActivenessPercentage=0;

    public UserLoginManagedBean() {
        this.user = new User();
        this.server = ServiceProvider.getInstance();
    }

    public String validateLogin() {

        System.out.println("Inside validate login");
        boolean isUserValid = false;

        System.out.println(this.username + " " + this.password);

        isUserValid = this.authenticate(username, password);

        if (isUserValid) {
            //this.user = found;
            System.out.println("User is valid---Redirecting to messages.xhtml");
            return "com.shadibandhan.Restricted/profile.xhtml?faces-redirect=true";

        } else {
            //addGlobalErrorMessage("Unknown login, please try again");
            return null;
        }
    }

    public boolean authenticate(String username, String password) {
        boolean isUserValid = false;
        String status = null;

        //isUserValid = this.server.authenticateUser(this.username, this.password);

        this.user = (User) this.server.getRecordByTwoColumns(User.class, "username" , this.username, "password", this.password);

        if(null != this.user){
            isUserValid = true;
        }else{
            isUserValid = false;
        }

        if (isUserValid) {

            FacesContext context = FacesContext.getCurrentInstance();
            this.request = (HttpServletRequest) context.getExternalContext().getRequest();
            this.response = (HttpServletResponse) context.getExternalContext().getResponse();
            this.session = request.getSession(true);
//                 if there's no session, it'll creat a new one due to the true flag


            status = this.updateUserRecord();


            if (status.equals("success")) {
                if (null != this.session) {

                    session.setAttribute("sessionUsername", this.user.getUsername());
                    session.setAttribute("sessionProfileId", this.user.getProfile().getProfileId());
                    session.setAttribute("logged-in", "true");

                    System.out.println("Session username is --->" + session.getAttribute("sessionUsername"));
                }

            } else {
                isUserValid = false;
                FacesMessage msg = new FacesMessage("Something went wrong");
                FacesContext.getCurrentInstance().addMessage(null, msg);
            }
        }

        return isUserValid;
    }

    public String logOut() {
        FacesContext context = FacesContext.getCurrentInstance();
        System.out.println("inside logout method");
        this.request = (HttpServletRequest) context.getExternalContext().getRequest();

        if (null != this.request) {

            this.session = request.getSession(false);
            session.invalidate();
            System.out.println("Session is now invalidated");
            return "../index.xhtml?faces-redirect=true";
        } else {
            System.out.println("You're already signed out");
            return null;
        }
    }

    private String updateUserRecord() {
        String status = null;

       Date lastLoginDate=this.user.getLastLogin();
       Date currentDate= new Date();
       this.profileActiveness=this.user.getProfileActiveness();


                SimpleDateFormat format = new SimpleDateFormat("yy-MM-dd HH:mm:ss");

        try {
            lastLoginDate = format.parse(lastLoginDate.toString());
            currentDate = format.parse(currentDate.toString());
        } catch (ParseException e) {
            e.printStackTrace();
        }    

        // Get msec from each, and subtract.
        long diff = currentDate.getTime() - lastLoginDate.getTime();
        long diffSeconds = diff / 1000;         
        long diffMinutes = diff / (60 * 1000);         
        long diffHours = diff / (60 * 60 * 1000);                      
        System.out.println("Time: " + diff + " .");
        System.out.println("Time in seconds: " + diffSeconds + " seconds.");         
        System.out.println("Time in minutes: " + diffMinutes + " minutes.");         
        System.out.println("Time in hours: " + diffHours + " hours.");
        if(diffHours<12)
        {
            if(profileActiveness<8){
            profileActiveness++;
            profileActivenessPercentage=(int) (profileActiveness*12.5);
            this.user.setProfileActiveness(this.profileActiveness);
            }
            }
        if(diffHours>71)
        {
            if(profileActiveness>2){
            profileActiveness-=2;
            profileActivenessPercentage=(int) (profileActiveness*12.5);
            this.user.setProfileActiveness(this.profileActiveness);
            }
            else{
            profileActiveness=0;
            }
        }



        this.user.setLastLogin(this.getCurrentDate());
        this.user.setLoginStatus(true);

        status = this.server.updateObject(this.user);

        return status;
    }

    // ...
}

而且,在另一个名为 MessagesManagedBean 的托管 bean(请求范围)中,当我在用户登录后尝试获取配置文件 id 时,它就像一个魅力。

现在,我有两个问题:

  1. 每当我尝试从受限文件夹访问页面时,该页面绑定了一个 bean,其中包含一些与 http 会话相关的代码,在本例中为 MessagesManagedBean,它给了我一个无法实例化 bean 异常,因为我正在获取属性在构造函数中,为什么?
  2. 甚至,当我没有登录时,每当我尝试访问与它绑定的页面时,它都会调用 bean 构造函数。
4

1 回答 1

3

chain.doFilter()在致电后继续请求response.sendRedirect()sendRedirect()仅使用浏览器将处理的新 URL 设置响应Location标头。但是如果你继续请求chain.doFilter(),那么整个JSF流程仍然会被执行。

您需要return;在调用后添加一条语句sendRedirect()以退出过滤器。

} else {
    System.out.println("Session logged-in attribute is not true");
    response.sendRedirect(contextPath);
    return;
}

与具体问题无关,您在会话范围 bean 中存在重大设计错误。您永远不应该将 HTTP 请求、响应和会话分配为 bean 的实例变量。这使您的会话范围 bean 线程不安全。删除所有这些属性并仅在同一方法块内声明它们为线程本地的。

于 2012-06-12T15:58:02.110 回答