1

我正在过渡到 GlassFish 3.1.2,但似乎无法解决身份验证问题。

议程很简单:我想要一个登录 bean 为用户进行编程身份验证。身份验证似乎有效(代码通过 login() 方法),但服务器最终显示受保护资源的 403 ......请帮助:)

这里有更多细节。有一个带有名称/密码对的纯 JSF 登录页面:

<ui:composition xmlns="http://www.w3.org/1999/xhtml"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:f="http://java.sun.com/jsf/core"
    xmlns:ui="http://java.sun.com/jsf/facelets"
    xmlns:p="http://primefaces.org/ui" template="/templates/main.xhtml">

    <ui:define name="body">
        <h:form id="form">
            <p:messages />

            <p:panel>
                <h:panelGrid>
                    <h:outputText value="User Name" />
                    <p:inputText value="#{loginBean.userName}" id="userName"
                        required="true" />
                    <p:message for="userName" />

                    <h:outputText value="Password" />
                    <p:password value="#{loginBean.password}" id="password"
                        required="true" />
                    <p:message for="password" />

                </h:panelGrid>

                <h:panelGrid columns="2">
                    <p:commandButton value="Clear"
                        actionListener="#{loginBean.clear()}" ajax="false" />

                    <p:commandButton value="Login" action="#{loginBean.login()}"
                        ajax="false" />
                </h:panelGrid>
            </p:panel>
        </h:form>
    </ui:define>
</ui:composition>

和一个执行登录的 bean

@Named("loginBean")
@SessionScoped
public class LoginBean implements Serializable {

    private static final long serialVersionUID = 1L;

    @Inject
    @Named("dao")
    private Dao dao;

    private String userName;

    private String password;

    @Inject
    private UserBean userBean;

    ...

    public String login() {
        HttpServletRequest request = (HttpServletRequest) FacesContext
                .getCurrentInstance().getExternalContext().getRequest();

        try {
            request.login(getUserName(), getPassword());

            Principal principal = request.getUserPrincipal();

            logger.info("Logged in successfully: " + principal);
        } catch (ServletException e) {
            Messages.addError("Invalid user name or password.");
            return null;
        }

        User user = dao.findSingle("SELECT u FROM User AS u WHERE u.name = ?1",
                getUserName());

        if (user == null) {
            logger.severe("Unable to find user record after successful authentication");

            Messages.addError("Unable to load user record");
            try {
                request.logout();
            } catch (ServletException e) {
                logger.log(Level.SEVERE, "Unable to logout after failed login attempt", e);
            }
            return null;
        }

        getUserBean().setUser(user);

        return "/list/list.xhtml?faces-redirect=true";
    }

    ... 

    accessors

    ...
}

这是我的 web.xml

<?xml version='1.0' encoding='UTF-8'?>

<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

    <display-name>GM</display-name>

    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>

    <!-- Faces Servlet -->
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>

    <login-config>
        <realm-name>gmRealm</realm-name>
    </login-config>

    <security-role>
        <role-name>user</role-name>
    </security-role>

    <security-role>
        <role-name>admin</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/list/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Area</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

    <welcome-file-list>
        <welcome-file>login.xhtml</welcome-file>
    </welcome-file-list>

</web-app>

这是项目的文件夹结构:

文件夹结构

我还能够按照此处讨论的方式设置领域:http: //blog.gamatam.com/2009/11/jdbc-realm-setup-with-glassfish-v3.html

没什么特别的,AFAICT。

但是,每当我在成功登录后访问受保护的资源时,我都会得到:

HTTP Status 403 - Access to the requested resource has been denied

尽管服务器日志包含以下消息:

INFO: Logged in successfully: nick

另请注意,当我从 login() 方法的返回值中删除“?faces-redirect = true”时,初始受保护资源在登录后立即呈现,但所有后续请求都失败并出现 403。

这是它在调试器中显示的内容:

调试视图

我也认为我已经完成了我的功课:

使用 j_security_check 在 Java EE / JSF 中执行用户身份验证

使用 Servlet 3.0 以编程方式控制登录

JSF 2.0 简单登录页面

Glassfish 3 安全性 - 使用 JDBC 领域的基于表单的身份验证

请帮忙...

4

2 回答 2

0

Oh, well, I guess this one is too deployment specific. I ended up re-conding the prototype in Spring for Tomcat stack. Works like charm now :).

于 2012-08-20T18:26:53.433 回答
-1

我认为您在 Spring Security 中不允许使用 jsf 资源。在 http 标记的 security.xml 中添加以下行。

<http .........>
    <intercept-url pattern="/javax.faces.resource/**" access="permitAll"/>
</http>
于 2016-08-24T06:21:13.807 回答