我发现这篇文章如何基于会话 cookie 创建用户会话过滤器。
基于几个教程,我创建了这个简单的示例:
<filter>
<filter-name>SessionFilter</filter-name>
<filter-class>com.DX_57.AC_57.SessionFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>SessionFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<error-page>
<error-code>401</error-code>
<location>DX-57/SR-57</location>
</error-page>
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// ! Don't forget configuration in web.xml
public class SessionFilter implements Filter
{
private FilterConfig filterConfig = null;
public SessionFilter()
{
}
@Override
public void init(FilterConfig filterConfig) throws ServletException
{
this.filterConfig = filterConfig;
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException
{
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse res = (HttpServletResponse) response;
if (req.getUserPrincipal() == null)
{
req.getSession().setAttribute("from", req.getRequestURI());
res.sendRedirect("DX-57/SR-57/Home.jsf");
}
else
{
chain.doFilter(request, response);
}
}
@Override
public void destroy()
{
}
}
进入教程我发现session cookie是用来识别用户的。但是我可以使用例如浏览器 ID 或其他独特的东西来创建和验证用户会话吗?保护 JSF 应用程序的最佳实践是什么?