0

我真的需要任何帮助。我有一个在 tomcat 6 上运行 PrimeFaces 的 JSF 应用程序。

我以为我已经完成了应用程序,但是在测试它时,我发现了一个巨大的问题。当我在计算机 1 上使用用户(例如“admin”)登录应用程序,然后在计算机 2 上使用另一个用户(例如“peter”)登录时,computer1 现在无法访问允许用户 admin 访问的页面。如果我稍后以管理员用户身份再次登录计算机 1,那么现在在计算机 2 中,彼得可以访问所有允许管理的页面。

就像我对所有的 tomcat 会话或类似的东西都有一个会话。

我搜索了抛出我的应用程序,但没有发现 @applicationScoped 的任何内容,我拥有所有 @sessionScoped bean。

我不知道该怎么办。请帮忙。

我在这里附上我的自定义过滤器:

public abstract class AbstractLoginFilter implements javax.servlet.Filter {

protected ServletContext servletContext;

@Override
public void init(FilterConfig filterConfig) {
    servletContext = filterConfig.getServletContext();
}

@Override
public void doFilter(
        ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;
    String pageReq = req.getRequestURL().toString();        
    HttpSession session = req.getSession(false);

    String[] temp = pageReq.split("/faces", 2);

    String url = temp[1];
    resp.setCharacterEncoding("UTF-8");
    req.setCharacterEncoding("UTF-8");

    if ("/login.xhtml".equals(url)) { 

        continueExecution(chain, request, response);
    } else {

        if (session == null) {

            //session timeout check.
            if (req.getRequestedSessionId() != null && !req.isRequestedSessionIdValid()) {

                System.out.println("La sesión ha expirado");
                session = req.getSession(true);

                //si es un ajax
                if ("partial/ajax".equals(req.getHeader("Faces-Request"))) {
                    resp.setContentType("text/xml");
                    resp.getWriter().append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>").printf("<partial-response><redirect url=\"%s\"></redirect></partial-response>", "/Autorack/faces/login.xhtml");
                } else {
                    resp.sendRedirect("/Autorack/faces/login.xhtml");
                }
            }
        } else {
            if (Global.getLoggedUser() == null) {
                resp.sendRedirect("/Autorack/faces/login.xhtml");
            } else {
                if (isPublicPage(url) || isAuth(url)) {
                    continueExecution(chain, request, response);
                } else {

                    resp.sendRedirect("/Autorack/faces/noAutorizacion.xhtml");
                }
            }
        }
    }
}

private void continueExecution(FilterChain chain, ServletRequest request, ServletResponse response) throws ServletException, IOException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;

    //when i make a BACK
    if (!req.getRequestURI().startsWith(req.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) { // Skip JSF resources (CSS/JS/Images/etc)
        resp.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        resp.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        resp.setDateHeader("Expires", 0); // Proxies.
    }
    chain.doFilter(request, response);
}

private boolean isPublicPage(String url) {
    List<String> urlsPublicas = new ArrayList<String>();
    urlsPublicas.add("/inicio.xhtml");
    urlsPublicas.add("/noAutorizacion.xhtml");
    urlsPublicas.add("/usuario/CambioPassword.xhtml");

    return urlsPublicas.contains(url);


}

@Override
public void destroy() {
}

/**
 * logic to accept or reject access to the page, check log in status
 * @return true when authentication is deemed valid
 */
protected abstract boolean isAuth(String reqPage);
}

这是我的 web.xml

<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<filter>
    <description>Customizable Filter</description>
    <filter-name>customFilter</filter-name>
    <filter-class>com.oriuken.autorack.security.LoginFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>customFilter</filter-name>
    <url-pattern>*.xhtml</url-pattern>                
</filter-mapping>
<error-page>
    <error-code>401</error-code>
    <location>/noAutorizacion.xhtml?faces-redirect=true</location>
</error-page>
<context-param>
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Production</param-value>
</context-param>
<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<session-config>
    <session-timeout>30</session-timeout>
</session-config>
<welcome-file-list>
    <welcome-file>faces/index.xhtml</welcome-file>
</welcome-file-list>
<context-param>
    <param-name>primefaces.THEME</param-name>
    <param-value>casablanca</param-value>
</context-param>
<context-param>
    <param-name>primefaces.PUSH_SERVER_URL</param-name>
    <param-value>ws://localhost:8088</param-value>
</context-param>
<context-param>
<param-name>javax.faces.DATETIMECONVERTER_DEFAULT_TIMEZONE_IS_SYSTEM_TIMEZONE</param-name>
<param-value>true</param-value>

感谢您提供任何线索!

4

1 回答 1

0

而不是使用

Global.getLoggedUser()

获取一些ThreadLocal我们已经实施的方法来实现相同的目标。

这是一些可能对您有所帮助的代码片段...

public class UserHolder {

private static ThreadLocal<User> userThreadLocal = new ThreadLocal<User>();

private static Log log = LogFactory.getLog(UserHolder.class);

public UserHolder(User user) {
    if (userThreadLocal.get() == null) {
        userThreadLocal.set(user);
        log.debug("User bound to thread " + user.getUsername()); 
    } else {
        log.debug("User already bound to thread " + user.getUsername());
    }
}

public static User getUser() {
    return userThreadLocal.get();
}

public static void setUser(User user) {
        userThreadLocal.set(user);
}

public static void remove() {
    userThreadLocal.remove();
}
}

UserHolder在应用程序过滤后身份验证中,我们通过从会话变量中读取用户来设置用户,例如:

 new UserHolder((User) session.getAttribute("USER_ATTR_KEY"));
 // deliver request to next filter
 chain.doFilter(request, response);
于 2012-08-16T04:28:30.170 回答