0

我有一个安装了 spring security 的 JSF 项目,我使用 forward 方法进行登录。但我无法将页面重定向到 AuthenticationBean.java 中的secured.xhtml。似乎“forward()”方法会导致这种情况。但是身份验证无一例外地成功完成,我只是无法重定向页面。如果没有 forward 方法,我可以成功地重定向页面。那么,救命?

网页.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>

    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>

    <session-config>
        <session-timeout>
            30
        </session-timeout>
    </session-config>

    <welcome-file-list>
        <welcome-file>index.xhtml</welcome-file>
    </welcome-file-list>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
</web-app>

弹簧安全.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans 
        xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:security="http://www.springframework.org/schema/security"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<security:http auto-config="true" use-expressions="true" access-denied-page="/denied.xhtml">

    <security:intercept-url pattern="/login.xhtml" access="permitAll"/>
    <security:intercept-url pattern="/secured.xhtml" access="hasRole('ROLE_ADMIN')"/>

    <security:form-login
    login-page="/login.xhtml"
    authentication-failure-url="/login.xhtml?error=true"
    default-target-url="/"/>

    <security:logout
    invalidate-session="true"
    logout-success-url="/index.xhtml"
    logout-url="/logout.xhtml"/>

</security:http>

<security:authentication-manager>
    <security:authentication-provider user-service-ref="customUserDetailsService">
    <security:password-encoder ref="passwordEncoder"/>
    </security:authentication-provider>
</security:authentication-manager>

<bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>

   <bean id="customUserDetailsService" class="com.triune.services.CustomUserDetailsService"/>

</beans>

CustomUserDetailService.java(从不调用)

package com.triune.services;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import com.triune.dao.UserDAO;
import com.triune.entities.LoginCredential;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.transaction.annotation.Transactional;

@Transactional(readOnly = true)
public class CustomUserDetailsService implements UserDetailsService {

    private UserDAO userDAO = new UserDAO();
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException 
    {
        UserDetails user = null;

        try
        {
            LoginCredential dbUser = userDAO.searchDatabase(username);

            user =  new User(
                dbUser.getUsername(),
                dbUser.getPassword().toLowerCase(),
                true,
                true,
                true,
                true,
                getAuthorities(dbUser.getAccess()) 
            );
        }
        catch (Exception e) 
        {
            throw new UsernameNotFoundException("Error in retrieving user");
        }       
        return user;
    }

    public Collection<GrantedAuthority> getAuthorities(Integer access) 
    {
        List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2);

        authList.add(new SimpleGrantedAuthority("ROLE_USER"));

        if ( access.compareTo(1) == 0) 
        {
            authList.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
        }

        return authList;
    }
}

AuthenticationBean.java(由登录页面调用)

package com.triune.beans;

import java.io.IOException;
import java.io.Serializable;
import javax.enterprise.context.SessionScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Named;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

@Named("authenticationBean")
@SessionScoped
public class AuthenticationBean implements Serializable
{
    public String doLogin() throws IOException, ServletException
    {
        ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
        RequestDispatcher dispatcher = ((ServletRequest)context.getRequest()).getRequestDispatcher("j_spring_security_check");
        dispatcher.forward((ServletRequest)context.getRequest(), (ServletResponse)context.getResponse());
        FacesContext.getCurrentInstance().responseComplete();
        return "secured.xhtml";
    }

    public String doLogout()
    {
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "index.xhtml";
    }
}

login.xhtml(简单登录页面)

<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:p="http://primefaces.org/ui">
    <h:head>
        <title>Login Page</title>
    </h:head>
    <h:body>
        <h1>Login Please</h1>
        <p>This is a really simple login page.</p>
        <h:form id="loginForm" prependId="false">
            <h:panelGroup>
                Username : <p:inputText id="j_username" required="true"/>
            </h:panelGroup>
            <br/>
            <h:panelGroup>
                Password : <p:inputText id="j_password" required="true"/>
            </h:panelGroup>
            <br/><br/>
            <h:panelGroup>
                <p:commandButton type="submit" id="login" action="#{authenticationBean.doLogin()}" value="login"/>
            </h:panelGroup>
        </h:form>
    </h:body>
</html>
4

1 回答 1

0

在 JSF 中,当您在操作方法上返回 String 时,默认情况下它会触发转发,而不是重定向(除非您在上面配置了导航规则faces-config.xml并放在<redirect />上面)。

在您的情况下,您可以只redirect()从 ExternalContext 调用,而不是返回一个字符串:

在你的 utils 类中加入这样的方法(或者让你自己OmniFaces):

public static void redirect(String url) throws IOException {
    ExternalContext ctx = FacesContext.getCurrentInstance()
        .getExternalContext();
    if (url.startsWith("http://") || url.startsWith("https://")
            || url.startsWith("/")) {
        ctx.redirect(url);
    } else {
        ctx.redirect(ctx.getRequestContextPath() + "/" + url);
    }
}

并改变你的方法doLogin()

public void doLogin() throws IOException, ServletException
{
    ExternalContext context = FacesContext.getCurrentInstance().getExternalContext();
    RequestDispatcher dispatcher = ((ServletRequest)context.getRequest()).getRequestDispatcher("j_spring_security_check");
    dispatcher.forward((ServletRequest)context.getRequest(), (ServletResponse)context.getResponse());
    FacesContext.getCurrentInstance().responseComplete();
    redirect("secured.xhtml");
}

另请参阅此答案

于 2012-08-16T12:34:32.453 回答