0

可能重复:
JSF HTTP 会话登录

我正在使用 Primefaces 来实现我的 Web 应用程序。在我的实现中,用户可以登录到系统,然后他们可以通过复制该 URL 再次加载重定向页面而无需再次登录。我怎样才能防止这种情况?

这是我的登录逻辑:

public String doLogin() {
    if(username != null  &&
        username.equals("admin") &&
        password != null  &&
        password.equals("admin")) {
        msg = "table?faces-redirect=true";
    } else
        if(user_name.contains(username) &&
            pass_word.contains(password) &&
            !user_name.contains("admin")) {
            msg = "table1?faces-redirect=true";
        }
    }
    return msg;
}
4

2 回答 2

2

如果用户会话没有过期,那么这是 Web 应用程序的正常行为。如果会话已过期,那么您必须确保有一个已登录的用户,并且该用户有权访问他/她在 URL 中使用的页面。您可以使用过滤器来实现此目的。

我假设您的 Web 应用程序位于 Java EE 6 容器上,例如 Tomcat 7 或 GlassFish 3.x:

@WebFilter(filterName = "MyFilter", urlPatterns = {"/*.xhtml"})
public class MyFilter implements Filter {

    public void doFilter(
        ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

        //get the request page
        String requestPath = httpServletRequest.getRequestURI();
        if (!requestPath.contains("home.xhtml")) {
            boolean validate = false;
            //getting the session object
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
            HttpSession session = (HttpSession)httpServletRequest.getSession();
            //check if there is a user logged in your session
            //I'm assuming you save the user object in the session (not the managed bean).
            User user = (User)session.get("LoggedUser");
            if (user != null) {
                //check if the user has rights to access the current page
                //you can omit this part if you only need to check if there is a valid user logged in
                ControlAccess controlAccess = new ControlAccess();
                if (controlAccess.checkUserRights(user, requestPath)) {
                    validate = true;
                    //you can add more logic here, like log the access or similar
                }
            }
            if (!validate) {
                HttpServletResponse httpServletResponse = (HttpServletResponse) response;
                httpServletResponse.sendRedirect(
                    httpServletRequest.getContextPath() + "/home.xhtml");
            }
        }
        chain.doFilter(request, response);
    }
}

您的 ControlAccess 类的一些实现:

public class ControlAccess {

    public ControlAccess() {
    }

    public boolean checkUserRights(User user, String path) {
        UserService userService = new UserService();
        //assuming there is a method to get the right access for the logged users.
        List<String> urlAccess = userService.getURLAccess(user);
        for(String url : urlAccess) {
            if (path.contains(url)) {
                return true;
            }
        }
        return false;
    }
}

在寻找解释这一点的好方法时,我从 BalusC(JSF 专家)那里找到了更好的答案。这是基于 JSF 2 的:

于 2012-10-01T04:31:20.330 回答
0

您可以进行基于表单的身份验证,以保护您的内页不被未经身份验证的用户访问。

您还可以让容器使用 JDBC 领域身份验证为您处理身份验证,如本例所示

于 2012-10-01T05:48:07.727 回答