1

Currently I want to refactor my project and remove the /faces/ from the URLs. The reason is simple: I want to prevent users from "removing" the faces part and seeing the source of the underlying xhtml file.

I'm using Shiro for authentication. I'll first describe the prior situation (that worked) and then the new one, which is causing trouble.

Prior Situation:

web.xml:

<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>

shiro.ini

[urls]
/faces/index.xhtml = authc
/faces/pages/** = authc
/faces/templates/** = authc
/faces/resources/** = authc

Current Situation:

web.xml:

<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

shiro.ini

[urls]
/index.xhtml = authc
/pages/** = authc
/templates/** = authc
/resources/** = authc

For people who might still have "faces" bookmarks, I added a filter that does this:

HttpServletRequest srequest = (HttpServletRequest) request;
HttpServletResponse sresponse = (HttpServletResponse) response;

String url = srequest.getRequestURI().trim();
System.out.println("Filtering url: " + url);

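if (url.contains("/faces/")) {
    // Old bookmark: strip the /faces/ segment and redirect permanently.
    url = url.replace("/faces/", "/");

    System.out.println("Redirecting to: " + url);
    // sendRedirect() always answers 302, so set the 301 status and Location header directly.
    sresponse.setStatus(HttpResponseCodes.SC_MOVED_PERMANENTLY);
    sresponse.setHeader("Location", url);
} else {
    // No filtering required, proceed with chain.
    chain.doFilter(request, response);
}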

Now, when I cleared the browser cache and called http://localhost/project/login.xhtml, I received a huge number of attempts to find xhtml files inside the various resource folders:

12:27:46,735 INFO [stdout] (http--0.0.0.0-8090-6) Filtering url: /project/resources/css/login.xhtml

12:27:46,737 INFO [stdout] (http--0.0.0.0-8090-6) Filtering url: /project/resources/css/login.xhtml

12:27:46,836 INFO [stdout] (http--0.0.0.0-8090-6) Filtering url: /project/resources/js/login.xhtml

12:27:46,837 INFO [stdout] (http--0.0.0.0-8090-1) Filtering url: /project/resources/js/login.xhtml

...

which is obviously wrong. Switching back to the prior layout, but keeping the redirect filter, does not cause any invalid requests.


2 Answers

3

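This is because requests for JSF resources (CSS/JS/image files) are also being blocked by Shiro and redirected to login.xhtml. Did you notice that all the CSS/JS/images on the login page have disappeared?

You need to map /javax.faces.resource/* requests to anon in shiro.ini.

/javax.faces.resource/** = anon

answered 2013-05-21T10:53:27.640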
0

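I found the solution:

In shiro.ini, I had also changed authc.loginUrl = /faces/login.xhtml to authc.loginUrl = login.xhtml.

Combined with the rule /resources/** = authc, this now led to an endless loop of trying to access a resource and being redirected to login.xhtml inside the resource folder.

1.) I have now changed the loginUrl to authc.loginUrl = /login.xhtml.

2.) I noticed that protecting the resources this way no longer makes sense, because I also want to access stylesheets and such without being logged in. (It worked in the previous version because the resources were not accessed via the /faces/ path, so Shiro did not protect them anyway.)

answered 2013-05-21T10:52:45.290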
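The redirect behaviour both answers describe, traced in a small Python model that is an added example and not code from the question or from Shiro. It assumes first-match-wins [urls] rules, that a loginUrl without a leading slash is resolved against the URL being requested (which is what the logged paths show), and a constructed stylesheet name.

```python
from urllib.parse import urljoin

CONTEXT = "/project"  # context path seen in the logged URLs

# [urls] rules from the question, then with the changes from both answers.
BROKEN = [("/index.xhtml", "authc"), ("/pages/**", "authc"),
          ("/templates/**", "authc"), ("/resources/**", "authc")]
FIXED = [("/javax.faces.resource/**", "anon"), ("/resources/**", "anon"),
         ("/index.xhtml", "authc"), ("/pages/**", "authc"),
         ("/templates/**", "authc")]

def filter_for(path, rules):
    """First matching pattern wins; an unmatched path is not filtered."""
    for pattern, name in rules:
        if pattern.endswith("/**"):
            if path.startswith(pattern[:-2]):
                return name
        elif path == pattern:
            return name
    return "anon"

def follow(request_uri, login_url, rules, max_hops=5):
    """Trace an unauthenticated request; return (visited URIs, outcome)."""
    chain = [request_uri]
    for _ in range(max_hops):
        path = chain[-1][len(CONTEXT):]
        # authc lets the login page itself through; anon serves anything.
        if filter_for(path, rules) != "authc" or path == login_url:
            return chain, "served"
        if login_url.startswith("/"):
            target = CONTEXT + login_url            # context-relative
        else:
            target = urljoin(chain[-1], login_url)  # relative to this request
        if target == chain[-1]:
            return chain, "redirect loop"
        chain.append(target)
    return chain, "redirect loop"

if __name__ == "__main__":
    css = CONTEXT + "/resources/css/style.css"  # constructed file name
    for label, login, rules in [("relative loginUrl", "login.xhtml", BROKEN),
                                ("absolute loginUrl", "/login.xhtml", BROKEN),
                                ("resources anon", "/login.xhtml", FIXED)]:
        print(label, *follow(css, login, rules))
```

In the second case the stylesheet request ends at the login page's HTML rather than at the CSS, which is why the page renders unstyled until the resource paths are mapped to anon.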