1

I am using IceFaces 1.8.2. I want to create a Filter so that people cannot access unauthorized URLs of my application.

I attempted to created a Filter like this:

public class AuthenticationFilter implements Filter {

    private FilterConfig config;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.config=filterConfig;
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req=(HttpServletRequest)request;
        HttpServletResponse resp=(HttpServletResponse)response;
        //HttpSession session=req.getSession(true);
        String pageRequested=req.getRequestURL().toString();
        System.out.println("Page Requested="+pageRequested);

        HttpSession session = req.getSession(false);
        if (!session.isNew()) {
          if(ManageCustomerMbeans.AUTH_KEY!=null){
            System.out.println(":::::::::::::::::::::::::Login Authenticate");
            chain.doFilter(req, resp);
          }
        }
        else {
            System.out.println("::::::::::::::::::::::::::Not Authenticate");
          //Session has expired - redirect to login.jsp
        }
    }

    public void destroy() {

    }

}

But the result is that the restricted page still shows if I type in its URL. If I block the other page like this:

if (!(pageRequested.contains("Login.jsp")&&session.getAttribute(ManageCustomerMbeans.AUTH_KEY)==null)) {
    System.out.println("Filter Error!!!");
    resp.sendRedirect("./error");
} else {
    chain.doFilter(request, response);
}

nothing happend too.

How do I properly create a Filter for an IceFaces based web application?

************UPDATE**************

After correction from Mr. BalusC, i do many correction in my Filter class plus a little tweak because iam using icefaces 1.8.2..this is my correction and it works:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {

        HttpServletRequest req=(HttpServletRequest)request;
        HttpServletResponse resp=(HttpServletResponse)response;
        HttpSession session = req.getSession(false);
        String pageRequested=req.getRequestURL().toString();

        String resources="resources/";
        String xmlhttp="xmlhttp/";
        String kaptcha="kaptcha.jpg";
        String block="block/";
        if(pageRequested.contains("login")||pageRequested.contains(resources)
                ||pageRequested.contains(block)||pageRequested.contains(xmlhttp)
                ||pageRequested.contains(kaptcha)||pageRequested.contains("error")
                ||pageRequested.contains("logout")||pageRequested.contains("lsuccess")){

            chain.doFilter(req, resp);
        }else{

            if (session != null && session.getAttribute(ManageUsersMBeans.AUTH_KEY) != null) {

            chain.doFilter(req, resp);
            } else {

                resp.sendRedirect(req.getContextPath() + "/error");
            }
        }



    }

and in web.xml:

    <filter>
        <filter-name>AuthenticationFilter</filter-name>
        <filter-class>com.do.tools.util.AuthenticationFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>AuthenticationFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

Thanks

4

2 回答 2

3

如果过滤器根本没有被调用,即该doFilter()方法从未被执行,那么过滤器映射是完全错误的。您需要验证<filter-mapping>in web.xml。它必须映射到<servlet-name>FacesServlet覆盖<url-pattern>受限页面,例如/app/*/secured/*等,具体取决于您的文件夹结构。

如果确实调用了过滤器,那么您的代码逻辑流程是完全错误的。让我们看看您的第一次尝试:

HttpSession session = req.getSession(false);

if (!session.isNew()) {
  if(ManageCustomerMbeans.AUTH_KEY!=null){
    chain.doFilter(req, resp);
  }
} else {
  //Session has expired - redirect to login.jsp
}

这个流程显然是错误的。首先,您正在获得会话,false这意味着它可能会返回null,但您永远不会检查它。然后,您正在检查是否最近创建了会话,如果返回非空会话,则永远不可能。因此,始终输入第一个块。然后你正在检查一个常量值是否不为空,但这永远不可能,因为它显然是一个常量。所以,你总是调用。假设该常量表示属性键,则需要改写如下:truegetSession(false)iffalsechain.doFilter()

HttpSession session = req.getSession(false);

if (session != null && session.getAttribute(ManageCustomerMbeans.AUTH_KEY) != null) {
    chain.doFilter(req, resp);
} else {
    resp.sendRedirect(req.getContextPath() + "/login.jsp");
}

这将检查会话是否不为空并包含登录用户。如果为真,则继续请求,否则重定向到登录页面。您只需要确保登录页面与过滤器的映射不匹配,否则您需要if在请求 URI 的块中添加额外的检查。

您的第二次尝试也是错误的:

if (!(pageRequested.contains("Login.jsp")&&session.getAttribute(ManageCustomerMbeans.AUTH_KEY)==null)) {
    resp.sendRedirect("./error");
} else {
    chain.doFilter(request, response);
}

如果用户没有进入登录页面,这将始终重定向到错误页面。如果用户在未登录的情况下进入登录页面,这只会继续请求。这种逻辑毫无意义。但如果你说“不行”,那只能说明过滤器映射错了。

于 2011-11-28T11:25:53.433 回答
0

如果您想限制对 url 的未经授权的访问,最好的方法是使用Servlets Security.

一些链接:

保护容器

下面是一个示例,它只允许管理员访问受保护的页面。

<security-constraint>

      <web-resource-collection>

          <web-resource-name>secured</web-resource-name>

          <url-pattern>/secured/*</url-pattern>

          <http-method>GET</http-method>

          <http-method>POST</http-method>

     </web-resource-collection>

     <auth-constraint>

          <role-name>Manager</role-name>

     </auth-constraint>

    <user-data-constraint>

         <transport-guarantee>CONFIDENTIAL</transport-guarantee>

    </user-data-constraint>

</security-constraint>

<security-constraint>

    <web-resource-collection>

         <web-resource-name>unsecured</web-resource-name>

               <url-pattern>/unsecured/*</url-pattern>

               <http-method>GET</http-method>

               <http-method>POST</http-method>

        </web-resource-collection>

        <auth-constraint>

               <role-name>*</role-name>

         </auth-constraint>

</security-constraint>
于 2011-11-28T07:16:24.520 回答