java - Primefaces 登录应用程序

Question

Possible Duplicate:
JSF HTTP Session Login

我正在使用 Primefaces 来实现我的 Web 应用程序。在我的实现中，用户可以登录系统，然后他们可以通过复制该 URL 来再次加载重定向的页面，而无需再次登录。我怎样才能防止这种情况发生？

这是我的登录逻辑:

public String doLogin() {
    if(username != null  &&
        username.equals("admin") &&
        password != null  &&
        password.equals("admin")) {
        msg = "table?faces-redirect=true";
    } else
        if(user_name.contains(username) &&
            pass_word.contains(password) &&
            !user_name.contains("admin")) {
            msg = "table1?faces-redirect=true";
        }
    }
    return msg;
}

Answer 1

如果用户 session 尚未过期，则这是 Web 应用程序的正常行为。如果 session 已过期，则您必须确保有已登录的用户，并且该用户有权访问他/她在 URL 中使用的页面。您可以使用过滤器来实现此目的。

我假设您的 Web 应用程序位于 Tomcat 7 或 GlassFish 3.x 等 Java EE 6 容器上:

@WebFilter(filterName = "MyFilter", urlPatterns = {"/*.xhtml"})
public class MyFilter implements Filter {

    public void doFilter(
        ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

        //get the request page
        String requestPath = httpServletRequest.getRequestURI();
        if (!requestPath.contains("home.xhtml")) {
            boolean validate = false;
            //getting the session object
            HttpServletRequest httpServletRequest = (HttpServletRequest) request;
            HttpSession session = (HttpSession)httpServletRequest.getSession();
            //check if there is a user logged in your session
            //I'm assuming you save the user object in the session (not the managed bean).
            User user = (User)session.get("LoggedUser");
            if (user != null) {
                //check if the user has rights to access the current page
                //you can omit this part if you only need to check if there is a valid user logged in
                ControlAccess controlAccess = new ControlAccess();
                if (controlAccess.checkUserRights(user, requestPath)) {
                    validate = true;
                    //you can add more logic here, like log the access or similar
                }
            }
            if (!validate) {
                HttpServletResponse httpServletResponse = (HttpServletResponse) response;
                httpServletResponse.sendRedirect(
                    httpServletRequest.getContextPath() + "/home.xhtml");
            }
        }
        chain.doFilter(request, response);
    }
}

ControlAccess 类的一些实现:

public class ControlAccess {

    public ControlAccess() {
    }

    public boolean checkUserRights(User user, String path) {
        UserService userService = new UserService();
        //assuming there is a method to get the right access for the logged users.
        List<String> urlAccess = userService.getURLAccess(user);
        for(String url : urlAccess) {
            if (path.contains(url)) {
                return true;
            }
        }
        return false;
    }
}

<小时/>

在寻找解释这一问题的好方法时，我从 BalusC(JSF 专家)那里找到了更好的答案。这是基于 JSF 2 的:

• JSF HTTP Session Login