Possible Duplicate:
JSF HTTP Session Login
I am using Primefaces to implement my web application. In my implementation, a user can log in to the system, and afterwards they can load the redirected page again simply by copying that URL, without logging in again. How can I prevent this?
Here is my login logic:
public String doLogin() {
    if (username != null &&
            username.equals("admin") &&
            password != null &&
            password.equals("admin")) {
        msg = "table?faces-redirect=true";
    } else if (user_name.contains(username) &&
            pass_word.contains(password) &&
            !user_name.contains("admin")) {
        //NOTE: the username list and the password list are tested independently here,
        //so any known username combined with any known password passes this check
        msg = "table1?faces-redirect=true";
    }
    return msg;
}
Best answer
That is normal behaviour for a web application as long as the user's session has not expired yet. If the session has expired, you have to make sure that there is a logged-in user and that this user has rights to access the page he/she is requesting in the URL. You can do this with a Filter.
I'm assuming your web application runs on a Java EE 6 container such as Tomcat 7 or GlassFish 3.x:
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

//"*.xhtml" is an extension mapping; "/*.xhtml" is not a valid servlet URL pattern
@WebFilter(filterName = "MyFilter", urlPatterns = {"*.xhtml"})
public class MyFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(
            ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
        //get the request page (context path + servlet path, without the query string)
        String requestPath = httpServletRequest.getRequestURI();
        //NOTE: a substring test is loose (any URI containing "home.xhtml" is treated as
        //the public page); an exact comparison against the servlet path is safer
        if (!requestPath.contains("home.xhtml")) {
            boolean validate = false;
            //getting the session object; getSession(false) returns null instead of
            //creating a fresh session for a request that does not have one yet
            HttpSession session = httpServletRequest.getSession(false);
            //check if there is a user logged in your session
            //I'm assuming you save the user object in the session (not the managed bean).
            User user = (session == null) ? null : (User) session.getAttribute("LoggedUser");
            if (user != null) {
                //check if the user has rights to access the current page
                //you can omit this part if you only need to check if there is a valid user logged in
                ControlAccess controlAccess = new ControlAccess();
                if (controlAccess.checkUserRights(user, requestPath)) {
                    validate = true;
                    //you can add more logic here, like log the access or similar
                }
            }
            if (!validate) {
                HttpServletResponse httpServletResponse = (HttpServletResponse) response;
                httpServletResponse.sendRedirect(
                        httpServletRequest.getContextPath() + "/home.xhtml");
                //stop here: without this return the protected page is still rendered after the redirect
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
Some implementation of the ControlAccess class:
import java.util.List;

public class ControlAccess {

    public ControlAccess() {
    }

    public boolean checkUserRights(User user, String path) {
        UserService userService = new UserService();
        //assuming there is a method to get the access rights for the logged-in user.
        List<String> urlAccess = userService.getURLAccess(user);
        for (String url : urlAccess) {
            //NOTE: substring matching grants every page whose URI contains an allowed
            //entry (an entry "table" also matches table1.xhtml); prefer an exact match
            if (path.contains(url)) {
                return true;
            }
        }
        return false;
    }
}
While looking for a good way to explain this, I found a better answer from BalusC (a JSF expert). It is based on JSF 2:
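As an added example (not code from the question or from the answer above), here is a hardened version of the same filter-plus-login-bean design, making explicit what the sketch above leaves loose: an exact path match instead of contains, getSession(false) so the filter never creates sessions, a return after the redirect, no-store caching on protected pages, and a fresh session at login so a pre-login session id cannot be reused. It assumes JSF 2.x on a Servlet 3.0+ container with Java 9+, a login page at /login.xhtml, that the page's User class has a getRole() method, and that its UserService has an authenticate(username, password) method returning null on failure; those names and the role table are assumptions, and each class would normally live in its own file.

```java
// Added example (not the page's own code); see the lead-in for the assumptions.
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// --- AuthFilter.java ---
@WebFilter(urlPatterns = "*.xhtml") // extension mapping; "/*.xhtml" is not a valid servlet URL pattern
public class AuthFilter implements Filter {
    // Per-role allow-list of protected pages (constructed sample data; a real
    // application would load this from its user store). Java 9+ for Map.of/Set.of.
    static final Map<String, Set<String>> ROLE_PATHS = Map.of(
            "admin", Set.of("/table.xhtml", "/table1.xhtml"),
            "user", Set.of("/table1.xhtml"));

    // Exact match on the servlet path. A substring test (path.contains(entry)) grants every
    // page whose path contains an allowed entry, e.g. an entry "table" also grants /table1.xhtml.
    static boolean isAllowed(String role, String path) {
        Set<String> allowed = ROLE_PATHS.get(role);
        return allowed != null && allowed.contains(path);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getServletPath(); // e.g. "/table.xhtml": no context root, no query string

        // The login page and JSF-served CSS/JS/images must stay reachable before login.
        if ("/login.xhtml".equals(path) || path.startsWith("/javax.faces.resource/")) {
            chain.doFilter(req, res);
            return;
        }
        // getSession(false) never creates a session: anonymous requests get no JSESSIONID.
        HttpSession session = request.getSession(false);
        User user = session == null ? null : (User) session.getAttribute("LoggedUser");
        if (user == null) {
            response.sendRedirect(request.getContextPath() + "/login.xhtml");
            return; // without this return the protected page would still be rendered
        }
        if (!isAllowed(user.getRole(), path)) { // getRole() is an assumed method on User
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Protected page: forbid caching so "Back" after logout re-requests the page
        // through this filter instead of showing a cached copy.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}

// --- LoginBean.java ---
@ManagedBean
@RequestScoped
public class LoginBean {
    private String username;
    private String password;

    public String doLogin() {
        // UserService.authenticate(...) is assumed; the page's UserService only shows getURLAccess().
        User user = new UserService().authenticate(username, password);
        if (user == null) {
            FacesContext.getCurrentInstance().addMessage(null,
                    new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null; // stay on login.xhtml
        }
        HttpServletRequest request = (HttpServletRequest)
                FacesContext.getCurrentInstance().getExternalContext().getRequest();
        // Drop any pre-login session so a JSESSIONID planted before login
        // (session fixation) does not become the authenticated session.
        HttpSession old = request.getSession(false);
        if (old != null) old.invalidate();
        request.getSession(true).setAttribute("LoggedUser", user);
        return "admin".equals(user.getRole()) ? "table?faces-redirect=true" : "table1?faces-redirect=true";
    }

    public String doLogout() {
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "login?faces-redirect=true";
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

With this in place, pasting the URL of table.xhtml into a browser that has no valid session redirects to login.xhtml, a logged-in "user" requesting table.xhtml receives 403 rather than the page, and after doLogout the browser's Back button re-requests the page (Cache-Control: no-store) and is redirected again instead of showing a cached copy.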
About java - Primefaces login application, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/12667449/