【发布时间】:2012-04-12 15:28:48
【问题描述】:
我正在关注@BalusC 对JSF 2.0: How to get the URL that is entered in the browser's address bar 的回答,以限制未登录用户的页面。
过滤器:
public class RestrictPageFilter implements Filter{
FilterConfig fc;
@Override
public void init(FilterConfig filterConfig) throws ServletException {
fc=filterConfig;
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest httpreq = (HttpServletRequest) request;
HttpServletResponse httpres = (HttpServletResponse) response;
if (httpreq.getUserPrincipal() == null) {
httpreq.getSession().setAttribute("from", httpreq.getRequestURI());
httpres.sendRedirect("/pages/login.xhtml");
} else {
chain.doFilter(request, response);
}
}
@Override
public void destroy() {
// TODO Auto-generated method stub
}
}
web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin pages</web-resource-name>
<url-pattern>/admin/*</url-pattern>
<url-pattern>/restricted/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>ADMIN</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>User pages</web-resource-name>
<url-pattern>/restricted/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>ADMIN</role-name>
<role-name>USER</role-name>
</auth-constraint>
</security-constraint>
<!--login-config>
<auth-method>FORM</auth-method>
<realm-name>jdbc-realm</realm-name>
<form-login-config>
<form-login-page>/pages/login.xhtml</form-login-page>
<form-error-page>/pages/error.xhtml</form-error-page>
</form-login-config>
</login-config-->
<filter>
<filter-name>RestrictPageFilter</filter-name>
<filter-class>gov.denis.chanceryweb5.filter.RestrictPageFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>RestrictPageFilter</filter-name>
<url-pattern>/restricted/*</url-pattern>
</filter-mapping>
glassfish-web.xml
<glassfish-web-app>
<security-role-mapping>
<role-name>ADMIN</role-name>
<group-name>ADMIN</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>USER</role-name>
<group-name>USER</group-name>
</security-role-mapping>
glassfish gui 控制台中的领域:
访问我的网络应用程序时,在浏览器中我出于某种原因看到了这个?为什么?
【问题讨论】:
-
不知道这是否与“身份验证”有关,但您的过滤器不应映射到所有带有 *.xhtml 的页面(包括索引在内的每个页面都会调用它)。你应该只将它映射到我认为索引不是的受限页面上。
-
所以我应该将
login.xtml移出我想要限制的页面? -
登录页面应该不受安全约束。您的数据库表是什么样的?您已经拥有它们并正在尝试使其适应 GlassFish 中的 JDBCRealm?
-
@Melissaa 是的,您可以根据受限页面的位置将过滤器映射更改为
/restricted/* 之类的内容来完成此操作。 index.xhtml 应该在某个“公共”文件夹中,或者只是在受限文件夹之外。 -
将登录页面移出受限页面。问题依然存在:(
标签: java security jsf jakarta-ee glassfish