Programmatically assigning a security role to a user who logs in to a JSF site



I have set up my web.xml to deny access to certain pages within my site and to redirect users to the login page if they are not yet logged in. I have defined a simple role USER, which looks like this:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>mis</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>USER</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
        <form-login-page>/signin.xhtml</form-login-page>
        <form-error-page>/error.xhtml</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <role-name>USER</role-name>
</security-role>

In my signin.xhtml page I want to check the user's credentials manually (we use headers injected by a reverse proxy to handle the actual security) and then assign the user to a particular role based on certain conditions.

Is there a way to programmatically assign the current user and the roles that user has? Or do I have to use the JBOSS/Glassfish user setup?

It seems the best approach is not to use security-constraints but to use the filter option instead. First create a class that implements javax.servlet.Filter and its doFilter method:

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class UserRoleFilter implements Filter {
    @Override
    public void init(FilterConfig cfg) throws ServletException {
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse response, FilterChain next) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        //Manually check that the current user can access pages
        //I did that by storing stuff in the session which you can access by 
        //request.getSession().getAttribute(someKey);
        //The attribute name below is a placeholder for whatever the signin page stores;
        //getSession(false) avoids creating a session for anonymous requests
        HttpSession session = request.getSession(false);
        boolean userHasAccessToRestrictedPages = session != null
                && Boolean.TRUE.equals(session.getAttribute("userHasAccessToRestrictedPages"));
        if(!userHasAccessToRestrictedPages) {
            HttpServletResponse r = (HttpServletResponse) response;
            r.sendRedirect(request.getContextPath() + "/signin.xhtml");
            return;
        }
        next.doFilter(req, response);
    }
    @Override
    public void destroy() {
    }
}

Then in the web.xml file remove the security-constraint, login-config and security-role elements and replace them with the following (where filter-class refers to the class above):

<filter>  
    <filter-name>UserRoleFilter</filter-name>  
    <filter-class>security.UserRoleFilter</filter-class>  
</filter>  
<filter-mapping>  
    <filter-name>UserRoleFilter</filter-name>  
    <url-pattern>/secure/*</url-pattern> 
</filter-mapping>

That should do it.
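As an added example that is not part of the question or the answer above: a filter in the same spirit that reads the user name and a role set from the session (the attribute names auth.user and auth.roles are assumptions, to be filled by the signin page after it has validated the proxy-forwarded identity) and then wraps the request so the rest of the application can keep using the standard isUserInRole and getRemoteUser calls. A signed-in user who lacks the role gets 403 instead of being bounced back to the sign-in form.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionRoleFilter implements Filter {
    // Assumed session keys: the signin page stores the validated user name under
    // USER_KEY and a Set<String> of granted role names under ROLES_KEY.
    static final String USER_KEY = "auth.user";
    static final String ROLES_KEY = "auth.roles";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false) never creates a session for an anonymous request
        HttpSession session = request.getSession(false);
        final String user = session == null ? null : (String) session.getAttribute(USER_KEY);
        if (user == null) {
            // Not signed in: send to the form and stop the chain here
            response.sendRedirect(request.getContextPath() + "/signin.xhtml");
            return;
        }
        @SuppressWarnings("unchecked")
        Set<String> roles = (Set<String>) session.getAttribute(ROLES_KEY);
        final Set<String> granted = roles == null ? Collections.<String>emptySet() : roles;
        if (!granted.contains("USER")) {
            // Signed in but without the required role: refuse instead of redirect-looping
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Expose the session-derived identity through the servlet API so downstream code
        // (request.isUserInRole, JSF ExternalContext.isUserInRole) sees the same roles
        final Principal principal = new Principal() {
            @Override public String getName() { return user; }
        };
        chain.doFilter(new HttpServletRequestWrapper(request) {
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public String getRemoteUser() { return user; }
            @Override public boolean isUserInRole(String role) { return granted.contains(role); }
        }, response);
    }
}
```

Map it to /secure/* in web.xml exactly like UserRoleFilter above; the role check stays in one place, and pages under /secure can rely on the container API rather than reading the session themselves.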
