小贝子编程

不能将编程安全性与定制 JSF 登录表单一起使用



我正在尝试这样做:https://stackoverflow.com/a/2207147/494826

<security-constraint>
        <display-name>Amministrazione</display-name>
        <web-resource-collection>
            <web-resource-name>wrcollAdmin</web-resource-name>
            <description/>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>admin</role-name>
            <role-name>guest</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Risorse</web-resource-name>
            <url-pattern>/javax.faces.resource/*</url-pattern>
        </web-resource-collection>
        <!-- No Auth Contraint! -->
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.htm</form-login-page>
            <form-error-page>/loginError.htm</form-error-page>
        </form-login-config>
    </login-config>

我的登录JSF包含:

<h:form id="loginForm">                 
    <div class="inputlabel">
        <h:outputLabel for="j_username" value="Utente:"/>
    </div>
    <div>
        <h:inputText value="#{loginController.username}" id="j_username" size="25" />
    </div>
    <div class="inputlabel">
        <h:outputLabel for="j_password" value="Password:"/>
    </div>
    <div>
        <h:inputText value="#{loginController.password}" id="j_password" size="25" />
    </div>
    <div>
        <h:commandButton action="#{loginController.login}" value="LOGIN" />
    </div>                  
</h:form>
<h:messages styleClass="errors" />
    ...

这里是登录方法:

public void login() throws IOException {
    FacesContext context = FacesContext.getCurrentInstance();
    ExternalContext externalContext = context.getExternalContext();
    HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
    try {
        log4jLogger.info("LOGIN");
        request.login(username, password);            
        externalContext.redirect("/");
    } catch (ServletException e) {
        log4jLogger.info("DENIED");
        context.addMessage(null, new FacesMessage("Accesso Negato"));        
    }
}

这不起作用,因为表单从不调用login()方法。为什么?我想它的行为是这样的,因为web.xml安全配置。也许它认为loginController(一个命名的@ViewScoped bean)是受保护的资源?

第二个问题更一般。这是实现程序安全性的正确方法吗?

由于登录页面本身也受到安全约束的限制,并且登录不是由j_security_check处理的,因此您需要将登录页面本身添加到允许的资源集合中。

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Risorse</web-resource-name>
        <url-pattern>/javax.faces.resource/*</url-pattern>
        <url-pattern>/login.htm</url-pattern>
    </web-resource-collection>
    <!-- No Auth Contraint! -->
</security-constraint>

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium