我正在使用JSF制作应用程序,如果用户未登录,请使用@WebFilter将用户从每个页面(不包括login / register.xhtml)重定向到login.xhtml。问题是重定向后,我看到的只是空白页。
我认为它正在过滤包括bootstrap.css在内的所有资源,因此我使用了类似的方法:
if (req.getRequestURI().startsWith(req.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) {
chain.doFilter(request, response);
return;
}
但是它什么也没做。
这是我的LoginFilter.java
@WebFilter("*")
public class LoginFilter extends HttpFilter {
@Inject
CurrentSession currentSession;
@Override
protected void doFilter(HttpServletRequest req, HttpServletResponse res, FilterChain chain) throws IOException, ServletException {
String currentPath = req.getContextPath() + req.getServletPath();
if (!userIsLogged()) {
if(!currentPath.equals("/app/register.xhtml") && !currentPath.equals("/app/login.xhtml"))
res.sendRedirect(req.getContextPath() + "/login.xhtml");
}
else
chain.doFilter(req, res);
}
有人可以指导我该添加些什么吗?
我认为您不应该编写自定义过滤器,因为JavaEE具有用于身份验证和授权的内置Security Mechanism。您只需要在WEB-INF/web.xml
文件中进行配置即可。这是一个最小的项目:
样本网络应用├──pom.xml└──src└──主要├──Java├──资源│────messages.properties└──webapp├──页面│├──管理员(仅限管理员)││└──admin.xhtml│├──dashboard.xhtml(适用于所有登录用户)│├──protected.xhtml│└──公开(不受限制的页面)│├──login.xhtml│└──register.xhtml├──资源(不受限制的公共资源)│└──CSS│└──style.css└──WEB-INF├──faces-config.xml├──jboss-web.xml└──web.xml
所有静态资源(图像,样式表等)位于webapp/resources
下。 JSF文件位于webapp/pages/...
下,但这只是一个示例。所需的行为
webapp/pages/public
下的所有内容都是公开的)>webapp/pages/
下的所有其他页面受到保护,并且所有登录的用户都可以使用webapp/pages/admin
下的页面仅可用于管理者。在web.xml中,只需配置以下内容:
<?xml version="1.0" encoding="UTF-8"?> <web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"> <welcome-file-list> <welcome-file>/pages/dashboard.xhtml</welcome-file> </welcome-file-list> <login-config> <auth-method>FORM</auth-method> <realm-name>stackoverflow-auth-realm</realm-name> <form-login-config> <form-login-page>/pages/public/login.xhtml</form-login-page> <form-error-page>/pages/public/login.xhtml?showerror=true</form-error-page> </form-login-config> </login-config> <security-constraint> <display-name>Allowed for admin only</display-name> <web-resource-collection> <web-resource-name>Admin</web-resource-name> <url-pattern>/pages/admin/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>ADMINISTRATOR</role-name> </auth-constraint> </security-constraint> <security-constraint> <display-name>Unrestricted access</display-name> <web-resource-collection> <web-resource-name>Unrestricted</web-resource-name> <url-pattern>/pages/public/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <!-- auth-constraint section is missing which means theese resources are available for everyone --> </security-constraint> <security-constraint> <display-name>Allowed for all logged in users</display-name> <web-resource-collection> <web-resource-name>LoggedIn</web-resource-name> <url-pattern>/pages/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>*</role-name> <!-- Wildcard role-name means authentication is required but theese resources are available for every roles --> </auth-constraint> </security-constraint> <security-role> <role-name>ADMINISTRATOR</role-name> </security-role> <security-role> <role-name>*</role-name> </security-role> <servlet> <servlet-name>FacesServlet</servlet-name> <servlet-class>javax.faces.webapp.FacesServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>FacesServlet</servlet-name> <url-pattern>*.jsf</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>FacesServlet</servlet-name> <url-pattern>*.xhtml</url-pattern> </servlet-mapping> </web-app>
在login.xhtml中有一些要求。
j_security_check
行动j_username
和j_password
,如下所示:<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:h="http://java.sun.com/jsf/html" xmlns:p="http://primefaces.org/ui" xmlns:ui="http://java.sun.com/jsf/facelets"> <h:body> <div class="login-box"> <ui:fragment rendered="#{param.showerror}"> <div class="text-danger"> <h4>#{msg['login.error']}</h4> </div> </ui:fragment> <form method="post" action="j_security_check"> <p:inputText id="j_username" placeholder="#{msg['login.username']}" required="true" autocomplete="off" requiredMessage="#{msg['login.error.username']}"/> <p:password id="j_password" placeholder="#{msg['login.password']}" required="true" autocomplete="off" requiredMessage="#{msg['login.error.password']}"/> <button><h:outputText value="#{msg['login.submit']}"/></button> </form> </h:body> </html>
假设您有三种不同的用户类型。
login.xhtml
和register.xhtml
否则,该用户将被重定向到登录表单。 webapp/pages
下的所有页面,但webapp/pages/admin
下的页面除外。如果用户尝试访问管理页面,它将得到一个禁止的响应。