发表新帖
发表新帖

Restricting users from accessing pages by directly changing the URL in JSF

后端 未结
关注
4 776
悲&欢浪女
悲&欢浪女 2021-02-09 04:26

I have two kinds of users in my application - clients and sellers. I am using a PhaseListener in JSF to prevent users from accessing pages without logging in, but a

相关标签:
4条回答
  • 一整个雨季
    2021-02-09 05:07

    Use Filter for this. Create class which implements javax.servlet.Filter interface and in doFilter() method check the role of user and if the user doesn't have role redirect him to some custom page. In web.xml add definition and mapping for this filter:

    <filter>
  <filter-name>MyFilter</filter-name>
  <filter-class>mypackage.MyFilter</filter-class>
</filter>

<filter-mapping>
  <filter-name>MyFilter</filter-name>
  <url-pattern>*.xhtml</url-pattern>
</filter-mapping>
    0 讨论(0)
  • 北海茫月
    2021-02-09 05:16

    You need to validate those parameters that ate causing error on your page when visiting directly . You can do it in prerenderview event in jsf2 or in a post construct method in jsf1.2

    0 讨论(0)
  • 無奈伤痛
    2021-02-09 05:22

    Assign the user a group/role and check on that as well inside your phase listener (which could technically better be a simple servlet filter, after all, a phase listener is under the covers namely quite clumsy for the simple purpose and doesn't run on non-JSF URLs).

    E.g., allow URLs starting with /seller/ to be accessed only by users having a role of SELLER:

    if (url.startsWith("/seller/") && user.getRoles().contains(Role.SELLER)) {
    // Allow access.
} else {
    // Block access.
}

    Note that this functionality is provided/builtin in many authentication frameworks, such as Java EE builtin container managed authentication and the 3rd party library Apache Shiro. All you need is then a simple web.xml configuration entry <security-constraint> or some configuration file such as an INI file in Shiro.

    See also:

    • Protected URLs leaking unprotected components of the webapge to unauthenticated users
    • JSF: How control access and rights in JSF?
    • JSF2 + Apache Shiro tutorial
    0 讨论(0)
  • 無奈伤痛
    2021-02-09 05:28

    You could use a file or something where you map every page with a userrole.(some pages might be accessible by more then 1 userrole example:

    <entry key="acl_page_sub/page1">client,seller</entry>
<entry key="acl_page_sub2/page1">client</entry>
<entry key="acl_page_sub2/page2">seller</entry>

    And you define some sort of LoginController class where you check currentuserrole and requested page (url) against that list. And if not granted then redirect to custom error page or login page or whatever.

    You add this logincontroller class a phaselistener to your facesconfig.

    0 讨论(0)
 看不清?
提交回复
热议问题