如何维护页面之间的Web会话？

Question

Glassfish 4.0
Primefaces 5.0
Linux

我正在尝试了解如何保护我的网络应用程序。

我有一个基于表单的登录页面/index.xhtml。我创建了一个JDBC-Realm，用于对其进行身份验证。我认为这称为基本身份验证。我在我的应用程序中的/ admin / *下创建了网页，允许管理员创建用户，然后这些用户将存储在数据库中。

然后，用户将使用基于表单的身份验证登录到/index.xhtml，然后将其重定向到/users/index.xhtml。这是在web.xml中。

我的问题是我不明白如何通过第一页进行会话处理。登录并重定向到/users/index.xhtml后的含义，我不相信我正在保存会话（如果这就是我应该做的）或在下一页中使用它。我不明白如何处理访问第一页之后/ users / *下的其他页面的会话。

这里有一些关于我的配置。

faces-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<faces-config 
    xmlns="http://java.sun.com/xml/ns/javaee" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
    http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd"
    version="2.0">

    <navigation-rule>
        <from-view-id>/index.xhtml</from-view-id>
        <navigation-case>
            <from-action>#{loginController.login}</from-action>
            <from-outcome>success</from-outcome>
            <to-view-id>/users/index.xhtml</to-view-id>
        </navigation-case>
        <navigation-case>
            <from-action>#{loginController.login}</from-action>
            <from-outcome>failure</from-outcome>
            <to-view-id>/index.xhtml</to-view-id>
        </navigation-case>
    </navigation-rule>
</faces-config>  

web.xml

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>jdbc-realm</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/loginError.xhtml</form-error-page>
    </form-login-config>
</login-config>

<security-constraint>
    <display-name>Admin Pages</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Admin Area</web-resource-name>
        <description/>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <display-name>All Access</display-name>
    <web-resource-collection>
        <web-resource-name>None Protected User Area</web-resource-name>
        <description/>
        <url-pattern>/users/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <!--role-name>admin</role-name-->
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

glassfish-web.xml

<glassfish-web-app>
    <parameter-encoding default-charset="UTF-8"/>

    <security-role-mapping>
        <role-name>admin</role-name>
        <group-name>admin</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>user</role-name>
        <group-name>user</group-name>
    </security-role-mapping>

</glassfish-web-app>

/index.xhtml

<html
    xmlns="http://www.w3.org/1999/xhtml"
    xmlns:f="http://java.sun.com/jsf/core"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:ui="http://java.sun.com/jsf/facelets"
    xmlns:p="http://primefaces.org/ui">
<h:head>
    <ui:insert name="title"/>
</h:head>
<h:body>
    <h:outputStylesheet library="resources" name="css/pnstyle.css"/>
    <f:view contentType="text/html">

    <h:form>
        <p:panel id="panel-signin">
        <p:focus context="panel-signin"/>
        <p:messages id="messages" showDetail="true" autoUpdate="true"
            closeable="true"/>
        <h:panelGrid columns="3">
            <h:outputLabel for="username" value="Username: *"/>
            <p:inputText id="username" required="true" label="Username" 
                    value="#{loginController.username}">
                <f:validateLength minimum="3"/>
            </p:inputText>
            <p:message for="username"/>

            <h:outputLabel for="password" value="Password: *"/>
            <p:password id="password" required="true" label="Password" 
                    value="#{loginController.password}">
            </p:password>
        <p:message for="password"/>
        </h:panelGrid>

        <p:commandButton id="loginButton" value="Login" 
            action="#{loginController.login}"/>
        </p:panel>
    </h:form>
    </f:view>    
</h:body>
</html>

LoginController.java（正在进行中）

@EJB(name="ejb/LoginBean", beanInterface=ILogin.class)
@ManagedBean(name="loginController")
@SessionScoped
public class LoginController {
    private boolean authenticated = false;
    private ILogin ilogin;
    private String username;
    private String password;
    private User user;
    private String originalURL;

    public LoginController() throws IOException {
        FacesContext context = FacesContext.getCurrentInstance();
        ExternalContext externalContext = context.getExternalContext();

        originalURL = (String)
            externalContext.getRequestMap().get(
            RequestDispatcher.FORWARD_REQUEST_URI);

        if (originalURL == null) {
            originalURL = externalContext.getRequestContextPath() +
                "/index.xhtml";
        }
        else {
            String originalQuery = (String)
                externalContext.getRequestMap().get(
                RequestDispatcher.FORWARD_QUERY_STRING);

            if (originalQuery != null) {
                originalURL += "?" + originalQuery;
            }
        }

        try {
            ilogin = (ILogin)
                (new InitialContext()).lookup("java:comp/env/ejb/LoginBean");
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public boolean isAuthenticated() {
        return authenticated;
    }

    public String login() throws IOException {
        FacesContext context = FacesContext.getCurrentInstance();
        ExternalContext externalContext = context.getExternalContext();
        HttpServletRequest request =
            (HttpServletRequest) externalContext.getRequest();

        try {
            /* If this is the admin, then we authenticate via the 
             * security role, otherwise via the EJB's.
             */
            if (username.equals("admin")) {
                request.login(username, password);

                return "success";
            }
            else {
                /* Authenticate from database. */
                user = ilogin.getUser(username);

                if (user.getPassWord().equals(password)) {
                    authenticated = true;

                    return "success";
                }
            }
        }
        catch (ServletException e) {
            e.printStackTrace();
        }
        catch (Exception e) {
            e.printStackTrace();
        }

        context.addMessage("panel-signin:messages",
            new FacesMessage(FacesMessage.SEVERITY_WARN, "Invalid Login",
                "Username or password is Invalid!"));

        return "failure";
    }

    public void logout() throws IOException {
        ExternalContext externalContext =
            FacesContext.getCurrentInstance().getExternalContext();
        externalContext.invalidateSession();
        externalContext.redirect(externalContext.getRequestContextPath()
            + "/login.xhtml");

        try {
            //request.logout();
        }
        catch (Exception e) {

        }
    }
}