I've configured my application to use the Extensionless URLs feature of OmniFaces, but since I have security enabled in web.xml, these extensionless URLs are not caught by the <security-constraint>.
web.xml
<!-- JSF configuration -->
<context-param>
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Development</param-value>
</context-param>
<context-param>
    <param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>
    <param-value>true</param-value>
</context-param>
<context-param>
    <param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
    <param-value>true</param-value>
</context-param>
<!-- OmniFaces configuration -->
<context-param>
    <param-name>org.omnifaces.FACES_VIEWS_SCAN_PATHS</param-name>
    <param-value>/*.xhtml</param-value>
</context-param>
<!-- Servlets and filters. -->
<servlet>
    <servlet-name>facesServlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>facesServlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<!-- Welcome files, error pages and mime types. -->
<welcome-file-list>
    <welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
<!-- Security constraints -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Allowed resources</web-resource-name>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
</security-constraint>
<security-constraint>
    <display-name>SSL transport</display-name>
    <web-resource-collection>
        <web-resource-name>Secure Area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ADMINISTRATOR</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- Security roles -->
<security-role>
    <role-name>ADMINISTRATOR</role-name>
</security-role>
<!-- Login config -->
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>myRealm</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/login.xhtml</form-error-page>
    </form-login-config>
</login-config>
login.xhtml
<h:form>
    <h:panelGrid columns="1">
        <h:outputText value="Username:" />
        <h:inputText id="username" required="true"
            value="#{appSession.loginUsername}"
            requiredMessage="Username is required" />
        <h:message for="username" />
        <hr />
        <h:outputText value="Password:" />
        <h:inputSecret id="password" required="true"
            value="#{appSession.loginPassword}"
            requiredMessage="Password is required" />
        <h:message for="password" />
        <h:commandButton value="Login" action="#{appSession.login}" />
    </h:panelGrid>
    <h:messages globalOnly="true" showDetail="false" />
</h:form>
AppSession.java
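import java.io.IOException;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import javax.servlet.ServletException;
import org.omnifaces.util.Faces;

@SessionScoped
@ManagedBean
public class AppSession {
    private String loginUsername;
    private String loginPassword;

    public AppSession() { }

    // Programmatic container login through OmniFaces (delegates to HttpServletRequest#login).
    public String login() {
        try {
            Faces.login(loginUsername, loginPassword);
            return "index.xhtml?faces-redirect=true";
        } catch (ServletException e) {
            // Authentication failed: stay on the login page.
            e.printStackTrace();
            return "login.xhtml";
        }
    }

    // Drops the session and sends the browser back to the index page.
    public void logout() throws IOException {
        Faces.invalidateSession();
        Faces.redirect("index.xhtml");
    }

    //Getters and setters
}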
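So if I browse to index.xhtml, it correctly redirects to login. However, if I browse to index, there is no redirect and the browser is allowed to download the content from index. I understand that this is exactly as specified by <url-pattern>*.xhtml</url-pattern> in web.xml, but how would I configure the application so that extensionless URLs are also restricted by login?
If I try this with <url-pattern>/*</url-pattern> under <security-constraint>, it redirects successfully, but in that case my login form doesn't work. I have to use programmatic login with JSF because I want to reuse the credentials for web services. Any ideas on how I can get a working configuration?
I'm using OmniFaces 2.0 and Mojarra 2.2.7 on GlassFish 4.1.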
This is solved if you add login and also login.xhtml to the allowed resources:
<web-resource-collection>
    <web-resource-name>Allowed resources</web-resource-name>
    <url-pattern>/javax.faces.resource/*</url-pattern>
    <url-pattern>/login.xhtml</url-pattern>
    <url-pattern>/login</url-pattern>
</web-resource-collection>
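The following is an added example, not code from the question or the answer: a small model of how a Servlet container picks the security constraint for a request (best-matching url-pattern: exact match, then longest path prefix, then extension), run over the three constraint setups discussed above. The class name ConstraintMatchDemo and the sample paths are assumptions; the model ignores HTTP methods and the combining of constraints that share the same pattern.

```java
import java.util.*;

public class ConstraintMatchDemo {
    // Best-matching url-pattern for a context-relative path, in Servlet spec order:
    // exact match, then longest path prefix ("/x/*"), then extension ("*.ext").
    static String bestMatch(String path, Collection<String> patterns) {
        String bestPrefix = null, extension = null;
        for (String p : patterns) {
            if (p.equals(path)) return p;
            if (p.endsWith("/*")) {
                String prefix = p.substring(0, p.length() - 2);
                boolean hit = path.equals(prefix) || path.startsWith(prefix + "/");
                if (hit && (bestPrefix == null || p.length() > bestPrefix.length())) bestPrefix = p;
            } else if (p.startsWith("*.") && path.endsWith(p.substring(1))) {
                extension = p;
            }
        }
        return bestPrefix != null ? bestPrefix : extension;
    }

    // constraints: url-pattern -> required role; "" models a constraint with no
    // <auth-constraint>, i.e. open access.
    static String decide(String path, Map<String, String> constraints) {
        String p = bestMatch(path, constraints.keySet());
        if (p == null) return "unconstrained";
        String role = constraints.get(p);
        return (role.isEmpty() ? "open" : "needs " + role) + " via " + p;
    }

    public static void main(String[] args) {
        Map<String, String> extensionOnly = new LinkedHashMap<>(); // protects *.xhtml only
        extensionOnly.put("/javax.faces.resource/*", "");
        extensionOnly.put("*.xhtml", "ADMINISTRATOR");
        Map<String, String> catchAll = new LinkedHashMap<>();      // protects /*
        catchAll.put("/javax.faces.resource/*", "");
        catchAll.put("/*", "ADMINISTRATOR");
        Map<String, String> withLoginAllowed = new LinkedHashMap<>(catchAll); // the answer's fix
        withLoginAllowed.put("/login.xhtml", "");
        withLoginAllowed.put("/login", "");

        // Constructed sample request paths, relative to the context root.
        for (String path : new String[] {"/index.xhtml", "/index", "/login", "/login.xhtml"}) {
            System.out.println(path);
            System.out.println("  *.xhtml only      : " + decide(path, extensionOnly));
            System.out.println("  /* only           : " + decide(path, catchAll));
            System.out.println("  /* + login allowed: " + decide(path, withLoginAllowed));
        }
    }
}
```

With only `*.xhtml` protected, `/index` matches no constraint at all; with `/*` alone, `/login` and `/login.xhtml` themselves require the ADMINISTRATOR role, and the exact-match entries in the allowed resources are what take them back out.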