Question
I'm currently using a PhaseListener as below to perform user authorization.
    import javax.faces.application.NavigationHandler;
    import javax.faces.context.FacesContext;
    import javax.faces.event.PhaseEvent;
    import javax.faces.event.PhaseId;
    import javax.faces.event.PhaseListener;

    public class AuthorizationPhaseListener implements PhaseListener { // class name assumed, not given in the post
        private PhaseId phaseId = PhaseId.RESTORE_VIEW;
        @Override
        public PhaseId getPhaseId() {
            return phaseId;
        }
        @Override
        public void beforePhase(PhaseEvent event) {
            // nothing to do before RESTORE_VIEW; the view id is only known afterwards
        }
        @Override
        public void afterPhase(PhaseEvent event) {
            FacesContext fc = event.getFacesContext();
            boolean isOnAllowedPage = false;
            String[] allowedPages = choseRightPages(); // chose pages for role (defined elsewhere in the poster's class, not shown)
            for (String s : allowedPages) {
                // substring match: the view id only has to contain one of the allowed page names
                if (fc.getViewRoot().getViewId().lastIndexOf(s) > -1) {
                    isOnAllowedPage = true;
                    break;
                }
            }
            if (!isOnAllowedPage) {
                // not on an allowed page: navigate to the "prohibited" outcome
                NavigationHandler nh = fc.getApplication().getNavigationHandler();
                nh.handleNavigation(fc, null, "prohibited");
            }
        }
    }
It does what I want, however I don't see it being listed in How to handle authentication/authorization with users in a database? and this Coderanch topic titled "authorization with phaselistener problem" also mentions the following:

"You should not couple authorization tightly with JSF. Better use container managed authentication and/or a simple filter acting on URL patterns covering the protected pages."
I don't exactly understand the limitations of using a PhaseListener instead of a Filter when performing user authorization. Can someone explain it to me?
Answer
A PhaseListener is only fired on a JSF request (i.e. an HTTP request which invoked the FacesServlet). It's not fired when a non-JSF request is executed and thus exposes a potential security leak on non-JSF requests. A servlet Filter can be fired on every single HTTP request, regardless of the target servlet.
In other words: HTTP request authorization should not be tied to having the FacesContext available, but to the ServletRequest available. Always try to authorize as "low level" as possible.
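As an added example (not code from the question or the answer), the same allow-list check rewritten as a servlet Filter, so it runs on every HTTP request no matter which servlet ends up handling it. The session attribute name "allowedPages", the public resource prefix and the 403 response are assumptions made for illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Mapped to "/*" so every request passes through, whether it ends up in the
// FacesServlet, a plain servlet or a static file: nothing bypasses the check.
@WebFilter("/*")
public class AuthorizationFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path relative to the context root, e.g. "/admin/users.xhtml"
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (isAllowed(request.getSession(false), path)) {
            chain.doFilter(req, res); // authorized: continue to whichever servlet is mapped
        } else {
            // No FacesContext exists here, so there is no NavigationHandler to call;
            // deny directly (a sendRedirect() to a "prohibited" page is the alternative).
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    // Assumption: the login code stores the role's allow-list of view paths in the
    // session under "allowedPages"; no session or no attribute means not logged in.
    static boolean isAllowed(HttpSession session, String path) {
        if (path.startsWith("/javax.faces.resource/")) return true; // assumed public: css, js, images
        if (session == null) return false;
        String[] allowed = (String[]) session.getAttribute("allowedPages");
        if (allowed == null) return false;
        for (String page : allowed) {
            // exact match rather than lastIndexOf(), so one name cannot match as a substring of another
            if (path.equals(page)) return true;
        }
        return false;
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```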