How to implement redirect to login-page with Java

2019-02-07 12:36发布

问题:

I'm trying to implement a redirect after login, which means I can't use glassfish built-in form authentication settings anymore that handles such things automatically. So first thing's first, I need to take control over redirecting to a login page when requesting a protected page. As I understand, this is done with a filter. Can this method be combined with security-constraints in web-xml? As it is, my filter is not called at all since glassfish just takes over and throws a basic loginbox at the user and ignores all filters even when no login configuration is set. Basicly, I have not managed to get a filter called before a user has logged in when security constraints are configured in glassfish.

Do I really need to take over security completly manually in a filter for this to work? If that's the case, the implementation seems horrible.

Using glassfish 3.1 with JSF 2 and a custom loginpage logging in manually with request.login.

web.xml.

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value><!--Production-->Development</param-value>
    </context-param>
    <context-param>
        <param-name>com.sun.faces.expressionFactory</param-name>
        <param-value>de.odysseus.el.ExpressionFactoryImpl</param-value>
    </context-param>
    <filter-mapping>
        <filter-name>LoginFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.jsf</url-pattern>
    </servlet-mapping>
    <filter>
        <filter-name>LoginFilter</filter-name>
        <filter-class>com.xdin.competence.jsf.util.LoginFilter</filter-class>
    </filter>
    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>
    <welcome-file-list>
        <welcome-file>index.jsf</welcome-file>
    </welcome-file-list>
    <!--<error-page>
        <exception-type>javax.faces.application.ViewExpiredException</exception-type>
        <location>/viewExpired.jsf</location>
    </error-page>-->
    <security-constraint>
        <display-name>ManagerArea</display-name>
        <web-resource-collection>
            <web-resource-name>ManagerArea</web-resource-name>
            <description/>
            <url-pattern>/manager/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>Manager-role</role-name>
            <role-name>Admin-role</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>EmployeeArea</display-name>
        <web-resource-collection>
            <web-resource-name>EmployeeConstraint</web-resource-name>
            <description/>
            <url-pattern>/user/Overview.jsf</url-pattern>
            <url-pattern>/user/PrepareReport.jsf</url-pattern>
            <url-pattern>/user/Search.jsf</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>Employee-role</role-name>
            <role-name>Admin-role</role-name>
            <role-name>Manager-role</role-name>
            <role-name>OKIF-role</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>AdminArea</display-name>
        <web-resource-collection>
            <web-resource-name>AdminCompetence</web-resource-name>
            <description/>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>Admin-role</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <display-name>UserArea</display-name>
        <web-resource-collection>
            <web-resource-name>UserConstraint</web-resource-name>
            <description/>
            <url-pattern>/index.jsf</url-pattern>
            <url-pattern>/template.jsf</url-pattern>
            <url-pattern>/user/UserDetail.jsf</url-pattern>
            <url-pattern>/user/UserInformation.jsf</url-pattern>
            <url-pattern>/print/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>Employee-role</role-name>
            <role-name>Admin-role</role-name>
            <role-name>Manager-role</role-name>
            <role-name>OKIF-role</role-name>
        </auth-constraint>
    </security-constraint>
    <!--<login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsf</form-login-page>
            <form-error-page>/login.jsf</form-error-page>
        </form-login-config>
    </login-config>-->
    <security-role>
        <description/>
        <role-name>Employee-role</role-name>
    </security-role>
    <security-role>
        <description/>
        <role-name>Admin-role</role-name>
    </security-role>
    <security-role>
        <description/>
        <role-name>Manager-role</role-name>
    </security-role>
    <security-role>
        <description/>
        <role-name>OKIF-role</role-name>
    </security-role>
</web-app>

And my filter:

public class LoginFilter implements Filter {

    private FilterConfig filterConfig = null;

    public LoginFilter() {
    } 

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain)
        throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest)request;
        HttpServletResponse res = (HttpServletResponse)response;
        if (req.getUserPrincipal() == null) {
            req.getSession().setAttribute("from", req.getRequestURI());
            res.sendRedirect("/login.jsf");
        } else {
            chain.doFilter(request, response);
        }

    }

    @Override
    public void destroy() { 
    }

    @Override
    public void init(FilterConfig filterConfig) { 
        this.filterConfig = filterConfig;
    }

}

回答1:

In your customized login form, add the following hidden field:

<input type="hidden" name="from" value="#{requestScope['javax.servlet.forward.request_uri']}" />

which you set in JSF as follows

@ManagedProperty(value="#{param.from}")
private String from;

and redirect as follows in login action method

if (from != null) {
    externalContext.redirect(from);
}

No need for a Filter.