注销 JSF，在 Glassfish 3 中使用 SSL

发布于 2024-10-31 10:32:52 字数 1501 浏览 2 评论 0原文

我还没有找到这个问题的真正解决方案，即使它确实很常见......

我有这样的上下文：

在 Glassfish Server v3.1、JDK6 上运行的 JSF 应用程序。全部在我的带有 WinVista 的个人计算机上（最后一点应该不重要）。
使用 SSL 和基本身份验证（容器的安全性），
我在支持 bean 中完成了 logout() 方法，使会话无效并发送重定向。

我无法让容器再次显示登录框来验证用户，并且能够更改用户...并且我的用户始终可以返回，按浏览器中的“后退”按钮或仅写入 URL，然后继续执行操作thnigs 那里应该不应该有现有的会话。

我正在获取创建我的支持 bean 的用户的名称：

private void setName() {
    this.name = FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getName();

}

并且我使用此名称来执行操作...

然后对于注销，我的 xhtml 具有代码：

        <h:panelGroup id="logOut">
        <h:form>
            <h:commandLink id="linkLogOut" action="#{visitor.logout}" value="  Clic here to Log Out" />
        </h:form>
    </h:panelGroup>

在我的 bean 中调用此方法::

public void logout() throws IOException {
   // FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
    this.name = null;
    FacesContext fc = FacesContext.getCurrentInstance();
    HttpSession session = (HttpSession)fc.getExternalContext().getSession(false);
    session.invalidate();
FacesContext.getCurrentInstance().getExternalContext().redirect("https://localhost:8080/");
}

我正在声明我的支持 bean与：

@Named(value="visitor")
@SessionScoped

...我还从部署描述符进行重定向...并且它是相同的。

如果我关闭浏览器，会话就会丢失，容器会再次询问我用户/密码。

有什么建议吗？

多谢！

亚历杭德罗.

原文

I havent found a real solution for this problem, even when it is really common...

I have this context:

JSF application running on Glassfish Server v3.1, JDK6. All in my personal computer with WinVista (This last should not be important).
Using SSL and Basic authentication (Security of the container)
I have done my logout() method in my backing bean invalidating the session and sending a redirect.

I can not make the container show again the Login box to validate the user, and be able to change of user... And my user always can go back, pressing the BACK button in the browser or just writing the URL, and continue doing thnigs there when is supposed that there should not be a existing session.

I am getting the name of the user the my backing bean is created:

private void setName() {
    this.name = FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal().getName();

}

And I use this name to perform operations...

Then for logout my xhtml has the code:

        <h:panelGroup id="logOut">
        <h:form>
            <h:commandLink id="linkLogOut" action="#{visitor.logout}" value="  Clic here to Log Out" />
        </h:form>
    </h:panelGroup>

That calls this method in my bean::

public void logout() throws IOException {
   // FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
    this.name = null;
    FacesContext fc = FacesContext.getCurrentInstance();
    HttpSession session = (HttpSession)fc.getExternalContext().getSession(false);
    session.invalidate();
FacesContext.getCurrentInstance().getExternalContext().redirect("https://localhost:8080/");
}

I am declaring my backing bean with:

@Named(value="visitor")
@SessionScoped

...Also I was doing the redirect from the the deployment descriptor... and it was the same.

If I close the browser the the session is lost and the container ask me again for user/pass.

Any suggestions?

Thanks a lot!

Alejandro.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

一身软味 2024-11-07 10:32:52

我无法使容器再次显示登录框来验证用户，并能够更改用户...并且我的用户总是可以返回，按浏览器中的“后退”按钮或只是写入URL，并在假设不应该存在现有会话时继续在那里执行操作。

这些页面可能会从浏览器缓存中显示，而不是从服务器重新请求。要阻止这种情况，请创建一个 Filter< /a> 映射到感兴趣的 URL 模式（*.jsf 也许？），并在 doFilter() 方法中执行以下工作：

HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.setHeader("Cache-Control", "no-cache,no-store,must-revalidate"); // HTTP 1.1
httpResponse.setHeader("Pragma", "no-cache"); // HTTP 1.0
httpResponse.setDateHeader("Expires", 0); // Proxies.
chain.doFilter(request, response);

在测试之前清除浏览器缓存。

I can not make the container show again the Login box to validate the user, and be able to change of user... And my user always can go back, pressing the BACK button in the browser or just writing the URL, and continue doing thnigs there when is supposed that there should not be a existing session.

Those pages are likely displayed from the browser cache rather than re-requested from the server. To stop this, create a Filter which is mapped on URL pattern of interest (*.jsf maybe?) and does the following job in doFilter() method:

HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.setHeader("Cache-Control", "no-cache,no-store,must-revalidate"); // HTTP 1.1
httpResponse.setHeader("Pragma", "no-cache"); // HTTP 1.0
httpResponse.setDateHeader("Expires", 0); // Proxies.
chain.doFilter(request, response);

Clear the browser cache before testing.

回复收藏 0 原文

谁与争疯 2024-11-07 10:32:52

非常感谢您的所有回答。

我请了几天假……没有回复这个帖子。

我只是想分享我的解决方案。

基本身份验证绑定到浏览器，一旦您完成登录，应该关闭浏览器以完成注销......这不是那么优雅。

我更改为 FORM 身份验证，创建表单，并将用户信息发布到 servlet，该 servlet 根据我的领域验证用户凭据，并且该 servlet 将用户重定向到应用程序或错误页面。显然，必须在 web.xml 中进行正确的安全约束配置。

我在这里分享我的解决方案：

登录页面：

<!-- This is the login page that implement the "Form Base" login -->
<html xmlns="http://www.w3.org/1999/xhtml"
  xmlns:h="http://java.sun.com/jsf/html">
<h:head>
    <title>Login Form</title>
</h:head>
<h:body>
    <h2>Welcome to the secure messaging service!:</h2>
    <form name="loginForm" method="POST" action="j_security_check">
        <p><strong>Please type your user name: </strong>
            <input type="text" name="j_username" size="25" /></p>
        <p><strong>Please type your password: </strong>
            <input type="password" size="15" name="j_password" /></p>
        <p>
            <input type="submit" value="Submit"/>
            <input type="reset" value="Reset"/>
        </p>
    </form>
</h:body>

我的验证 servlet 方法：

protected void processRequest(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
        String username;
        String password;
        username = request.getParameter("j_username").toString();
        password = request.getParameter("j_password").toString();
        request.login(username, password);
        response.sendRedirect("/SecureMessageWebInterface/");
    } catch (Exception e) {
        response.sendRedirect("error.xhtml");
    }           
}

以及配置文件的必需部分......

<security-constraint>
    <display-name>Web Interface</display-name>
    <web-resource-collection>
        <web-resource-name>SSL Pages</web-resource-name>
        <description/>
        <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>All site is restricted</description>
        <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>Secure connection is required</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>webapps</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/error.xhtml</form-error-page>
    </form-login-config>
</login-config>

我希望这对其他人有用。

一切顺利，

亚历杭德罗。

Thank you so much for all your answers.

I took some days off... and did not reply this thread.

I just want to share my solution.

Basic authentication is bound to the browser, and once you have done login, should should close the browser to finish the logoff... what is not so elegant.

I changed to FORM authentication, creating my form, and posting the user information to a servlet who validates the user credentials against my realm, and this servlet redirect the user to either the application or to an error page. Obviously the proper configuration ifor security-constrain in web.xml have to be done.

I am sharing my solution here:

<!-- This is the login page that implement the "Form Base" login -->
<html xmlns="http://www.w3.org/1999/xhtml"
  xmlns:h="http://java.sun.com/jsf/html">
<h:head>
    <title>Login Form</title>
</h:head>
<h:body>
    <h2>Welcome to the secure messaging service!:</h2>
    <form name="loginForm" method="POST" action="j_security_check">
        <p><strong>Please type your user name: </strong>
            <input type="text" name="j_username" size="25" /></p>
        <p><strong>Please type your password: </strong>
            <input type="password" size="15" name="j_password" /></p>
        <p>
            <input type="submit" value="Submit"/>
            <input type="reset" value="Reset"/>
        </p>
    </form>
</h:body>

My validation servlet method:

protected void processRequest(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
try {
        String username;
        String password;
        username = request.getParameter("j_username").toString();
        password = request.getParameter("j_password").toString();
        request.login(username, password);
        response.sendRedirect("/SecureMessageWebInterface/");
    } catch (Exception e) {
        response.sendRedirect("error.xhtml");
    }           
}

And the required part of the configuration file....

<security-constraint>
    <display-name>Web Interface</display-name>
    <web-resource-collection>
        <web-resource-name>SSL Pages</web-resource-name>
        <description/>
        <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>All site is restricted</description>
        <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>Secure connection is required</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>webapps</realm-name>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/error.xhtml</form-error-page>
    </form-login-config>
</login-config>

I hope this can be useful for someone else.

All the best,

Alejandro.

回复收藏 0 原文

~没有更多了~