
Java custom annotation JSF

Tags: java, jsf, jsf-2, annotations, jaas

I want to make a custom annotation to check security on certain functions of a JSF web application. For security I use Tomcat security with JAAS, so I don't have application-managed security.

Actually, what I want to do is make an annotation for my methods in backing beans, like Spring Security's @Secured("role"). My security system is implemented like this: every function is a role, and you can dynamically create "user roles", which are stored in the database; when someone logs in, all the (function) roles in that "user role" are set as roles in Tomcat security.

Now I have a piece of code that checks whether my user can access the function:

import javax.faces.context.FacesContext;

public final class SecurityUtil {

    public static void checkSecurity(final String function) {
        final FacesContext facesContext = FacesContext.getCurrentInstance();
        try {
            // Not authenticated: send the user to the login page
            if (facesContext.getExternalContext().getRemoteUser() == null) {
                facesContext.getExternalContext().redirect("login.xhtml");
                return;
            }
            // Authenticated but without the function role: send to the restricted page
            if (!facesContext.getExternalContext().isUserInRole(function)) {
                facesContext.getExternalContext().redirect("restricted.xhtml");
                return;
            }
        } catch (final Exception ex /* Mandatory "IOException e" will be caught + all other exceptions. */) {
            facesContext.getExternalContext().setResponseStatus(403); // HTTP Status 403: Forbidden. Can also throw 401.
            facesContext.responseComplete();
        }
    }
}
Now I have to call SecurityUtil.checkSecurity("name of the function"); in every method. But I want an annotation like @CustomSecurity("function_name_role").

When a method has this annotation, the checkSecurity function must be executed automatically. So I have to scan for this annotation at some point, or make some kind of ActionListener. JSF should have some options for this, but none of the forums I found about it were really helpful.

Does anyone have any ideas?

EDIT: I tried it, but it only works for one action of a component (the component is not rendered when you don't have the role). So how secure is that when people try to hack the JSF structure? I'd rather run it on every method.

import java.lang.reflect.Method;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.el.ELContext;
import javax.el.ExpressionFactory;
import javax.el.MethodExpression;
import javax.el.ValueExpression;
import javax.faces.application.Application;
import javax.faces.application.ConfigurableNavigationHandler;
import javax.faces.component.ActionSource;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.el.MethodBinding;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;

import com.sun.faces.application.ActionListenerImpl;
import com.sun.faces.application.MethodExpressionMethodBindingAdapter;
import com.sun.faces.util.FacesLogger;

public class SecurityActionListener extends ActionListenerImpl implements ActionListener {

    private static final Logger LOGGER = FacesLogger.APPLICATION.getLogger();

    @SuppressWarnings({ "unused", "deprecation" })
    @Override
    public void processAction(final ActionEvent event) {

        final FacesContext context = FacesContext.getCurrentInstance();
        final Application application = context.getApplication();
        final ConfigurableNavigationHandler navHandler = (ConfigurableNavigationHandler) application.getNavigationHandler();

        // Action stuff
        final UIComponent source = event.getComponent();
        final ActionSource actionSource = (ActionSource) source;
        MethodBinding binding;

        binding = actionSource.getAction();
        final String expr = binding.getExpressionString();
        // Only "#{bean.method}" expressions can be mapped back to a bean method
        if (!expr.startsWith("#")) {
            super.processAction(event);
            return;
        }

        // "#{bean.method}" -> target = "bean", method = "method"
        final int idx = expr.indexOf('.');
        final String target = expr.substring(0, idx).substring(2);
        final String t = expr.substring(idx + 1);
        final String method = t.substring(0, (t.length() - 1));

        final MethodExpression expression = new MethodExpressionMethodBindingAdapter(binding);
        final ELContext elContext = context.getELContext();
        final ExpressionFactory factory = context.getApplication().getExpressionFactory();

        // Resolve the bean instance so its class can be inspected for the annotation
        final ValueExpression ve = factory.createValueExpression(elContext, "#{" + target + '}', Object.class);
        final Object result = ve.getValue(elContext);

        // Check if the target method is a secured method
        // and check security accordingly
        final Method[] methods = result.getClass().getMethods();
        for (final Method meth : methods) {
            if (meth.getName().equals(method)) {
                if (meth.isAnnotationPresent(CustomSecurity.class)) {
                    final CustomSecurity securityAnnotation = meth.getAnnotation(CustomSecurity.class);
                    LOGGER.log(Level.FINE, "Function to check security on: {0}", securityAnnotation.value());
                    SecurityUtil.checkSecurity(securityAnnotation.value());
                    // checkSecurity completes the response (redirect or 403) when access is denied;
                    // the action is only invoked when the check passed
                    if (context.getResponseComplete()) {
                        return;
                    }
                }
                super.processAction(event);
                return;
            }
        }
        // No bean method with that name was found: fall back to the default behaviour
        super.processAction(event);
    }

}
In faces-config.xml:

Could also be an answer, but I don't know how it would work with my JAAS Tomcat security, because that security is in a separate project, deployed as a standalone JAR in the Tomcat lib folder.

But I really don't know how I have to secure my beans. Because I have configured all functions (aka roles, see above) on 1 page in web.xml as security constraints. I only render a component on a page when you have the permission or "function_role" for that component. Is this secure enough? Or, if someone has permission to one function on the page, can he render the component himself and so hack my site?

I'm not familiar enough with JSF to know this: what happens in the extra JSF abstraction layer between controller and view? (I'm more of a Spring MVC developer, but due to requirements I have to use JSF; still, it's nice to broaden my knowledge.)
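The question wants checkSecurity to run on every annotated bean method, not only on actions routed through one component's ActionListener, and asks whether hiding components with rendered="" is enough. Hiding is not authorization: the check has to sit on the method itself. As an added example (not code from the question or from any project it names), a CDI interceptor binding does exactly that; it reuses the question's SecurityUtil.checkSecurity, assumes the backing beans are CDI-managed (@Named rather than @ManagedBean), and the interceptor class name, the bean name and the role "order_delete" are assumptions. The two types below belong in separate source files.

```java
// CustomSecurity.java: the annotation from the question, declared as a CDI interceptor binding
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.enterprise.util.Nonbinding;
import javax.interceptor.InterceptorBinding;

@InterceptorBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ ElementType.METHOD, ElementType.TYPE })
public @interface CustomSecurity {
    // @Nonbinding: one interceptor serves every role value instead of one per literal
    @Nonbinding String value() default "";
}

// CustomSecurityInterceptor.java (assumed name): wraps every @CustomSecurity method,
// whichever component, listener or EL expression invoked it
import javax.faces.context.FacesContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;

@Interceptor
@CustomSecurity
public class CustomSecurityInterceptor {

    @AroundInvoke
    public Object enforce(final InvocationContext ic) throws Exception {
        final CustomSecurity annotation = ic.getMethod().getAnnotation(CustomSecurity.class);
        final FacesContext context = FacesContext.getCurrentInstance();
        if (annotation == null || context == null) {
            // Fail closed: no role named on the method itself, or not running inside a JSF request
            throw new IllegalStateException("@CustomSecurity must name a function role on the method");
        }
        // The question's SecurityUtil redirects (login/restricted) or sets 403 and marks
        // the response complete whenever access is denied
        SecurityUtil.checkSecurity(annotation.value());
        if (context.getResponseComplete()) {
            return null; // denied: the protected method is never invoked
        }
        return ic.proceed(); // allowed: run the bean method
    }
}

// Usage on a CDI bean; the interceptor must also be listed in WEB-INF/beans.xml under <interceptors>:
//   @Named @RequestScoped public class OrderBean {          // assumed bean
//       @CustomSecurity("order_delete")                      // assumed function role
//       public String delete() { /* ... */ return "orders"; }
//   }
```

CDI interceptors only fire on calls that go through the bean's proxy, so a method calling another annotated method on `this` bypasses the check; keep the annotation on the entry points the view can reach.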

You can use


Regarding

What Tomcat version do you use?

Tomcat 7. But the security is already implemented and works "fine" ;)
http://code.google.com/p/reflections/