Updated: 2023-12-04 18:25:05
In JSF you can get/set HTTP session attributes via ExternalContext#getSessionMap(), which is basically a wrapper around HttpSession#get/setAttribute().
@Named
@RequestScoped
public class LoginController {

    private String username;
    private String password;

    @EJB
    private UserService userService;

    public String login() {
        User user = userService.find(username, password);
        FacesContext context = FacesContext.getCurrentInstance();

        if (user == null) {
            // Unknown credentials: show a message and stay on the login page.
            context.addMessage(null, new FacesMessage("Unknown login, try again"));
            username = null;
            password = null;
            return null;
        } else {
            // Store the authenticated user as the session attribute "user".
            context.getExternalContext().getSessionMap().put("user", user);
            return "userhome?faces-redirect=true";
        }
    }

    public String logout() {
        // Destroys the session together with the "user" attribute.
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "index?faces-redirect=true";
    }

    // ...
}
In the Facelets page, just bind the username and password input fields to this bean and invoke the login() action accordingly.
<h:form>
    <h:inputText value="#{loginController.username}" />
    <h:inputSecret value="#{loginController.password}" />
    <h:commandButton value="login" action="#{loginController.login}" />
</h:form>
Session attributes are directly accessible in EL. A session attribute with name user is available in EL as #{user}. When testing in some rendered attribute whether the user is logged in, just check whether it is empty or not.
<h:panelGroup rendered="#{not empty user}">
    <p>Welcome, #{user.fullName}</p>
    <h:form>
        <h:commandButton value="logout" action="#{loginController.logout}" />
    </h:form>
</h:panelGroup>
The logout action basically just trashes the session.
As to checking whether a user is logged in for an incoming request, just create a Filter which does roughly the following in its doFilter() method:
@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    HttpSession session = request.getSession(false);
    String loginURI = request.getContextPath() + "/login.xhtml";

    boolean loggedIn = session != null && session.getAttribute("user") != null;
    boolean loginRequest = request.getRequestURI().equals(loginURI);
    boolean resourceRequest = request.getRequestURI().startsWith(request.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER);

    if (loggedIn || loginRequest || resourceRequest) {
        chain.doFilter(request, response);
    } else {
        response.sendRedirect(loginURI);
    }
}
Map it on a url-pattern covering the restricted pages, e.g. /secured/*, /app/*, etc.
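A complete filter class built around the doFilter() logic above, as an added example that is not part of the original page. It goes slightly beyond the text by also sending no-cache headers, so restricted pages are not redisplayed from the browser cache after logout. The class name LoginFilter, the choice of /secured/* as the mapping and the javax.* namespace (Java EE 7/8; use jakarta.* on Jakarta EE 9+) are assumptions.

```java
// Added example (not the page's own code). Assumes Java EE 7/8 (javax.*).
import java.io.IOException;
import javax.faces.application.ResourceHandler;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

@WebFilter("/secured/*") // url-pattern covering the restricted pages
public class LoginFilter implements Filter { // hypothetical class name

    @Override
    public void init(FilterConfig config) { /* nothing to configure */ }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getSession(false): do not create a session for anonymous requests.
        HttpSession session = request.getSession(false);
        String loginURI = request.getContextPath() + "/login.xhtml";

        boolean loggedIn = session != null && session.getAttribute("user") != null;
        // The next two checks only matter when the url-pattern is broad enough
        // (e.g. /*) to also cover the login page and JSF resources.
        boolean loginRequest = request.getRequestURI().equals(loginURI);
        boolean resourceRequest = request.getRequestURI()
                .startsWith(request.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER);

        if (loggedIn || loginRequest || resourceRequest) {
            if (!resourceRequest) {
                // Keep restricted pages out of browser and proxy caches so the
                // back button cannot show them again once the session is gone.
                response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
                response.setHeader("Pragma", "no-cache");
                response.setDateHeader("Expires", 0);
            }
            chain.doFilter(request, response);
        } else {
            response.sendRedirect(loginURI);
        }
    }

    @Override
    public void destroy() { /* nothing to release */ }
}
```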