1. 首页
  2. 问答
  3. session.invalidate的奇怪问题()

session.invalidate的奇怪问题()

2010-09-04 115 views
1

我有登录和登出的奇怪问题。我已经实现了基于容器的安全性。我在我的所有页面上登录/注销链接(通过template.xhtml),它们基于支持bean布尔属性(实际上是方法isLoggedIn())呈现或不呈现。同样在后台bean中,我有方法注销,这是注销链接的动作(它是h:commandLink)。注销方法返回String,通过隐式JSF 2.0导航重定向到登录页面。现在,当我部署应用程序时,我浏览到我的页面,它显示index.xhtml。从那里我去登录页面。我把我的用户名/密码,点击登录,它记录了我在但现在我点击退出将呼叫后台bean注销方法所提到的,即要求做到这一点:session.invalidate的奇怪问题()

public String logout() { 
    HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false); 
    //HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest(); 
    try { 
     session.invalidate(); 
     //request.logout(); 
    } catch (Exception ex) { 
     Logger.getLogger(PostController.class.getName()).log(Level.SEVERE, null, ex); 
    } 
    return "/ssl/login?faces-redirect=true"; 
}

现在点击退出后它重定向我回到登录页面当我再次输入用户名/密码并点击登录。但后来奇怪的事情发生,因为它显示我我的index.xhtml,但我没有登录。我不得不再次登录页面,重新输入凭证再次终于登录。只有当我使用session.invalidate()支持豆logout()方法。当我使用request.logout()一切工作正常。有什么问题?

被编辑: isLoggedIn看起来像这样,但我不认为这是一个问题,因为我创建过滤器,重定向到我(只有当我登录时)index.xhtml当我尝试浏览到登录页面。并没有发生。

public boolean isLoggedIn() { 
    HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest(); 
    if(request.getUserPrincipal() != null) 
     return true; 
    else 
     return false; 
}

编辑: 这里的情景考虑HTTP头: 我请求login.xhtml:

GET /blog-war/ssl/login.xhtml;jsessionid=edccb9f9a1c5fc77dbd7fc86f55b HTTP/1.1 
Host: localhost:8080 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: pl,en-us;q=0.7,en;q=0.3 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 115 
Connection: keep-alive 
Referer: http://localhost:8080/blog-war/ 
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

响应:

HTTP/1.1 302 Moved Temporarily 
X-Powered-By: Servlet/3.0 
Server: GlassFish Server Open Source Edition 3.0.1 
Location: https://localhost:8181/blog-war/ssl/login.xhtml 
Content-Type: text/html;charset=ISO-8859-1 
Content-Language: en-GB 
Content-Length: 197 
Date: Sat, 04 Sep 2010 22:27:47 GMT

暂时移动,以便浏览器发出另一个请求:

GET /blog-war/ssl/login.xhtml HTTP/1.1 
Host: localhost:8181 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: pl,en-us;q=0.7,en;q=0.3 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 115 
Connection: keep-alive 
Referer: http://localhost:8080/blog-war/ 
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

响应:

HTTP/1.1 200 OK 
X-Powered-By: Servlet/3.0, JSF/2.0 
Server: GlassFish Server Open Source Edition 3.0.1 
Cache-Control: no-cache, no-store, must-revalidate 
Pragma: no-cache 
Expires: Thu, 01 Jan 1970 00:00:00 GMT 
Content-Type: text/html;charset=UTF-8 
Content-Length: 1256 
Date: Sat, 04 Sep 2010 22:27:47 GMT

我填写的用户名/密码,然后点击登录:

POST /blog-war/ssl/j_security_check HTTP/1.1 
Host: localhost:8181 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: pl,en-us;q=0.7,en;q=0.3 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 115 
Connection: keep-alive 
Referer: https://localhost:8181/blog-war/ssl/login.xhtml 
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

响应:

HTTP/1.1 302 Moved Temporarily 
X-Powered-By: Servlet/3.0 
Server: GlassFish Server Open Source Edition 3.0.1 
Location: https://localhost:8181/blog-war/ 
Content-Type: text/html;charset=ISO-8859-1 
Content-Language: en-GB 
Content-Length: 182 
Date: Sat, 04 Sep 2010 22:40:01 GMT

这是重定向的index.xhtml:

GET /blog-war/ HTTP/1.1 
Host: localhost:8181 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: pl,en-us;q=0.7,en;q=0.3 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 115 
Connection: keep-alive 
Referer: https://localhost:8181/blog-war/ssl/login.xhtml 
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

响应:

HTTP/1.1 302 Moved Temporarily 
X-Powered-By: Servlet/3.0 
Server: GlassFish Server Open Source Edition 3.0.1 
Pragma: No-cache 
Cache-Control: no-cache 
Expires: Thu, 01 Jan 1970 01:00:00 CET 
Location: http://localhost:8080/blog-war/ 
Content-Type: text/html;charset=ISO-8859-1 
Content-Language: en-GB 
Content-Length: 181 
Date: Sat, 04 Sep 2010 22:40:01 GMT

再次重定向,因为我有过滤器,切换为https-http和反之亦然(我想仅在HTTPS login.xhtml):

GET /blog-war/ HTTP/1.1 
Host: localhost:8080 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: pl,en-us;q=0.7,en;q=0.3 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 115 
Connection: keep-alive 
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

响应:

HTTP/1.1 200 OK 
X-Powered-By: Servlet/3.0, JSF/2.0 
Server: GlassFish Server Open Source Edition 3.0.1 
Pragma: no-cache 
Cache-Control: no-cache, no-store, must-revalidate 
Expires: Thu, 01 Jan 1970 00:00:00 GMT 
Content-Type: text/html;charset=UTF-8 
Content-Length: 4002 
Date: Sat, 04 Sep 2010 22:40:02 GMT

现在我登录成功了,注销链接呈现意味着支持bean isLoggedIn返回true。现在我单击注销来调用会话。

POST /blog-war/index.xhtml HTTP/1.1 
Host: localhost:8080 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: pl,en-us;q=0.7,en;q=0.3 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 115 
Connection: keep-alive 
Referer: http://localhost:8080/blog-war/ 
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

响应:

HTTP/1.1 302 Moved Temporarily 
X-Powered-By: Servlet/3.0, JSF/2.0 
Server: GlassFish Server Open Source Edition 3.0.1 
Cache-Control: no-cache, no-store, must-revalidate 
Pragma: no-cache 
Expires: Thu, 01 Jan 1970 00:00:00 GMT 
Location: http://localhost:8080/blog-war/ssl/login.xhtml 
Content-Type: text/html;charset=ISO-8859-1 
Content-Language: en-GB 
Content-Length: 196 
Date: Sat, 04 Sep 2010 22:48:34 GMT

重定向到登录页面登出返回字符串 “?/ SSL /登录面临重定向=真正的” 这样才好在支持bean无效()中注销()方法有:

GET /blog-war/ssl/login.xhtml HTTP/1.1 
Host: localhost:8080 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: pl,en-us;q=0.7,en;q=0.3 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 115 
Connection: keep-alive 
Referer: http://localhost:8080/blog-war/ 
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

响应:

HTTP/1.1 302 Moved Temporarily 
X-Powered-By: Servlet/3.0 
Server: GlassFish Server Open Source Edition 3.0.1 
Location: https://localhost:8181/blog-war/ssl/login.xhtml 
Content-Type: text/html;charset=ISO-8859-1 
Content-Language: en-GB 
Content-Length: 197 
Date: Sat, 04 Sep 2010 22:48:34 GMT

另一个重定向,登录页面应该是HTTPS(过滤器工作:)):

GET /blog-war/ssl/login.xhtml HTTP/1.1 
Host: localhost:8181 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: pl,en-us;q=0.7,en;q=0.3 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 115 
Connection: keep-alive 
Referer: http://localhost:8080/blog-war/ 
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

响应:

HTTP/1.1 200 OK 
X-Powered-By: Servlet/3.0, JSF/2.0 
Server: GlassFish Server Open Source Edition 3.0.1 
Cache-Control: no-cache, no-store, must-revalidate 
Pragma: no-cache 
Expires: Thu, 01 Jan 1970 00:00:00 GMT 
Set-Cookie: JSESSIONID=eefdcda45337b9c897de2a0e95e3; Path=/blog-war; Secure 
Content-Type: text/html;charset=UTF-8 
Content-Length: 1256 
Date: Sat, 04 Sep 2010 22:48:35 GMT

因此,这是事件的正常流动。现在异常:) 我已经在登录页面,所以我重新输入用户名/密码,并点击登录:

POST /blog-war/ssl/j_security_check HTTP/1.1 
Host: localhost:8181 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: pl,en-us;q=0.7,en;q=0.3 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 115 
Connection: keep-alive 
Referer: https://localhost:8181/blog-war/ssl/login.xhtml 
Cookie: JSESSIONID=eefdcda45337b9c897de2a0e95e3

响应:

HTTP/1.1 302 Moved Temporarily 
X-Powered-By: Servlet/3.0 
Server: GlassFish Server Open Source Edition 3.0.1 
Location: https://localhost:8181/blog-war/ 
Content-Type: text/html;charset=ISO-8859-1 
Content-Language: en-GB 
Content-Length: 182 
Date: Sat, 04 Sep 2010 22:55:46 GMT

重定向到指数:

GET /blog-war/ HTTP/1.1 
Host: localhost:8181 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: pl,en-us;q=0.7,en;q=0.3 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 115 
Connection: keep-alive 
Referer: https://localhost:8181/blog-war/ssl/login.xhtml 
Cookie: JSESSIONID=eefdcda45337b9c897de2a0e95e3

响应:

HTTP/1.1 302 Moved Temporarily 
X-Powered-By: Servlet/3.0 
Server: GlassFish Server Open Source Edition 3.0.1 
Pragma: No-cache 
Cache-Control: no-cache 
Expires: Thu, 01 Jan 1970 01:00:00 CET 
Location: http://localhost:8080/blog-war/ 
Content-Type: text/html;charset=ISO-8859-1 
Content-Language: en-GB 
Content-Length: 181 
Date: Sat, 04 Sep 2010 22:55:47 GMT

再次过滤器重定向到HTTP进行的index.xhtml:

GET /blog-war/ HTTP/1.1 
Host: localhost:8080 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
Accept-Language: pl,en-us;q=0.7,en;q=0.3 
Accept-Encoding: gzip,deflate 
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7 
Keep-Alive: 115 
Connection: keep-alive

响应:

HTTP/1.1 200 OK 
X-Powered-By: Servlet/3.0, JSF/2.0 
Server: GlassFish Server Open Source Edition 3.0.1 
Cache-Control: no-cache, no-store, must-revalidate 
Pragma: no-cache 
Expires: Thu, 01 Jan 1970 00:00:00 GMT 
Set-Cookie: JSESSIONID=ef675cbb9747063c235fdb44137e; Path=/blog-war 
Content-Type: text/html;charset=UTF-8 
Content-Length: 3410 
Date: Sat, 04 Sep 2010 22:55:48 GMT

此时注销链接不呈现,意味着我们没有登录?作为回应,存在set-cookie,这意味着服务器将我注销了吗?在重新登录页面后,它从头开始重新开始。我也可以插入与正常登录和异常登录场景有点不同的服务器日志。还有关于过期的答案,为什么是1970年1月?我很困惑。

来源

2010-09-04 l245c4l

+0

在将来的JSF/JSF 2.0问题中,请标记为这样。 Java EE是一个非常广泛的主题。 JSF只是其中的一小部分。借助标签,您可以吸引更多的观众,因为这里的人们经常通过标签浏览问题。 – BalusC 2010-09-04 18:58:26

回答

1

既然你不应该能够访问restriced页面没有被记录使用容器管理的安全性时,我强烈怀疑isLoggedIn()方法不正确地返回false这使得它看起来像,你没有登录。该方法至少应该是这样的:

public boolean isLoggedIn() { 
    return FacesContext.getCurrentInstance() 
     .getExternalContext().getUserPrincipal() != null; 
}

更新:没错,当在HTTPS情况下被创建一个Cookie(即具有Secure标志),那么该cookie获得LO st从HTTPS切换到HTTP时。但是,如果cookie是在HTTP上下文中创建的(即没有0​​标志),那么Cookie将在HTTP和HTTPS上下文中保持可用状态。这是根据RFC 2965 cookie规范(检查Secure标志的说明)。

除了使用HttpServletRequest#logout()之外,另一种解决方案是在注销后重定向期间立即创建cookie,而不是仅在通过HTTPS请求登录页面时创建cookie。您可以隐式创建仅通过请求HttpSession

来源

2010-09-04 19:02:58 BalusC

+0

我用isLoggedIn实现更新了我的问题。顺便说一句,你好了:) – l245c4l 2010-09-04 19:05:22

+0

好吧,虽然有点过于复杂,你的'isLoggedIn()'看起来不错。你在使用什么servletcontainer?登录后按F5会显示您未登录时会发生什么?请求/响应头文件说什么?至少我以前没有看到过这个问题,如果没有关于配置/环境的更多细节,很难尝试复制相同的问题。 – BalusC 2010-09-04 19:19:32

+0

F5没有帮助。我正在使用glassfish v3。它引发了一些异常:INFO:JACC Policy Provider:失败的权限检查,上下文(blog/blog-war_war) - 权限((javax.security.jacc.WebUserDataPermission /ssl/login.xhtml GET)) FINEST:JACC Policy Provider: PolicyWrapper.getPermissions(d),context(blog/blog-war_war)权限:[email protected](...我认为这是因为我在web.xml中为/ ssl/*指定了安全约束SSL区域(登录页面位于/ssl/login.xhtml),我没有,但是我有 CONFIDENTIAL。 – l245c4l 2010-09-04 19:40:25

0

如果您使用session.invalidate()一个新的cookie,用于isLoggedIn正确的测试()是userPrincipal()!= NULL & & session.isRequestedSessionValid()。否则,注销后的页面将直接显示您已登录。

您不应该自己重定向到登录页面。 CMA应该为你做到这一点。只需重定向到需要登录的页面。

来源

2010-09-05 05:38:03 EJP

相关问题

 相关问题