
Strange problem with session.invalidate()

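I am having a strange problem with logging in and out. I have implemented container-based security. On all my pages I have Login / Logout links (via template.xhtml), which are rendered or not based on a boolean property of the backing bean (actually the isLoggedIn() method). Also in the backing bean I have a logout method, which is the action of the Logout link (it is an h:commandLink). The logout method returns a String, which redirects to the login page through implicit JSF 2.0 navigation. Now, when I deploy the application and browse to my page, it shows index.xhtml. From there I go to the login page. I type the username/password, click Login, and it logs me in. But now I click Logout, which calls the backing bean logout method mentioned above, which does the following: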

public String logout() {
    HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false);
    //HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
    try {
        session.invalidate();
        //request.logout();
    } catch (Exception ex) {
        Logger.getLogger(PostController.class.getName()).log(Level.SEVERE, null, ex);
    }
    return "/ssl/login?faces-redirect=true";
}

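Now, after clicking Logout, when I type the username/password again and click Login, it redirects me to the login page. But then a strange thing happens, because it shows me index.xhtml but I am not logged in. I have to go to the login page again and type the credentials again to finally log in. This only happens when I use session.invalidate() in the backing bean logout() method. When I use request.logout() everything works fine. What is the problem?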

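Edit: isLoggedIn looks like this, but I don't think it is the problem, because I created a filter that redirects me to index.xhtml when I try to browse to the login page (only when I am logged in). And this does not happen.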

public boolean isLoggedIn() {
    HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
    if(request.getUserPrincipal() != null)
        return true;
    else
        return false;
}

Edit: here is the scenario with the HTTP headers. I request login.xhtml:

GET /blog-war/ssl/login.xhtml;jsessionid=edccb9f9a1c5fc77dbd7fc86f55b HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/blog-war/
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 302 Moved Temporarily
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Location: https://localhost:8181/blog-war/ssl/login.xhtml
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-GB
Content-Length: 197
Date: Sat, 04 Sep 2010 22:27:47 GMT

Moved temporarily, so the browser makes another request:

GET /blog-war/ssl/login.xhtml HTTP/1.1
Host: localhost:8181
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/blog-war/
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0, JSF/2.0
Server: GlassFish Server Open Source Edition 3.0.1
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 1256
Date: Sat, 04 Sep 2010 22:27:47 GMT

I fill in the username/password and click Login:

POST /blog-war/ssl/j_security_check HTTP/1.1
Host: localhost:8181
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://localhost:8181/blog-war/ssl/login.xhtml
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 302 Moved Temporarily
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Location: https://localhost:8181/blog-war/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-GB
Content-Length: 182
Date: Sat, 04 Sep 2010 22:40:01 GMT

It is redirected to index.xhtml:

GET /blog-war/ HTTP/1.1
Host: localhost:8181
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://localhost:8181/blog-war/ssl/login.xhtml
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 302 Moved Temporarily
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Location: http://localhost:8080/blog-war/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-GB
Content-Length: 181
Date: Sat, 04 Sep 2010 22:40:01 GMT

Redirected again, because I have a filter that switches between https and http (I only want login.xhtml to be served over https):

GET /blog-war/ HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0, JSF/2.0
Server: GlassFish Server Open Source Edition 3.0.1
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 4002
Date: Sat, 04 Sep 2010 22:40:02 GMT

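Now I am successfully logged in and the Logout link is rendered, which means the backing bean isLoggedIn returns true. Now I click Logout, which calls session.invalidate() in the backing bean logout() method: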

POST /blog-war/index.xhtml HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/blog-war/
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 302 Moved Temporarily
X-Powered-By: Servlet/3.0, JSF/2.0
Server: GlassFish Server Open Source Edition 3.0.1
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://localhost:8080/blog-war/ssl/login.xhtml
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-GB
Content-Length: 196
Date: Sat, 04 Sep 2010 22:48:34 GMT

Redirected to the login page; logout returns the string "/ssl/login?faces-redirect=true", so here we go:

GET /blog-war/ssl/login.xhtml HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/blog-war/
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 302 Moved Temporarily
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Location: https://localhost:8181/blog-war/ssl/login.xhtml
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-GB
Content-Length: 197
Date: Sat, 04 Sep 2010 22:48:34 GMT

Another redirect; the login page should be on https (the filter is working :)):

GET /blog-war/ssl/login.xhtml HTTP/1.1
Host: localhost:8181
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/blog-war/
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0, JSF/2.0
Server: GlassFish Server Open Source Edition 3.0.1
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=eefdcda45337b9c897de2a0e95e3; Path=/blog-war; Secure
Content-Type: text/html;charset=UTF-8
Content-Length: 1256
Date: Sat, 04 Sep 2010 22:48:35 GMT

So this was the normal flow of events. Now the abnormal one :) I am already on the login page, so I retype the username/password and click Login:

POST /blog-war/ssl/j_security_check HTTP/1.1
Host: localhost:8181
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://localhost:8181/blog-war/ssl/login.xhtml
Cookie: JSESSIONID=eefdcda45337b9c897de2a0e95e3

Response:

HTTP/1.1 302 Moved Temporarily
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Location: https://localhost:8181/blog-war/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-GB
Content-Length: 182
Date: Sat, 04 Sep 2010 22:55:46 GMT

Redirect to index:

GET /blog-war/ HTTP/1.1
Host: localhost:8181
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://localhost:8181/blog-war/ssl/login.xhtml
Cookie: JSESSIONID=eefdcda45337b9c897de2a0e95e3

Response:

HTTP/1.1 302 Moved Temporarily
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Location: http://localhost:8080/blog-war/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-GB
Content-Length: 181
Date: Sat, 04 Sep 2010 22:55:47 GMT

Again, the filter redirects to http for index.xhtml:

GET /blog-war/ HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

Response:

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0, JSF/2.0
Server: GlassFish Server Open Source Edition 3.0.1
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=ef675cbb9747063c235fdb44137e; Path=/blog-war
Content-Type: text/html;charset=UTF-8
Content-Length: 3410
Date: Sat, 04 Sep 2010 22:55:48 GMT

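At this point the Logout link is not rendered, which means we are not logged in? In the response there is a Set-Cookie; does that mean the server logged me out? After going to the login page again, it starts over from the top. I can also insert the server log, which is a bit different for the normal and the abnormal login cases. Also, about Expires in the responses: why is it January 1970? I am really confused.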

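Since with container-managed security you cannot access restricted pages without being logged in, I strongly suspect that the isLoggedIn() method incorrectly returned false, which makes it look as if you are not logged in. It should at least look like this: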

public boolean isLoggedIn() {
    return FacesContext.getCurrentInstance()
        .getExternalContext().getUserPrincipal() != null;
}

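Update: right, when the cookie is created in an HTTPS context (i.e. with the Secure flag), the cookie is lost when switching from HTTPS to HTTP. However, if the cookie is created in an HTTP context (i.e. without the Secure flag), it remains available in both HTTP and HTTPS contexts. This is per the RFC 2965 cookie specification (see the description of the Secure flag).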

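Apart from using HttpServletRequest#logout(), another solution is to create the cookie immediately during the redirect after logout, instead of only when the login page is requested over HTTPS. You can implicitly create a new cookie just by requesting the HttpSession.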
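The cookie behaviour described in this answer, replayed as a small Python model of the question's HTTP trace. This is an added example, not part of the original answer; the Server and Browser classes and the session ids s1, s2, s3 are constructed for illustration, and the model assumes, as the trace shows, that the container marks JSESSIONID as Secure exactly when the session is created over HTTPS.

```python
import itertools

class Server:
    """Toy container: issues JSESSIONID, flagged Secure iff created over https."""
    def __init__(self):
        self.sessions = {}                    # session id -> user or None
        self._ids = itertools.count(1)

    def _new_session(self, scheme):
        sid = f"s{next(self._ids)}"
        self.sessions[sid] = None
        return sid, (sid, scheme == "https")  # (id, Set-Cookie as (id, secure))

    def handle(self, scheme, sid, action="view", new_session_on_logout=False):
        set_cookie = None
        if sid not in self.sessions:          # no cookie sent, or id invalidated
            sid, set_cookie = self._new_session(scheme)
        if action == "login":                 # j_security_check
            self.sessions[sid] = "user"
        elif action == "logout":              # session.invalidate()
            del self.sessions[sid]
            if new_session_on_logout:         # the answer's alternative
                sid, set_cookie = self._new_session(scheme)
        return self.sessions.get(sid), set_cookie

class Browser:
    """Keeps one cookie per name/path; a Secure cookie is never sent over http."""
    def __init__(self, server):
        self.server, self.cookie = server, None

    def request(self, scheme, action="view", **kw):
        sid = None
        if self.cookie and (scheme == "https" or not self.cookie[1]):
            sid = self.cookie[0]
        user, set_cookie = self.server.handle(scheme, sid, action, **kw)
        if set_cookie:
            self.cookie = set_cookie          # replaces the old JSESSIONID
        return user

def relogin_after_logout(new_session_on_logout):
    """Replay the trace; return (user seen on http index, final session id)."""
    b = Browser(Server())
    b.request("http")                         # index.xhtml creates s1 over http
    b.request("https", "login")
    assert b.request("http") == "user"        # first login works
    b.request("http", "logout", new_session_on_logout=new_session_on_logout)
    b.request("https")                        # login page over https
    b.request("https", "login")
    return b.request("http"), b.cookie[0]     # filter redirects index to http
```

With `new_session_on_logout=False` the second login lands in a Secure-flagged session that the HTTP index page never receives, so a third, anonymous session is created there. The variant that survives does so because its session cookie has no Secure flag and is therefore also sent over plain HTTP.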

If you use session.invalidate(), the correct test for isLoggedIn() is userPrincipal() != null && session.isRequestedSessionValid(). Otherwise the page directly after logout will show you as logged in.

You should not redirect to the login page yourself. CMA should do that for you. Just redirect to a page that requires login.


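Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you republish them, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.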
