jsf - 提高 Wildly JSF 项目的安全性
问题描述
我正在尝试将 JSF 中的本地 Web 项目移动到 Wildly 云。使用此 Firebase 过滤器进行身份验证:
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
userManagerSession = (UserManager) request.getSession().getAttribute("userManager");
// managed bean name is exactly the session attribute name
// boolean loginRequest = request.getRequestURI().endsWith(LOGIN_PAGE);
if (!request.getRequestURI().startsWith("/giocapp/s/")) {
filterChain.doFilter(request, response);
return;
}
Cookie[] cookies = request.getCookies();
String token = null;
if (cookies != null) {
for (Cookie cookie : cookies) {
if (cookie.getName().equalsIgnoreCase(HttpHeaders.AUTHORIZATION)) {
token = cookie.getValue();
tokenCookie = cookie;
break;
}
}
}
if (token == null || token.isEmpty()) {
System.out.println("Missing token oauth2");
response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
} else {
try {
FirebaseToken decodedToken = FirebaseAuth.getInstance().verifyIdToken(token);
account = new FirebaseAccount(decodedToken.getUid(), decodedToken.getName(), decodedToken.getEmail(),
decodedToken.getPicture());
if (userManagerSession == null) {
userManagerSession = userManager;
userManagerSession.login(decodedToken.getUid());
}
System.out.println(userManager.getUserId());
filterChain.doFilter(request, response);
} catch (FirebaseAuthException e) {
System.out.println("Token oauth2 not valid");
refreshToken(cookies, request, response, filterChain);
}
}
}
这是login.xthml:
<p:panel id="panel">
<div class="ui-g-12">
<h:panelGroup styleClass="md-inputfield">
<p:inputText id="user-name" value="#{userManager.userId}"
label="Username" required="true"
requiredMessage="Inserisci il nome utente" />
<label>Username</label>
</h:panelGroup>
<p:message for="user-name" display="icon" />
</div>
<div class="ui-g-12">
<h:panelGroup styleClass="md-inputfield">
<p:password id="password" value="#{userManager.userPassword}"
label="Password" required="true"
requiredMessage="Inserisci la password" />
<label>Password</label>
</h:panelGroup>
<p:message for="password" display="icon" />
</div>
<div class="ui-g-12">
<p:captcha label="Captcha" />
<p:commandButton value="Accedi" icon="ui-icon-person"
action="#{userManager.login()}" update="panel messages" />
<p:button outcome="/s/dashboard" value="Password dimenticata"
icon="ui-icon-help" styleClass="secondary" />
</div>
</p:panel>
</div>
我已经实现了captcha;这是减少可能的安全问题的好方法吗?我正在使用带有强密码的 Firebase 身份验证!想法是把这个项目放到谷歌云平台或者打开80 e 443端口到我的防火墙,为了让广域网访问。此外,我想使用 let's encrypt 以通过 TLS/SSL 使用 http(s) 来改进加密。
解决方案
推荐阅读
- android - Xamarin UITest ScrollDownTo for Android 真的很慢
- javascript - 如何在 CSS 规则中选择具有 Windows 格式路径的属性?
- node.js - 如何使用 Node.js 和 Axios 将文件上传到 AWS 中的预签名 URL?
- mysql - 如何在 Mariadb 的 regexp_replace 中使用正则表达式标志?
- javascript - 如何从firestore数据库返回值?
- c++ - 静态成员声明为 const 但初始化为 constexpr
- arrays - 带有姓名、姓氏等的 Java 数组
- jquery - 视频控件不可见
- java - Android Webview 布局未正确显示
- c++ - OpenCV:将图像文件读取到函数内部传递的 Mat 对象不会全局影响它