security-constraint

问题 I have a problem in caching my application. when this code is added to web.xml of tomcat : <security-constraint> <web-resource-collection> <web-resource-name>HTTPSOnly</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> I get this response : Cache-Control private Date Tue, 18 Feb 2014 01:18:17 GMT Etag W/"200-1391558564593" Expires Thu, 01 Jan

问题 I have a problem in caching my application. when this code is added to web.xml of tomcat : <security-constraint> <web-resource-collection> <web-resource-name>HTTPSOnly</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> I get this response : Cache-Control private Date Tue, 18 Feb 2014 01:18:17 GMT Etag W/"200-1391558564593" Expires Thu, 01 Jan

问题 I am upgrading a web application (Servlet 3.0 / Tomcat 7) that requires basic authentication on most of its pages. This application has a small set of monitoring servlets, none of which should be protected. In my web.xml , I currently have the following security-constraint blocks (private info replaced by letters of the alphabet): <security-constraint> <display-name>Security Constraint</display-name> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <url-pattern>

问题 I have the following security constraints entered in the web.xml. My objective is that the XML files are in the Public area. This works for the /images/* folder. However the url-pattern *.xml does not seem to work. Any ideas ? <security-constraint> <web-resource-collection> <web-resource-name>Public Area</web-resource-name> <url-pattern>/xyz</url-pattern> <url-pattern>/images/*</url-pattern> <url-pattern>/yyz/*</url-pattern> <url-pattern>*.xml</url-pattern> </web-resource-collection> <

问题 I have a Java web application that uses security-constraints to lock down access to resources. I'm trying to manipulate the HTTP 401 response when authentication is required for Ajax requests, so I've created a filter that observes the HTTP status in responses and modifies it accordingly if required. Problem is, it seems that if authentication is required, the filter doesn't get invoked until after the 401 has been sent to the browser. It seems that the security constraint precedes the filter

问题 Useing Spring for Security, I can get the program running using the following code. <intercept-url pattern="/web/admin**/**" access="ROLE_ADMIN" requires-channel="https"/> <intercept-url pattern="/web/**/" access="ROLE_USER,ROLE_ADMIN" requires-channel="https"/> I am trying to do this within a web.xml currently. Using JBOSS to deploy a .war file. Below is what I have, The url-pattern is what is causing me the problems in the first security-constraint. The pages are located at, and named /web

问题 I'm developing a web app. I'd like to be able to let some friends see it, but not others that stumble upon the url. I was going to put a landing page and then a simple password box. Once the correct password is entered, I'd just record it in the session and expose the site as usual for the rest of the time they keep the browser open. Is there a standard way to do this? I'd be adding extra code to my webapp to support this, I'm not sure if there's a built-in way to do it already (I'm using

问题 I need to disable PUT, DELETE & TRACE HTTP requests on my Application Server, Apache Tomcat 6.0. All other sources, i have searched till now, have directed me towards the limit parameter in httpd.conf , Hence I'd put it before-hand that I am not using Apache Web Server, and requests are directly being handled by Tomcat, and so there is no httpd.conf in picture. Please suggest how should I do it on Tomcat? 回答1: Inside your WEBINF, add you can add a security constraint: <security-constraint>

问题 I've got this weird problem with ajax redirect on a security constraint: When an ajax call is made (by clicking on a sortable p:dataTable column or when a p:poll triggers) on a role-secured page after my session timed out, a <partial-response><redirect-url=... XML from OmniFaces is shown on the screen. When I remove OmniFaces, the ajax calls seem to fail silently and I don't get the XML shown. Security is configured as following in web.xml: <security-constraint> <web-resource-collection> <web

问题 In order to do an SSL Configuration testing under Tomcat, is this all mandatory? This below line is taken from a website: In order to do this for our test, take any application which has already been deployed successfully in Tomcat and first access it through http and https to see if it works fine. If yes, then open the web.xml of that application and just add this XML fragment before web-app ends i.e </web-app> : <security-constraint> <web-resource-collection> <web-resource-name>securedapp<