security-constraint

** not working in web.xml security-constraints

Deadly submitted on 2019-12-13 02:13:16
Question: I want to have unrestricted access for /gadgets/{any directory}/css/*. I tried to mention like this <security-constraint> <web-resource-collection> <web-resource-name>UnProtected Area</web-resource-name> <url-pattern>/gadgets/**/css/*</url-pattern> </web-resource-collection> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Protected Area</web-resource-name> <url-pattern>/gadgets/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name

jBoss CORS support with security constraints

萝らか妹 submitted on 2019-12-12 15:42:26
Question: I'm adding authentication to my API using the web-common security constraints, but it seems to have broken my CORS filter. I've previously had it working with just the filter and no app server level authentication. The basic idea is to require authentication on all requests except those under the /rest/account endpoint, as these are the ones that handle the initial login and so need to be publicly accessible. Testing in both Chrome and Postman returns a 405 Method not allowed response when

Define a <security-constraint> outside of web.xml (e.g. server-wide)

折月煮酒 submitted on 2019-12-11 02:14:11
Question: I would like to apply security constraints for all webapps deployed on a Tomcat7 server. To do this I have set up a Realm and Valve. My understanding is that the contents of context.xml get included for all apps deployed to a server - that part seems to work as I can add all manner of configuration and I see the effects as it gets included in the various deployed app contexts. It works wonderfully for enforcing consistency across web apps. What doesn't seem to work is trying to define a

Web.xml: Are url-pattern tags relative to each other?

依然范特西╮ submitted on 2019-12-07 17:43:33
Question: <servlet-mapping> <servlet-name>myName</servlet-name> <url-pattern>/aName</url-pattern> </servlet-mapping> <security-constraint> <web-resource-collection> ... <url-pattern> /* </url-pattern> </web-resource-collection> ... </security-constraint> This is an excerpt from web.xml (using it to configure a jboss/tomcat webservice). Just wondering if the url-pattern in web-resource-collection is relative to the url-pattern in servlet-mapping. Answer 1: The url-pattern used to select the constraints for

Web.xml: Are url-pattern tags relative to each other?

北战南征 submitted on 2019-12-06 02:38:22
<servlet-mapping> <servlet-name>myName</servlet-name> <url-pattern>/aName</url-pattern> </servlet-mapping> <security-constraint> <web-resource-collection> ... <url-pattern> /* </url-pattern> </web-resource-collection> ... </security-constraint> This is an excerpt from web.xml (using it to configure a jboss/tomcat webservice). Just wondering if the url-pattern in web-resource-collection is relative to the url-pattern in servlet-mapping . The url-pattern used to select the constraints for a given request are not relative to anything. The interesting parts of the Servlet spec here are: SRV.12.8.3

Tomcat security constraint for valid user

这一生的挚爱 submitted on 2019-12-03 13:25:34
Question: I'm trying to protect a resource in tomcat so that only "valid users" (those with a valid login and password in the realm) can access it. They do not necessarily belong to a group in the realm. I have tried with many combinations of the <security-constraint> directive without success. Any ideas? Answer 1: Besides the auth-constraint you are adding to the security-constraint: <auth-constraint> <role-name>*</role-name> </auth-constraint> you need to specify the security role in the web-app: <security

Filtering requests involving security-constraints

醉酒当歌 submitted on 2019-12-02 08:33:11
I have a Java web application that uses security-constraints to lock down access to resources. I'm trying to manipulate the HTTP 401 response when authentication is required for Ajax requests, so I've created a filter that observes the HTTP status in responses and modifies it accordingly if required. Problem is, it seems that if authentication is required, the filter doesn't get invoked until after the 401 has been sent to the browser. It seems that the security constraint precedes the filter in the request processing chain. My filter's url-pattern is more general than any of the security

<security-constraint> <url-pattern> and the * character within web.xml

ぐ巨炮叔叔 submitted on 2019-12-02 07:12:07
Using Spring for Security, I can get the program running using the following code. <intercept-url pattern="/web/admin**/**" access="ROLE_ADMIN" requires-channel="https"/> <intercept-url pattern="/web/**/" access="ROLE_USER,ROLE_ADMIN" requires-channel="https"/> I am trying to do this within a web.xml currently. Using JBOSS to deploy a .war file. Below is what I have. The url-pattern is what is causing me the problems in the first security-constraint. The pages are located at, and named /web/adminarchive /web/adminsettings /web/adminstuff etc... The code above within Spring handled it the way

tomcat security-constraint impact cache

家住魔仙堡 submitted on 2019-12-01 03:20:37
I have a problem in caching my application. When this code is added to web.xml of tomcat : <security-constraint> <web-resource-collection> <web-resource-name>HTTPSOnly</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> I get this response : Cache-Control private Date Tue, 18 Feb 2014 01:18:17 GMT Etag W/"200-1391558564593" Expires Thu, 01 Jan 1970 00:00:00 WET Server Apache-Coyote/1.1 Without this code everything is fine : Accept-Ranges bytes

Precedence of security-constraint over filters in Servlets

别等时光非礼了梦想. submitted on 2019-11-29 02:24:54
While studying about security-constraints and filters in servlets, I made the following declarations in the web.xml file, which didn't work as I expected: <security-constraint> <web-resource-collection> <web-resource-name>BeerSelector</web-resource-name> <url-pattern>/SelectBeer.do</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>Admin</role-name> </auth-constraint> </security-constraint> <filter> <filter-name>LoginFilter</filter-name> <filter-class>model.MyFilter</filter-class> </filter> <filter-mapping>