Question
Using Spring for Security, I can get the program running using the following code.
<intercept-url pattern="/web/admin**/**" access="ROLE_ADMIN" requires-channel="https"/>
<intercept-url pattern="/web/**/" access="ROLE_USER,ROLE_ADMIN" requires-channel="https"/>
I am trying to do this within a web.xml currently, using JBOSS to deploy a .war file. Below is what I have. The url-pattern is what is causing me the problems in the first security-constraint. The pages are located at, and named, /web/adminarchive, /web/adminsettings, /web/adminstuff, etc. The code above within Spring handled it the way I want, with the URL being /web/admin**/** to catch all admin pages. I commented out the /* section, since I know it works, leaving just the admin one. Using that structure throws no errors, it just doesn't prompt for login at all.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Name</web-resource-name>
        <url-pattern>/web/admin**/**</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_ADMIN</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Name</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_USER</role-name>
    </auth-constraint>
</security-constraint>
Answer 1:
UPDATE
You are right, the code I posted won't work for the purpose you need.
According to the Java Servlet 3.1 Specification, chapter 12.2, the mappings are defined as follows:
In the Web application deployment descriptor, the following syntax is used to define mappings:
- A string beginning with a '/' character and ending with a '/*' suffix is used for path mapping.
- A string beginning with a '*.' prefix is used as an extension mapping.
- The empty string ("") is a special URL pattern that exactly maps to the application's context root, i.e., requests of the form http://host:port/<context-root>/. In this case the path info is '/' and the servlet path and context path is empty string ("").
- A string containing only the '/' character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
- All other strings are used for exact matches only.
The last constraint:
All other strings are used for exact matches only.
From my understanding, you won't be able to use the ** wildcard referring to subdirectories, since it will be a specific match.
It seems like <url-pattern>/web/admin/*</url-pattern> should work.
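The mapping rules quoted in the answer above, as an added example (not code from the original post or from any servlet container): a small Python matcher for the Servlet 3.1 section 12.2 pattern types, run over the patterns and page names from this thread. The function names and the `/web/admin/users` path are assumptions made for illustration.

```python
# Added example: Servlet 3.1 section 12.2 url-pattern rules as a small matcher.
# Paths are relative to the context root; /web/admin/users is a constructed path.

def classify(pattern):
    """Return the mapping type the spec assigns to a url-pattern string."""
    if pattern == "":
        return "context-root"
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    return "exact"

def matches(pattern, path):
    """True if a request path (relative to the context) falls under pattern."""
    kind = classify(pattern)
    if kind == "context-root":
        return path in ("", "/")
    if kind == "default":
        return True
    if kind == "path":
        prefix = pattern[:-2]          # "/web/admin/*" -> "/web/admin"
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        last = path.rsplit("/", 1)[-1]
        return "." in last and last.rsplit(".", 1)[1] == pattern[2:]
    return path == pattern             # exact: '*' is a literal character here

def constrained(patterns, paths):
    """Map each path to the list of patterns that cover it."""
    return {p: [pat for pat in patterns if matches(pat, p)] for p in paths}

PATTERNS = ["/web/admin**/**", "/web/admin/*", "/*"]
PATHS = ["/web/adminarchive", "/web/adminsettings", "/web/admin/users"]

if __name__ == "__main__":
    for path, hits in constrained(PATTERNS, PATHS).items():
        print(f"{path:22} -> {hits}")
```

Under these rules `/web/admin**/**` is classified as an exact match, so it covers none of the admin pages and no login prompt is triggered, while `/web/admin/*` covers only paths below `/web/admin/` and not `/web/adminarchive`.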
Source: https://stackoverflow.com/questions/23705846/security-constraint-url-pattern-and-the-character-within-web-xml