<security-constraint> <url-pattern> and the * character within web.xml

Submitted by 不羁岁月 on 2019-12-20 05:10:26

Question


Using Spring for Security, I can get the program running using the following code.

<intercept-url pattern="/web/admin**/**" access="ROLE_ADMIN" requires-channel="https"/>
<intercept-url pattern="/web/**/" access="ROLE_USER,ROLE_ADMIN" requires-channel="https"/>

I am currently trying to do this within a web.xml, using JBOSS to deploy a .war file. Below is what I have. The url-pattern in the first security-constraint is what is causing me problems. The pages are located at, and named, /web/adminarchive, /web/adminsettings, /web/adminstuff, etc. The code above within Spring handled it the way I want, with the URL being /web/admin**/** to catch all admin pages. I commented out the /* section, since I know it works, leaving just the admin one. Using that structure throws no errors; it just doesn't prompt for login at all.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Name</web-resource-name>
        <url-pattern>/web/admin**/**</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_ADMIN</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Name</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_USER</role-name>
    </auth-constraint>
</security-constraint>

Answer 1:


UPDATE

You are right, the code I posted won't work for the purpose you need.

According to Java Servlet 3.1 Specification, chapter 12.2, the mappings are defined as the following:

In the Web application deployment descriptor, the following syntax is used to define mappings:

  • A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping.
  • A string beginning with a ‘*.’ prefix is used as an extension mapping.
  • The empty string ("") is a special URL pattern that exactly maps to the application's context root, i.e., requests of the form
    http://host:port/<context-root>/. In this case the path info is ‘/’
    and the servlet path and context path is empty string ("").
  • A string containing only the ‘/’ character indicates the "default" servlet of the application. In this case the servlet path is the
    request URI minus the context path and the path info is null.
  • All other strings are used for exact matches only.

The last constraint:

All other strings are used for exact matches only.

To my understanding, you won't be able to use the ** wildcard referring to subdirectories, since it will be a specific match.

It seems like <url-pattern>/web/admin/*</url-pattern> should work.
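
The mapping rules quoted above can be turned into a descriptor check. This is an added example, not part of the original question or answer: it classifies each url-pattern by those rules and reports patterns that contain `*` but fall into the exact-match category, which therefore protect nothing except a URL spelled literally that way. The function names and the trimmed sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's two url-patterns (other elements trimmed).
WEB_XML = """<web-app><security-constraint><web-resource-collection>
  <url-pattern>/web/admin**/**</url-pattern>
</web-resource-collection></security-constraint>
<security-constraint><web-resource-collection>
  <url-pattern>/*</url-pattern>
</web-resource-collection></security-constraint></web-app>"""

def classify(pattern):
    """Kind of mapping per the Servlet 3.1 section 12.2 rules quoted above."""
    if pattern == "":
        return "context-root"
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    return "exact"

def matches(pattern, path):
    """True if the context-relative request path is covered by pattern."""
    kind = classify(pattern)
    if kind == "path":
        prefix = pattern[:-2]  # "/web/admin/*" -> "/web/admin"
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        return path.endswith(pattern[1:])
    if kind == "context-root":
        return path in ("", "/")
    if kind == "default":
        return True  # fallback mapping
    return path == pattern  # exact: any '*' is a literal character

def audit(web_xml):
    """url-patterns that contain '*' but are only exact matches."""
    found = []
    for el in ET.fromstring(web_xml).iter():
        # Strip an XML namespace, if the descriptor declares one.
        if el.tag.rsplit("}", 1)[-1] == "url-pattern" and el.text:
            p = el.text.strip()
            if "*" in p and classify(p) == "exact":
                found.append(p)
    return found

if __name__ == "__main__":
    print(audit(WEB_XML))
```

Under these rules a path mapping covers its prefix and everything below the following `/`, so `matches("/web/admin/*", "/web/adminarchive")` is false, while an exact pattern per page or the `/*` mapping does cover such a page.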



Source: https://stackoverflow.com/questions/23705846/security-constraint-url-pattern-and-the-character-within-web-xml
