1. 技术文章
  2. Security constraint in web.xml not getting applied to URL patterns having file extension

Security constraint in web.xml not getting applied to URL patterns having file extension

不打扰是莪最后的温柔 提交于 2019-12-20 10:35:15

问题


I have the following security constraints entered in the web.xml. My objective is that the XML files are in the Public area. This works for the /images/* folder. However the url-pattern *.xml does not seem to work. Any ideas ?

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Public Area</web-resource-name>
            <url-pattern>/xyz</url-pattern>
            <url-pattern>/images/*</url-pattern>
            <url-pattern>/yyz/*</url-pattern>
            <url-pattern>*.xml</url-pattern>
        </web-resource-collection>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Super User Area</web-resource-name>
            <url-pattern>/test/list1</url-pattern>
            <url-pattern>/test/list2</url-pattern>
            <url-pattern>/test/list3</url-pattern>
            <url-pattern>/test/admin.html</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>SUPER_USER</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMIN</role-name>
            <role-name>END_USER</role-name>
        </auth-constraint>
    </security-constraint>


    <security-role>
        <description>Super User</description>
        <role-name>SUPER_USER</role-name>
    </security-role>
    <security-role>
        <description>Admin User</description>
        <role-name>ADMIN</role-name>
    </security-role>
    <security-role>
        <description>End User</description>
        <role-name>END_USER</role-name>
    </security-role>

回答1:


One of your other URL patterns matches more than this url-pattern - *.xml requestURI, that's why it's not working. For example, if you have /test/list/user.xml, then this will be treated as a web resource collection in Super user Area and thus SUPER_USER can only have access. so, ensure that url-pattern is declared more specific to resources to avoid clashes and mis-interpretation. Thanks




回答2:


Actually, the sequence of the placement is issue, first security constraints should be the super_user, then public area security constraints. If your put the security constraint belong of public area it will be over written by followed security constraints.



来源:https://stackoverflow.com/questions/19441487/security-constraint-in-web-xml-not-getting-applied-to-url-patterns-having-file-e

标签
java
servlets
web.xml
security-constraint
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!