Protected URLs leaking unprotected components of the webpage to unauthenticated users

我与影子孤独终老i submitted on 2019-11-30 10:30:10

They are indeed two distinct ways. The <security-constraint> is part of container managed authentication (CMS). The Filter is part of homegrown authentication.

To restrict access to certain resources with CMS, you just have to set its <url-pattern>:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Application</web-resource-name>
        <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>someRoleName</role-name>
    </auth-constraint>
</security-constraint>

The above example puts the constraint on all URLs matching /app/* and allows access to users with someRoleName only.

To restrict access to certain resources with a Filter, you have to set its <url-pattern> as well:

<filter>
    <filter-name>authenticationFilter</filter-name>
    <filter-class>com.example.AuthenticationFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>authenticationFilter</filter-name>
    <url-pattern>/app/*</url-pattern>
</filter-mapping>

You only have to define roles elsewhere, perhaps as an <init-param> of the filter.
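As an added illustration of the homegrown approach described in the answer above (this is example code, not the answerer's own), here is what com.example.AuthenticationFilter could look like when mapped to /app/* by the <filter-mapping> shown. It assumes a <init-param> named "roles" on the filter (a comma-separated list such as someRoleName), a login servlet at /login that stores a User object in the session under the attribute name "user", and the small User class defined at the bottom; all of those names are assumptions for the example, not anything the original answer specifies.

```java
package com.example;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Homegrown authentication filter (added example, not code from the answer).
 * Assumed contract: the login servlet puts a User in the session under "user",
 * and web.xml declares an <init-param> named "roles" on this filter.
 */
public class AuthenticationFilter implements Filter {

    private final Set<String> requiredRoles = new HashSet<>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Example web.xml fragment (assumed):
        // <init-param><param-name>roles</param-name><param-value>someRoleName</param-value></init-param>
        String roles = config.getInitParameter("roles");
        if (roles != null) {
            for (String role : roles.split(",")) {
                requiredRoles.add(role.trim());
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) avoids creating a session for anonymous requests.
        HttpSession session = request.getSession(false);
        User user = (session == null) ? null : (User) session.getAttribute("user");

        if (user == null) {
            // Not authenticated: redirect to the login page and stop the chain,
            // so nothing under /app/* is ever served to an anonymous client.
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }

        // Authenticated but lacking every required role: deny with 403.
        if (!requiredRoles.isEmpty()
                && user.getRoles().stream().noneMatch(requiredRoles::contains)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Authenticated and authorized: let the request reach the resource.
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        requiredRoles.clear();
    }

    /** Minimal user model assumed for this example. */
    public static class User {
        private final String name;
        private final Set<String> roles;

        public User(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }

        public String getName() { return name; }
        public Set<String> getRoles() { return roles; }
    }
}
```

The important property, which matches the <security-constraint> behaviour, is that the filter returns without calling chain.doFilter for unauthenticated or unauthorized requests; a filter that only logs or sets an attribute and then always continues the chain would still let every resource under /app/* be served.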
