I believe implementing security for a JSF application through <login-config>
+<security-constraint>
+ <security-role>
& through use of <filter>
are two different ways !? Are they ?
I tried implementing security through the first method above(using <login-config>
+<security-constraint>
+ <security-role>
) but found that my protected webpage that was using both protected & unprotected HTML components was delivered with unprotected resources even to the unauthenticated users.
I need to protect the URLs completely so that the protected URLs don't even leak any part of that webpage to the unauthenticated users. How do I go about that ?
And, is security implementation using <filter>
in web.xml
a self managed way to deal with security ? I believe then you can then customize security more fine-grained as you are filtering/catching each & every request ?
It are indeed two distinct ways. The <security-constraint>
is part of container managed authentication (CMS). The Filter
is part of homegrown authentication.
To restrict access to certain resources with CMS, you just have to set its <url-pattern>
:
<security-constraint>
<web-resource-collection>
<web-resource-name>Application</web-resource-name>
<url-pattern>/app/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>someRoleName</role-name>
</auth-constraint>
</security-constraint>
The above example puts the constraint on all URLs matching /app/*
and allows access to users with someRoleName
only.
To restrict access to certain resources with a Filter
, you have to set its <url-pattern>
as well:
<filter>
<filter-name>authenticationFilter</filter-name>
<filter-class>com.example.AuthenticationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>authenticationFilter</filter-name>
<url-pattern>/app/*</url-pattern>
</filter-mapping>
You only have to define roles elsewhere, perhaps as an <init-param>
of the filter.
来源:https://stackoverflow.com/questions/7872265/protected-urls-leaking-unprotected-components-of-the-webapge-to-unauthenticated