Security constraint in Java web.xml not applied to URL patterns that carry a file extension

Notice: this page is a Chinese-English bilingual translation of a popular StackOverflow question, published under the CC BY-SA 4.0 license. If you reuse it you must comply with the CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). Original StackOverflow address: http://stackoverflow.com/questions/19441487/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Time: 2020-08-12 17:11:37  Source: igfitidea

Security constraint in web.xml not getting applied to URL patterns having file extension

Tags: java, servlets, web.xml, security-constraint

Asked by mithrandir

I have the following security constraints entered in the web.xml. My objective is that the XML files are in the Public area. This works for the /images/* folder. However the url-pattern *.xml does not seem to work. Any ideas?

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Public Area</web-resource-name>
            <url-pattern>/xyz</url-pattern>
            <url-pattern>/images/*</url-pattern>
            <url-pattern>/yyz/*</url-pattern>
            <url-pattern>*.xml</url-pattern>
        </web-resource-collection>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Super User Area</web-resource-name>
            <url-pattern>/test/list1</url-pattern>
            <url-pattern>/test/list2</url-pattern>
            <url-pattern>/test/list3</url-pattern>
            <url-pattern>/test/admin.html</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>SUPER_USER</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMIN</role-name>
            <role-name>END_USER</role-name>
        </auth-constraint>
    </security-constraint>


    <security-role>
        <description>Super User</description>
        <role-name>SUPER_USER</role-name>
    </security-role>
    <security-role>
        <description>Admin User</description>
        <role-name>ADMIN</role-name>
    </security-role>
    <security-role>
        <description>End User</description>
        <role-name>END_USER</role-name>
    </security-role>

Accepted answer by Keerthivasan

One of your other URL patterns matches more than this url-pattern (*.xml) for the request URI, that's why it's not working. For example, if you have /test/list/user.xml, then this will be treated as a web resource collection in Super User Area and thus only SUPER_USER can have access. So, ensure that the url-pattern is declared more specifically to resources to avoid clashes and misinterpretation. Thanks
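Which constraint governs a given request URI follows the Servlet specification's best-match rule for url-patterns (exact match first, then the longest path prefix, then an extension pattern, then the default "/"), and constraints whose patterns tie are combined. The script below is an added example, not code from the question or either answer: it encodes the question's web.xml as data and resolves URIs to the roles they require, which is a quick way to verify that a resource you believe is public or protected really is.

```python
# Added example (not from the question or either answer): which
# <security-constraint> governs a request URI under the Servlet spec's
# best-match rule: exact, then longest path prefix ("/x/*"), then extension
# ("*.ext"), then default "/". "/*" is a prefix pattern with an empty prefix.

# The question's web.xml as data: (name, url-patterns, roles).
# roles=None means no <auth-constraint>: unauthenticated access is allowed.
CONSTRAINTS = [
    ("Public Area", ["/xyz", "/images/*", "/yyz/*", "*.xml"], None),
    ("Super User Area",
     ["/test/list1", "/test/list2", "/test/list3", "/test/admin.html"],
     ["SUPER_USER"]),
    ("Protected Area", ["/*"], ["ADMIN", "END_USER"]),
]

def match_key(pattern, uri):
    """Sort key for a pattern that matches uri (smaller wins), else None."""
    if pattern == uri:
        return (0, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]                 # "/*" -> "" matches all URIs
        if uri == prefix or uri.startswith(prefix + "/"):
            return (1, -len(prefix))          # longer prefix is more specific
    if pattern.startswith("*.") and uri.endswith(pattern[1:]):
        return (2, 0)
    if pattern == "/":
        return (3, 0)
    return None

def applicable_constraints(uri, constraints=CONSTRAINTS):
    """Every constraint whose best pattern ties for the best match of uri."""
    best, hits = None, []
    for name, patterns, roles in constraints:
        for pattern in patterns:
            key = match_key(pattern, uri)
            if key is None:
                continue
            if best is None or key < best:
                best, hits = key, [(name, roles)]
            elif key == best and (name, roles) not in hits:
                hits.append((name, roles))
    return hits

def required_roles(uri):
    """None if reachable unauthenticated (an applicable constraint lacks an
    auth-constraint), else the union of role names across the applicable ones."""
    hits = applicable_constraints(uri)
    if not hits or any(roles is None for _, roles in hits):
        return None
    return sorted({role for _, roles in hits for role in roles})
```

Running required_roles("/config.xml") shows the question's symptom: the prefix pattern /* outranks the extension pattern *.xml, so the XML file lands in Protected Area rather than Public Area.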

Answered by Prakash V

Actually, the sequence of the placement is the issue: the first security constraint should be the super_user one, then the public area security constraints. If you put the public area security constraint first, it will be overwritten by the security constraints that follow.