Original question: http://stackoverflow.com/questions/2768500/
Note: this content is provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must attribute it to the original authors (not me): StackOverflow
url-pattern and wildcards
Asked by mmutilva
While configuring the security constraints for a web-module's roles in J2EE application I'm having the following problem:
Application:
Given a servlet named customersServlet, which receives two parameters in the URL:
- A string representing an operation (INS, UPD, DLT and DSP).
- An identification number to identify a customer on which the operation will be performed.
E.g.: the URL /servlet/customersServlet?UPD,5 is used to update customer number 5 data, and the URL /servlet/customersServlet?DLT,8 is used to delete customer number 8.
Problem:
If I use this security-constraint the servlet can only be accessed by the role specified, which is ok:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>...</web-resource-name>
        <url-pattern>/servlet/clientsServlet*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>clientAdmin</role-name>
    </auth-constraint>
</security-constraint>
But I want to restrict the ability to insert customers only to a role named clientAdmin.
I've tried several url patterns but none of them works as I want (all of them allow every role to access the servlet with any parameter):
<url-pattern>/servlet/clientsServlet?INS,*</url-pattern>
<url-pattern>/servlet/clientsServlet?INS/*</url-pattern>
...
How to use the wildcard * in the url-pattern tag?
Note: The application cannot be changed, so I need a solution that only implies touching the deployment descriptor.
Answered by Roland Illig
The <url-pattern> tag only allows a very restricted subset of wildcards. This is probably not what you are used to from other situations, where a * can be used at any position. You can download the Servlet specification here:
http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index2.html
Section SRV.11.2 of that document describes how these URL patterns are interpreted. In particular, the * does not mean "zero or more arbitrary characters" here.
Answered by McDowell
Note: The application cannot be changed, so I need a solution that only implies touching the deployment descriptor.
Not sure if this counts as an application change - perhaps you could think of it as a plug-in. You could add a Filter. This would require the ability to add a new JAR to WEB-INF/libs and the ability to define the filter in web.xml. The Filter would allow you to restrict access programmatically.
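The Filter approach suggested in this answer, as an added example that is not part of the original answer or the asker's application. The class name OperationRoleFilter and the "OP,ID" query-string parsing are assumptions based on the URLs in the question; the INS operation and the clientAdmin role come from the question.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: map it in web.xml (<filter> + <filter-mapping>) to the
// servlet's URL. Keep the existing <security-constraint> so the container
// still authenticates the user before isUserInRole() is consulted.
public class OperationRoleFilter implements Filter {
    private static final String RESTRICTED_OP = "INS";          // from the question
    private static final String REQUIRED_ROLE = "clientAdmin";  // from the question
    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String op = operationOf(request.getQueryString());
        if (RESTRICTED_OP.equals(op) && !request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // do not invoke the servlet
        }
        chain.doFilter(req, res);
    }

    // Assumed format "OP,ID" as in /servlet/customersServlet?UPD,5.
    // getQueryString() is not URL-decoded, so decode and normalise case here:
    // an encoded or lower-case operation is then compared like the literal one.
    static String operationOf(String rawQuery) throws IOException {
        if (rawQuery == null) return "";
        String decoded;
        try {
            decoded = URLDecoder.decode(rawQuery, "UTF-8");
        } catch (IllegalArgumentException e) {
            return RESTRICTED_OP; // malformed escape: treat as restricted (fail closed)
        }
        int comma = decoded.indexOf(',');
        String op = comma >= 0 ? decoded.substring(0, comma) : decoded;
        return op.trim().toUpperCase(Locale.ROOT);
    }
}
```

The query string has to be inspected in code because, as the first answer notes, url-pattern matching follows the restricted rules of SRV.11.2 and cannot express a pattern on the request parameters.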

