Whitelist security constraint in web.xml


Problem description


I'm using Tomcat for my Struts2 application. The web.xml has certain entries as shown below:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
<security-constraint>
   <web-resource-collection>
       <web-resource-name>no_access</web-resource-name>
       <url-pattern>/jsp/*</url-pattern>
   </web-resource-collection>
   <auth-constraint/>
</security-constraint>
<security-constraint>
   <web-resource-collection>
       <web-resource-name>no_access</web-resource-name>
       <url-pattern>/myrrunner/*</url-pattern>
   </web-resource-collection>
   <auth-constraint/>
</security-constraint>

How can I change the above blacklisted parts to use only a whitelisting part... For example, instead of blacklisting the PUT and DELETE http methods, I need to whitelist the other methods, but I'm not sure of the syntax for whitelisting them & which methods to whitelist.

For my above web.xml snippet, I'll appreciate it if someone can provide me with the whitelisting counterpart of the above xml.

Also, how would I really verify whether the solution works or not?

Thanks

Recommended answer

I would try the following:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- no auth-constraint tag here -->
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
   <auth-constraint/>
</security-constraint>

The first security-constraint does not have any auth-constraint, so the GET and POST methods are available to anyone without login. The second restricts the other http methods for everybody. (I haven't tried it.)
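The syntax the question asks for, and a way to check it, as an added example written for this page rather than code from the question or the answer. Since Servlet 3.0 (Tomcat 7 and later) a `<web-resource-collection>` may list `<http-method-omission>` elements instead of `<http-method>`: the constraint then covers every method except the omitted ones, so one deny-all constraint on `/*` that omits GET, POST and HEAD blocks PUT, DELETE, TRACE and anything you did not think of (OPTIONS, PROPFIND, made-up verbs) without a second, overlapping constraint. The block embeds a constructed web.xml in that form, a small evaluator that models Tomcat's url-pattern precedence and its rule that a matching empty `<auth-constraint/>` is final (extension patterns such as `*.jsp` are not modelled), and a `probe()` helper that sends each method to a deployed test instance and collects the status codes. The function names, the base URL and the paths are this example's own assumptions.

```python
# Added example, not code from the question or the answer: a static evaluator
# for <security-constraint> entries plus a live probe.
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: one deny-all constraint covering every method except GET,
# POST and HEAD. <http-method-omission> needs the Servlet 3.0+ schema, hence
# version="3.1". The question's /jsp/* and /myrrunner/* constraints stay as they
# are: with no <http-method> element they already cover every method.
WHITELIST_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything except GET, POST and HEAD</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
      <http-method-omission>HEAD</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def _local(tag):
    """'{namespace}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]

def _texts(parent, name):
    """Text of every direct child element called `name`."""
    return [e.text.strip() for e in parent if _local(e.tag) == name]

def parse_constraints(web_xml_text):
    """One dict per <web-resource-collection>, with its <auth-constraint> decoded."""
    out = []
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [e for e in sc if _local(e.tag) == "auth-constraint"]
        roles = _texts(auth[0], "role-name") if auth else []
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            out.append({
                "patterns": _texts(wrc, "url-pattern"),
                "methods": {m.upper() for m in _texts(wrc, "http-method")},
                "omissions": {m.upper() for m in _texts(wrc, "http-method-omission")},
                "has_auth": bool(auth),                # absent => open to everyone
                "deny_all": bool(auth) and not roles,  # empty <auth-constraint/> => nobody
            })
    return out

def covers_method(c, method):
    """No method elements: all methods. <http-method>: only those listed.
    <http-method-omission>: every method except those listed."""
    if c["omissions"]:
        return method not in c["omissions"]
    if c["methods"]:
        return method in c["methods"]
    return True

def select_constraints(constraints, method, path):
    """Constraints that govern (method, path), modelled on Tomcat's RealmBase:
    an exact url-pattern wins, else the longest matching '/prefix/*', else '/'
    (*.ext patterns are not modelled). The method filter runs only inside the
    winning pattern, so a /* entry that skips the method constrains nothing."""
    method = method.upper()
    exact = [c for c in constraints if path in c["patterns"]]
    if exact:
        return [c for c in exact if covers_method(c, method)]
    ranked = []
    for c in constraints:
        stems = [p[:-2] for p in c["patterns"] if p.endswith("/*")]
        hits = [s for s in stems if s == "" or path == s or path.startswith(s + "/")]
        if hits:
            ranked.append((max(len(s) for s in hits), c))
    if ranked:
        best = max(n for n, _ in ranked)
        return [c for n, c in ranked if n == best and covers_method(c, method)]
    return [c for c in constraints if "/" in c["patterns"] and covers_method(c, method)]

def anonymous_access(constraints, method, path):
    """'open', 'denied' (empty <auth-constraint/>, Tomcat sends 403) or 'login'
    (roles required). A matching deny-all is final, as in Tomcat's RealmBase."""
    governing = select_constraints(constraints, method, path)
    if any(c["deny_all"] for c in governing):
        return "denied"
    if any(not c["has_auth"] for c in governing):
        return "open"
    return "login" if governing else "open"

def probe(base_url, path, methods=("GET", "POST", "HEAD", "PUT", "DELETE", "TRACE", "OPTIONS")):
    """Live check against a test deployment (base_url is assumed): {method: status}."""
    results = {}
    for m in methods:
        req = urllib.request.Request(base_url.rstrip("/") + path, method=m)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                results[m] = resp.status
        except urllib.error.HTTPError as e:
            results[m] = e.code
    return results
```

Be deliberate about HEAD and OPTIONS: a constraint that omits only GET and POST returns 403 for HEAD and OPTIONS as well, which breaks some clients. To verify on a real deployment, run something like `probe("http://localhost:8080/myapp", "/index.html")` against a test instance and expect 200 for GET, POST and HEAD and 403 for everything else; Tomcat answers TRACE with 405 regardless unless `allowTrace="true"` is set on the Connector. The overlap in the answer above (an unconstrained `/*` entry for GET and POST beside a deny-all `/*` entry for all methods) is exactly the case where such a check matters: Tomcat's RealmBase treats a matching empty `<auth-constraint/>` as final, so both constraints apply to GET and the deny-all wins, which the evaluator reproduces.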
