HTTP状态403-对请求资源的访问已被拒绝(CSS被阻止?) [英] HTTP Status 403 - Access to the requested resource has been denied (CSS blocked?)

问题描述

我一直在尝试保护我的项目.我有一个通过LDAP服务器进行身份验证的登录页面，如果不正确，它会弹出错误页面等.我现在刚刚添加了

I have been trying to secure my project. I have a log in page that authenticates with an LDAP server and if not right it pulls up an error page etc. I have now just added

<auth-constraint> <!-- Currently causing a 403, looks like stoping .css files --> 
    <role-name>*</role-name>
</auth-constraint>

访问我的 web.xml ，以确保用户可以在查看任何页面之前通过身份验证，但是它似乎阻止了我的.css文件，我想现在登录页面没有完全显示任何CSS，并且只是白色基本字体，当我按Submit时，我得到:

to my web.xml, to make sure the users are authenticated before they can view any page, however it seems to be blocking my .css file, Ithink as now the log in page does not display any css at all, and is just white basic, and when I press submit I get:

• http://localhost:8080/fileuploadWithPreview/javax.faces.resource/theme.css.xhtml?ln = primefaces-aristo

出现此错误:

HTTP状态403-拒绝访问所请求的资源

类型状态报告

消息，已拒绝访问所请求的资源

message Access to the requested resource has been denied

描述已被禁止访问指定资源(拒绝访问所请求的资源).

description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

GlassFish Server开源版3.1.2.2

GlassFish Server Open Source Edition 3.1.2.2

这是我的 web.xml :

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee         http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <filter>
        <filter-name>Upload Filter</filter-name>
        <filter-class>richard.fileupload.UploadFilter</filter-class>
        <init-param>
            <param-name>sizeThreshold</param-name>
            <param-value>1024</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>Upload Filter</filter-name>
        <url-pattern>/upload/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
        <welcome-file>index.xhtml</welcome-file>
    </welcome-file-list>
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>
    <context-param>
        <param-name>facelets.LIBRARIES</param-name>
        <param-value>/WEB-INF/corejsf.taglib.xml</param-value>
    </context-param>
    <context-param>
        <param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
        <param-value>true</param-value>
    </context-param>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>LDAP</realm-name>
        <form-login-config>
            <form-login-page>/login.xhtml</form-login-page>
            <form-error-page>/login-failed.xhtml</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>user</role-name>
    </security-role>
    <security-constraint> 
        <web-resource-collection>
            <web-resource-name>Allowed resources</web-resource-name>
            <url-pattern>/javax.faces.resources/*</url-pattern>
        </web-resource-collection>   
        <!-- web resources that are protected -->
        <web-resource-collection>
            <web-resource-name>All Resources</web-resource-name>
            <url-pattern>/*</url-pattern>
            <!-- this is currently causing a 404 -->
            <http-method>GETLIB</http-method>
            <http-method>COPY</http-method>
            <http-method>MOVE</http-method>
            <http-method>DELETE</http-method>
            <http-method>PROPFIND</http-method>
            <http-method>GET</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>MKCOL</http-method>
            <http-method>PROPPATCH</http-method>
            <http-method>LOCK</http-method>
            <http-method>UNLOCK</http-method>
            <http-method>VERSION-CONTROL</http-method>
            <http-method>CHECKIN</http-method>
            <http-method>CHECKOUT</http-method>
            <http-method>UNCHECKOUT</http-method>
            <http-method>REPORT</http-method>
            <http-method>UPDATE</http-method>
            <http-method>CANCELUPLOAD</http-method>
        </web-resource-collection>
        <auth-constraint> <!-- Currently causing a 403, looks like stoping .css files --> 
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
</web-app>

基本上，什么正在停止我的css文件，我该如何允许它?

Basically, what is stopping my css file and how can I allow it?

推荐答案

您的安全约束也阻止了CSS文件上的请求(基本上，它阻止了与指定URL模式一切) >需要指定的登录页面).您需要添加另一个安全约束，该约束应允许对JSF资源的请求.关键是要忽略auth约束，以使每个人都可以访问这些资源.

Your security constraint is also blocking requests on CSS files (basically, it is blocking everything which matches the specified URL pattern of /* expect of the specified login page). You need to add another security constraint which should allow requests on JSF resources. The key is to omit the auth constraint to make those resources accessible by everyone.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Allowed resources</web-resource-name>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No Auth Contraint! -->
</security-constraint>

这篇关于HTTP状态403-对请求资源的访问已被拒绝(CSS被阻止?)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！