<security-constraint> <url-pattern> and the * character within web.xml


Problem description

Using Spring for Security, I can get the program running using the following code.

<intercept-url pattern="/web/admin**/**" access="ROLE_ADMIN" requires-channel="https"/>
<intercept-url pattern="/web/**/" access="ROLE_USER,ROLE_ADMIN" requires-channel="https"/>

I am currently trying to do this within a web.xml, using JBOSS to deploy a .war file. Below is what I have. The url-pattern is what is causing me the problems in the first security-constraint. The pages are located at, and named, /web/adminarchive, /web/adminsettings, /web/adminstuff, etc. The code above within Spring handled it the way I want, with the URL being /web/admin**/** to catch all admin pages. I commented out the /* section, since I know it works, leaving just the admin one. Using that structure throws no errors; it just doesn't prompt for login at all.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Name</web-resource-name>
        <url-pattern>/web/admin**/**</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_ADMIN</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Name</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ROLE_USER</role-name>
    </auth-constraint>
</security-constraint>

Recommended answer

Update

You are right, the code I posted won't work for the purpose you need.

According to the Java Servlet 3.1 Specification, chapter 12.2, the mappings are defined as follows:

In the Web application deployment descriptor, the following syntax is used to define mappings:

  • A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping.
  • A string beginning with a ‘*.’ prefix is used as an extension mapping.
  • The empty string ("") is a special URL pattern that exactly maps to the application's context root, i.e., requests of the form http://host:port//. In this case the path info is ‘/’ and the servlet path and context path is empty string ("").
  • A string containing only the ‘/’ character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
  • All other strings are used for exact matches only.

The last constraint:

All other strings are used for exact matches only.

To my understanding you won't be able to use the ** wildcard referring to subdirectories, since it will be a specific match.

It seems <url-pattern>/web/admin/*</url-pattern> should work.
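
An added example, not part of the original question or answer: a small Python audit script that classifies each url-pattern by the chapter 12.2 rules quoted above and flags patterns whose `*` the container will treat as an ordinary character. The sample descriptor and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor: the question's pattern beside two valid forms.
SAMPLE_WEB_XML = """<web-app><security-constraint><web-resource-collection>
  <url-pattern>/web/admin**/**</url-pattern>
  <url-pattern>/web/admin/*</url-pattern>
  <url-pattern>*.jsp</url-pattern>
</web-resource-collection></security-constraint></web-app>"""

def classify(pattern):
    """Mapping type of a url-pattern per Servlet 3.1, section 12.2."""
    if pattern == "":
        return "context-root"
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    return "exact"  # everything else, including '/web/admin**/**'

def matches(pattern, path):
    """True if a request path (context path removed) falls under pattern."""
    kind = classify(pattern)
    if kind == "path":
        prefix = pattern[:-2]  # '/web/admin/*' -> '/web/admin'
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if kind == "context-root":
        return path == "/"
    if kind == "default":
        return True  # fallback when no other pattern applies
    return path == pattern  # exact match: '*' is an ordinary character

def literal_wildcards(web_xml):
    """url-patterns that contain '*' yet are only ever matched exactly."""
    found = []
    for el in ET.fromstring(web_xml).iter():
        # Drop any XML namespace so versioned descriptors are handled too.
        if el.tag.rsplit("}", 1)[-1] == "url-pattern":
            pattern = (el.text or "").strip()
            if "*" in pattern and classify(pattern) == "exact":
                found.append(pattern)
    return found

if __name__ == "__main__":
    for p in literal_wildcards(SAMPLE_WEB_XML):
        print("treated as a literal, protects nothing by wildcard:", p)
```

Running `matches` against the paths a constraint is meant to cover, such as /web/adminarchive, shows whether a pattern actually applies before the descriptor is deployed.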
