web.xml中的安全性约束未应用于具有文件扩展名的URL模式 [英] Security constraint in web.xml not getting applied to URL patterns having file extension

问题描述

我在web.xml中输入了以下安全约束.我的目标是XML文件位于公共"区域中.这适用于/images/*文件夹.但是url-pattern *.xml似乎不起作用.有什么想法吗?

I have the following security constraints entered in the web.xml. My objective is that the XML files are in the Public area. This works for the /images/* folder. However the url-pattern *.xml does not seem to work. Any ideas ?

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Public Area</web-resource-name>
            <url-pattern>/xyz</url-pattern>
            <url-pattern>/images/*</url-pattern>
            <url-pattern>/yyz/*</url-pattern>
            <url-pattern>*.xml</url-pattern>
        </web-resource-collection>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Super User Area</web-resource-name>
            <url-pattern>/test/list1</url-pattern>
            <url-pattern>/test/list2</url-pattern>
            <url-pattern>/test/list3</url-pattern>
            <url-pattern>/test/admin.html</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>SUPER_USER</role-name>
        </auth-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMIN</role-name>
            <role-name>END_USER</role-name>
        </auth-constraint>
    </security-constraint>


    <security-role>
        <description>Super User</description>
        <role-name>SUPER_USER</role-name>
    </security-role>
    <security-role>
        <description>Admin User</description>
        <role-name>ADMIN</role-name>
    </security-role>
    <security-role>
        <description>End User</description>
        <role-name>END_USER</role-name>
    </security-role>

推荐答案

您的其他URL模式比该url-pattern-* .xml requestURI匹配的项更多，这就是为什么它不起作用的原因.例如，如果您拥有/test/list/user.xml，那么这将被视为超级用户区域中的网络资源集合，因此 SUPER_USER 仅具有访问权限.因此，请确保将url-pattern声明为更特定于资源，以避免冲突和误解.谢谢

One of your other URL patterns matches more than this url-pattern - *.xml requestURI, that's why it's not working. For example, if you have /test/list/user.xml, then this will be treated as a web resource collection in Super user Area and thus SUPER_USER can only have access. so, ensure that url-pattern is declared more specific to resources to avoid clashes and mis-interpretation. Thanks

这篇关于web.xml中的安全性约束未应用于具有文件扩展名的URL模式的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！