Multiple security-constraints in web.xml not working


Question

I am upgrading a web application (Servlet 3.0 / Tomcat 7) that requires basic authentication on most of its pages. This application has a small set of monitoring servlets, none of which should be protected. In my web.xml, I currently have the following security-constraint blocks (private info replaced by letters of the alphabet):

<security-constraint>
    <display-name>Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>CN=A,OU=B,OU=C,OU=D,DC=E,DC=F</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Unprotected Pages</web-resource-name>
        <url-pattern>/health/*</url-pattern>
    </web-resource-collection>
</security-constraint>

Within the "health" path there are three endpoints:

  • /health/monitor/status
  • /health/monitor/version
  • /health/monitor/version/xml

When I visit either of the version endpoints, I am not prompted for credentials (as expected). However when I visit the status page, the browser presents me with a basic authentication box. When I hit "Cancel", I'm allowed to load the page normally. Likewise if I've already logged in, I will not be prompted again by the status screen until my login expires.

I realize that this could be solved by not having the secure content deployed to /*, but moving it would be a lot of work changing hard-coded paths and testing (it's a very old application)... and I have 5 or 6 more to do. I'm open to doing this if necessary, but I wanted to find out if this is possible without changing any secure content paths. I do have complete freedom over the paths of the monitoring servlets.

This seems related to Tomcat 7 - Multiple security-constraints not working but rather than total failure just one of my endpoints is failing, which I find very strange. I've spent some time searching and it looks like what I'm doing should work... but it doesn't.

I'm using web-app version 3.0, deploying to Tomcat 7 (have tried versions 7.0.42 and 7.0.47). I have already tried changing the order of the security-constraint blocks.

Any ideas?

Here is my full web.xml for reference (note the monitoring servlets are managed via Java annotations, so are not present):

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0"
     xmlns="http://java.sun.com/xml/ns/javaee"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
     http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

<display-name>TPS</display-name>

<servlet>
    <servlet-name>CFMLServlet</servlet-name>
    <servlet-class>railo.loader.servlet.CFMLServlet</servlet-class>
    <init-param>
      <param-name>configuration</param-name>
      <param-value>/WEB-INF/railo/</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet>
    <servlet-name>AMFServlet</servlet-name>
    <servlet-class>railo.loader.servlet.AMFServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet>
    <servlet-name>AttachmentServlet</servlet-name>
    <servlet-class>com.package.toolshed.AttachmentServlet</servlet-class>
    <init-param>
        <param-name>configFilePath</param-name>
        <param-value>com/package/toolshed/configuration/tps-config.xml</param-value>
    </init-param>
    <init-param>
        <param-name>configPathParam</param-name>
        <param-value>attachment.servlet.pathPrefix</param-value>
    </init-param>
    <load-on-startup>6</load-on-startup>
</servlet>


<servlet-mapping>
    <servlet-name>CFMLServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>CFMLServlet</servlet-name>
    <url-pattern>*.cfml</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>CFMLServlet</servlet-name>
    <url-pattern>*.cfc</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>AMFServlet</servlet-name>
    <url-pattern>/flashservices/gateway/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>AttachmentServlet</servlet-name>
    <url-pattern>/attachments/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<welcome-file-list>
    <welcome-file>index.cfm</welcome-file>
    <welcome-file>index.cfml</welcome-file>
</welcome-file-list>

<security-constraint>
    <display-name>Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>CN=A,OU=B,OU=C,OU=D,DC=E,DC=F</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Unprotected Pages</web-resource-name>
        <url-pattern>/health/*</url-pattern>
    </web-resource-collection>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>TPS</realm-name>
</login-config>

<security-role>
    <role-name>CN=A,OU=B,OU=C,OU=D,DC=E,DC=F</role-name>
</security-role>
</web-app>

Accepted answer

Solved this.

It turns out that the status servlet was loading a CSS document, and that load was triggering the auth. What confuses me is that both status and version load JSPs, and these JSPs do not need to be considered in the security-constraint (one of the steps I took initially was to add *.jsp to my security constraint). The JSPs exist at the same path as the CSS.

New, working web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Unprotected Pages</web-resource-name>
        <url-pattern>/health/*</url-pattern>
        <url-pattern>/monitoringCommon.css</url-pattern>
    </web-resource-collection>
</security-constraint>
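The behaviour in the question and the fix in the answer both follow from how a container selects security constraints. Under the Servlet 3.0 specification (sections 12.1 and 13.8.3) the container picks the single url-pattern that best matches the request path (exact match first, then the longest path prefix, then an extension pattern, then the default "/") and applies only the constraints declared on that pattern; a constraint without an auth-constraint permits unauthenticated access. The Python model below is an added example, not code from the question, the answer or Tomcat; the constraint names, url-patterns and role string are taken from the web.xml above, while the function names and the sample request paths are my own.

```python
"""Model of Servlet-spec security-constraint selection (added example).

Selection rule (Servlet 3.0 spec 12.1 / 13.8.3): find the url-pattern that best
matches the request path, then apply only the constraints declared on that
pattern. Combination rule (13.8.1): if any applicable constraint has no
<auth-constraint>, unauthenticated access is allowed; otherwise the permitted
roles are the union of the declared roles (an empty union denies everyone).
"""
from dataclasses import dataclass
from typing import Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class Constraint:
    name: str
    patterns: Tuple[str, ...]
    roles: Optional[Tuple[str, ...]]  # None = no <auth-constraint> element


# Constraints copied from the question's original web.xml.
ROLE = "CN=A,OU=B,OU=C,OU=D,DC=E,DC=F"
ORIGINAL = (
    Constraint("Protected Area", ("/*",), (ROLE,)),
    Constraint("Unprotected Pages", ("/health/*",), None),
)
# Constraints after the fix given in the answer (CSS added as an exact pattern).
FIXED = (
    ORIGINAL[0],
    Constraint("Unprotected Pages", ("/health/*", "/monitoringCommon.css"), None),
)


def pattern_key(pattern: str, path: str) -> Optional[Tuple[int, int]]:
    """Return a sort key if `pattern` matches `path`, else None.

    Lower keys are better matches: (0, _) exact, (1, -prefix_len) path prefix,
    (2, _) extension, (3, _) the default pattern "/".
    """
    if pattern == "/":
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]  # "/*" -> "", "/health/*" -> "/health"
        if path == prefix or path.startswith(prefix + "/"):
            return (1, -len(prefix))
        return None
    if pattern.startswith("*."):
        last_segment = path.rsplit("/", 1)[-1]
        return (2, 0) if last_segment.endswith(pattern[1:]) else None
    return (0, 0) if pattern == path else None


def best_pattern(constraints: Sequence[Constraint], path: str) -> Optional[str]:
    """The single url-pattern the container selects for this request path."""
    best: Optional[Tuple[Tuple[int, int], str]] = None
    for c in constraints:
        for p in c.patterns:
            key = pattern_key(p, path)
            if key is not None and (best is None or key < best[0]):
                best = (key, p)
    return best[1] if best else None


def required_roles(constraints: Sequence[Constraint], path: str) -> Optional[Set[str]]:
    """None if the path needs no authentication, else the set of permitted roles.

    An empty set means the path is denied to everyone; "*" in the set means any
    authenticated user is accepted.
    """
    pattern = best_pattern(constraints, path)
    if pattern is None:
        return None  # no constraint covers this path at all
    applicable = [c for c in constraints if pattern in c.patterns]
    if any(c.roles is None for c in applicable):
        return None  # 13.8.1: a constraint lacking auth-constraint wins
    roles: Set[str] = set()
    for c in applicable:
        roles.update(c.roles)
    return roles


if __name__ == "__main__":
    # Constructed sample request paths: the three monitoring endpoints from the
    # question plus the stylesheet named in the answer and one protected page.
    for path in ("/health/monitor/status", "/health/monitor/version",
                 "/health/monitor/version/xml", "/monitoringCommon.css",
                 "/index.cfm"):
        for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
            print(f"{label:8} {path:30} pattern={best_pattern(cfg, path)!s:24} "
                  f"roles={required_roles(cfg, path)}")
```

Running the script shows the asymmetry the question describes: `/health/*` out-ranks `/*` as the longer prefix, so all three monitoring endpoints are unprotected, while the stylesheet fetched by the browser in a separate request matches only `/*` and triggers BASIC auth. In the fixed configuration the exact pattern `/monitoringCommon.css` out-ranks both prefixes and carries no auth-constraint. The JSPs mentioned in the answer never needed a pattern because the specification does not apply security constraints to resources reached through RequestDispatcher forward or include; only the browser's own requests, such as the one for the CSS, are checked.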
