javaee url-pattern "/" matches everything, while this should be the case for "/*" only, not for "/"


Problem description

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Common pages</web-resource-name>
      <url-pattern>/test1.html</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>MY_GROUP</role-name>
    </auth-constraint>
  </security-constraint>

As expected, with this constraint, the page /test1.html needs authentication, and the page /test2.html does not need authentication.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Common pages</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>MY_GROUP</role-name>
    </auth-constraint>
  </security-constraint>

As expected, with this constraint, all pages need authentication, including /test2.html.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Common pages</web-resource-name>
      <url-pattern>/</url-pattern>
      <url-pattern>/test1.html</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>MY_GROUP</role-name>
    </auth-constraint>
  </security-constraint>

With this constraint, I would expect that the page /test1.html and / need authentication, but the page /test2.html should not need authentication.

However, it turns out that /test2.html also requires authentication.

Question 1. Is that normal? Why is that so?

Question 2. Where is it written in the specification that the url-pattern "/" is equivalent to "/*"? Java Servlet Specification 2.5: http://goo.gl/UxoPL

Question 3. How can I tell that the root page "/" requires authentication, but not the other pages?

PS: I am using jboss-eap-4.3.

Recommended answer

The / is a special URL pattern which matches everything which is not matched by any of the more specific servlet URL patterns in the same webapp like /app/*, *.do, etc. It's, say, the "default servlet". This is by default handled by the servlet container's own default servlet and is usually used for static resources like plain vanilla HTML/CSS/JS/image files for which none of the webapp's own servlets would be invoked. Tomcat for example has the DefaultServlet for this purpose.

The /* is an overly generic URL pattern which matches everything, including the "default servlet" requests. This URL pattern is normally to be used by filters only, not by servlets. Otherwise you'd have to reinvent the job of the servlet container's own default servlet to deal with static files like plain vanilla HTML/CSS/JS/image files.

As to your concrete functional requirement, you need to specify a welcome file for /

<welcome-file-list>
    <welcome-file>index.html</welcome-file>
</welcome-file-list>

and then put the security constraint URL pattern on /index.html instead.
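To see why /test2.html ends up protected in the third configuration, here is an added example (not code from the question, the answer, or any servlet container) that models the Servlet mapping order: exact match, then longest path prefix, then extension, then the default "/". The class and method names are hypothetical, and paths are assumed to be relative to the context root.

```java
import java.util.List;

/** Added example: simplified best-match selection of a url-pattern. */
public class ConstraintMatch {

    /** Returns the pattern that best matches path, or null if none applies. */
    static String bestMatch(List<String> patterns, String path) {
        // 1. An exact match wins.
        if (patterns.contains(path)) return path;

        // 2. Longest path-prefix pattern ("/foo/*", "/*").
        String best = null;
        for (String p : patterns) {
            if (!p.endsWith("/*")) continue;
            String prefix = p.substring(0, p.length() - 2);   // "/*" -> ""
            boolean hit = path.equals(prefix) || path.startsWith(prefix + "/");
            if (hit && (best == null || p.length() > best.length())) best = p;
        }
        if (best != null) return best;

        // 3. Extension pattern ("*.do"), compared with the last path segment.
        String segment = path.substring(path.lastIndexOf('/') + 1);
        int dot = segment.lastIndexOf('.');
        if (dot >= 0) {
            String ext = "*" + segment.substring(dot);
            if (patterns.contains(ext)) return ext;
        }

        // 4. "/" is the default mapping: it catches whatever is left over.
        return patterns.contains("/") ? "/" : null;
    }

    public static void main(String[] args) {
        // url-patterns of the three constraints from the question.
        List<List<String>> constraints = List.of(
            List.of("/test1.html"),
            List.of("/*"),
            List.of("/", "/test1.html"));
        for (List<String> patterns : constraints) {
            for (String path : List.of("/", "/test1.html", "/test2.html")) {
                String m = bestMatch(patterns, path);
                System.out.printf("%-20s %-12s -> %s%n", patterns, path,
                    m == null ? "unconstrained" : "constrained by " + m);
            }
        }
    }
}
```

With the third pattern set, /test2.html has no exact, prefix or extension match, so it falls through to "/" and is constrained, which is the behaviour the question reports.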
