Protected URLs leaking unprotected components of the webpage to unauthenticated users


Question

I believe implementing security for a JSF application through <login-config> + <security-constraint> + <security-role>, and through use of a <filter>, are two different ways? Are they?

I tried implementing security through the first method above (using <login-config> + <security-constraint> + <security-role>), but found that my protected webpage, which used both protected and unprotected HTML components, was delivered with its unprotected resources even to unauthenticated users.

I need to protect the URLs completely, so that the protected URLs don't leak any part of that webpage to unauthenticated users. How do I go about that?

And is security implementation using a <filter> in web.xml a self-managed way to deal with security? I believe you can then customize security in a more fine-grained way, as you are filtering/catching each and every request?

Answer

These are indeed two distinct ways. The <security-constraint> is part of container managed authentication (CMS). The Filter is part of homegrown authentication.

To restrict access to certain resources with CMS, you just have to set its <url-pattern>:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Application</web-resource-name>
        <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>someRoleName</role-name>
    </auth-constraint>
</security-constraint>

The above example puts the constraint on all URLs matching /app/* and allows access only to users with someRoleName.

To restrict access to certain resources with a Filter, you have to set its <url-pattern> as well:

<filter>
    <filter-name>authenticationFilter</filter-name>
    <filter-class>com.example.AuthenticationFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>authenticationFilter</filter-name>
    <url-pattern>/app/*</url-pattern>
</filter-mapping>

You only have to define the roles elsewhere, perhaps as an <init-param> of the filter.
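As an added example (not code from the original answer), here is one way the com.example.AuthenticationFilter referenced in the <filter-mapping> above could be written. It assumes two conventions that are not stated on the page: a successful login stores a User object under the session attribute "user", and the roles allowed under /app/* are supplied as a comma-separated "allowedRoles" init-param of the filter (the "elsewhere" the answer mentions); the /login.xhtml path is likewise an assumption. Whichever approach is used, the check a practitioner wants is the same: both a <security-constraint> and a <filter-mapping> are applied per request URL, so the <url-pattern> must cover the page's own URL as well as every resource it includes, otherwise the uncovered parts are served to anyone.

```java
package com.example;

import java.io.IOException;
import java.net.URLEncoder;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Homegrown authentication filter, mapped to /app/* in web.xml.
 * Assumed conventions (example only, not from the original answer):
 *  - the login page stores a User under the session attribute "user";
 *  - the roles allowed under /app/* come from the comma-separated
 *    "allowedRoles" init-param of this filter.
 */
public class AuthenticationFilter implements Filter {

    private static final String LOGIN_PAGE = "/login.xhtml"; // assumed login page
    private Set<String> allowedRoles;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String roles = config.getInitParameter("allowedRoles");
        if (roles == null || roles.trim().isEmpty()) {
            // Fail closed: refuse to start rather than silently allow every request.
            throw new ServletException("allowedRoles init-param is required");
        }
        allowedRoles = new HashSet<>();
        for (String role : roles.split(",")) {
            allowedRoles.add(role.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false); // never create a session here
        User user = (session == null) ? null : (User) session.getAttribute("user");

        if (user == null) {
            // Unauthenticated: stop the chain, so neither the page nor any resource
            // under /app/* is written to the response. The return target is the
            // server-side request URI, not a client-supplied URL.
            String target = request.getRequestURI();
            if (request.getQueryString() != null) {
                target += "?" + request.getQueryString();
            }
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE
                    + "?from=" + URLEncoder.encode(target, "UTF-8"));
            return;
        }

        if (!hasAllowedRole(user)) {
            // Authenticated but not authorized: answer 403 instead of a login redirect loop.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Keep protected responses out of shared caches and the browser's back/forward cache.
        response.setHeader("Cache-Control", "no-store");
        chain.doFilter(req, res);
    }

    private boolean hasAllowedRole(User user) {
        for (String role : user.getRoles()) {
            if (allowedRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() { }

    /** Minimal session principal assumed by this example. */
    public static final class User {
        private final String name;
        private final Set<String> roles;
        public User(String name, Set<String> roles) {
            this.name = name;
            this.roles = Collections.unmodifiableSet(new HashSet<>(roles));
        }
        public String getName() { return name; }
        public Set<String> getRoles() { return roles; }
    }
}
```

To wire the roles in, add an <init-param> with <param-name>allowedRoles</param-name> and <param-value>someRoleName</param-value> inside the <filter> element shown above; the login page itself must live outside the mapped /app/* pattern, or the redirect would be intercepted by this same filter.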

