Protected URLs leaking unprotected components of the webpage to unauthenticated users
Question
I believe that implementing security for a JSF application through <login-config> + <security-constraint> + <security-role> and through use of a <filter> are two different ways!? Are they?
I tried implementing security through the first method above (using <login-config> + <security-constraint> + <security-role>) but found that my protected webpage, which was using both protected and unprotected HTML components, was delivered with its unprotected resources even to unauthenticated users.
I need to protect the URLs completely, so that the protected URLs don't leak even a part of that webpage to unauthenticated users. How do I go about that?
And is a security implementation using a <filter> in web.xml a self-managed way to deal with security? I believe that you can then customize security in a more fine-grained way, as you are filtering/catching each and every request?
Answer
They are indeed two distinct ways. The <security-constraint> is part of container managed authentication (CMS). The Filter is part of homegrown authentication.
To restrict access to certain resources with CMS, you just have to set its <url-pattern>:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Application</web-resource-name>
            <url-pattern>/app/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>someRoleName</role-name>
        </auth-constraint>
    </security-constraint>
The above example puts the constraint on all URLs matching /app/* and allows access only to users with someRoleName.
To restrict access to certain resources with a Filter, you have to set its <url-pattern> as well:
    <filter>
        <filter-name>authenticationFilter</filter-name>
        <filter-class>com.example.AuthenticationFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>authenticationFilter</filter-name>
        <url-pattern>/app/*</url-pattern>
    </filter-mapping>
You only have to define the roles elsewhere, perhaps as an <init-param> of the filter.
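The following is an added example of what the com.example.AuthenticationFilter mapped above could look like; it is not code from the original answer. It assumes (these names are not on the page) that the login page stores the authenticated user's roles in the session as a Set<String> under the attribute "roles", that the allowed roles arrive as a comma-separated init-param named "allowedRoles", and that the login page lives at /login.xhtml, outside the /app/* mapping so the filter does not run on it.

```java
package com.example;

import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Homegrown authentication filter, mapped to /app/* in web.xml.
 * Assumed conventions (not from the original page): the login page puts the
 * user's roles in the session under "roles" as a Set<String>, and the roles
 * allowed to pass are configured by the init-param "allowedRoles".
 */
public class AuthenticationFilter implements Filter {

    private static final String ROLES_ATTRIBUTE = "roles";   // assumed session attribute
    private static final String LOGIN_PAGE = "/login.xhtml";  // assumed login page, outside /app/*

    private Set<String> allowedRoles;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("allowedRoles");  // assumed init-param name
        if (param == null || param.trim().isEmpty()) {
            // Fail closed: a missing role list must not silently become "allow everyone".
            throw new ServletException("init-param 'allowedRoles' is required");
        }
        allowedRoles = new HashSet<String>();
        for (String role : param.split(",")) {
            allowedRoles.add(role.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) never creates a session for an anonymous caller.
        HttpSession session = request.getSession(false);
        @SuppressWarnings("unchecked")
        Set<String> userRoles = (session == null)
                ? null
                : (Set<String>) session.getAttribute(ROLES_ATTRIBUTE);

        if (userRoles == null) {
            // Not authenticated: nothing under /app/* is served, not even a partial page.
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }

        if (!hasAllowedRole(userRoles)) {
            // Authenticated but not authorized for this resource.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Every request matching the mapping, including CSS, scripts and images
        // that live under /app/*, reaches this point only after the checks above.
        chain.doFilter(request, response);
    }

    /** True when the user holds at least one of the configured roles. */
    boolean hasAllowedRole(Set<String> userRoles) {
        for (String role : userRoles) {
            if (allowedRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

The role list is supplied inside the <filter> element of web.xml as <init-param><param-name>allowedRoles</param-name><param-value>someRoleName</param-value></init-param>. Whichever of the two approaches is used, only requests whose URL matches the <url-pattern> are checked: a page under /app/* that references stylesheets, scripts or images served from a path outside that pattern still exposes those resources to anyone, so the pattern (or an additional one) has to cover every resource that is meant to be private.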