Tomcat Web xml URL-Pattern does not accept urls with parameters?

I am trying to secure a few pages on tomcat6 for a vended application. I was successful with securing using URL-pattern for most of the URLs except two (marked with double asterisks in the code below). These two URLs are different in that they take parameters that determine the view. I would like to restrict those two views and hence have specified the exact URLs to be blocked/secured/authenticated as shown below. But tomcat does not secure them.

    <security-constraint>
            <web-resource-collection>
                    <web-resource-name>TopBraid</web-resource-name>
                    <description>Restrict few pages that need security.</description>
                    <url-pattern>/tbl/admin/*</url-pattern>
                    <url-pattern>/tbl/sparql/*</url-pattern>
                    **<url-pattern>/tbl/swp?_viewClass=appConfig:ServerConfigEditor</url-pattern>**
                    **<url-pattern>/tbl/swp?_viewClass=adminConfig:AdminEditPage</url-pattern>**
                    <url-pattern>/tbl/sp_reset</url-pattern>
                    <url-pattern>/tbl/sp_redeploy</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                    <role-name>SERVER_ADMINS</role-name>
            </auth-constraint>
    </security-constraint>
    <security-role>
            <role-name>SERVER_ADMINS</role-name>
    </security-role>
    <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>TopBraid</realm-name>
            <form-login-config>
                    <form-login-page>/logon.html</form-login-page>
                    <form-error-page>/logonError.html</form-error-page>
            </form-login-config>
    </login-config>
    <security-constraint>
            <web-resource-collection>
                <web-resource-name>Public</web-resource-name>
                <description>Matches any page.</description>
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
    </security-constraint>

I know the JSR spec might call them invalid patterns. Wondering if the pattern could be somehow specified such that it is acceptable. Or are there other ways to restrict access to the two URLs I have listed above?

Restricting access to specific URL parameters and their values, like you are trying to do above (/tbl/swp?_viewClass=tblconfig:ConfigEditor, /tbl/swp?_viewClass=admins:AdminsEditorPage), is not possible from the web or application server. This type of filtering/URL restriction will have to be performed by the application itself, through creating a unique session for those views.

When the application server parses incoming URLs, its job is done once it reaches the first "?", which is the first parameter to be passed to the application. From here, any type of filtering/access control must be handled by the application.
