jetty 8 web.xml: Allow low-privilege user to access just one page, admin user required for all others via security-constraints
I want to secure my web app such that only the "admin" user can access all of the pages, but a special "test" user can access the status page.
Here is what I've tried:
In web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Everything else</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Status page</web-resource-name>
        <url-pattern>/status/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>test</role-name>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method> <!-- Use http basic authentication -->
    <realm-name>MyApp Realm</realm-name> <!-- users are defined in this realm -->
</login-config>
Unfortunately, when I tried to access the status page ( https://localhost:444/app-0.0.1-SNAPSHOT/hbr/status ) with the test user I get the following:
Problem accessing /app-0.0.1-SNAPSHOT/hbr/status. Reason:
!role
Any idea how I can fix this?
It turns out that the "status" page is not at the root of the app, but part of a subservice called "hbr" ("hbr" is the only subservice, which is why I didn't notice). The following change to the second security-constraint causes the app to work as expected:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Status page</web-resource-name>
        <!-- path is relative to the context root; a path-prefix url-pattern must start with "/" and end with "/*" -->
        <url-pattern>/hbr/status/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>test</role-name>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
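The reason the first attempt failed is the servlet url-pattern matching rule: for a given request path (relative to the context root, so `/hbr/status`, not `/app-0.0.1-SNAPSHOT/hbr/status`) only the most specific matching pattern decides which roles are allowed, so `/status/*` never applied and `/*` (admin only) did. The following added Python example, not code from the question or from Jetty, reproduces that matching over the web.xml fragment above (embedded as a constructed string) so you can check a constraint set before deploying it.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment with the two constraints from the answer above.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything else</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Status page</web-resource-name>
      <url-pattern>/hbr/status/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>test</role-name><role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return a list of (url_pattern, allowed_roles) from a web.xml string."""
    out = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        roles = {r.text.strip() for r in sc.findall("auth-constraint/role-name")}
        for pat in sc.findall("web-resource-collection/url-pattern"):
            out.append((pat.text.strip(), roles))
    return out

def pattern_matches(pattern, path):
    """Servlet-spec url-pattern kinds: path prefix, extension, exact."""
    if pattern == "/":                       # default pattern matches everything
        return True
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]                # "/hbr/status/*" -> "/hbr/status"
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):             # extension mapping, e.g. "*.jsp"
        return path.endswith(pattern[1:])
    return path == pattern                   # anything else (e.g. missing "/") is exact only

def best_match(constraints, path):
    """Most specific (longest) matching pattern wins; constraints with other
    patterns do not contribute their roles (simplified: extension patterns are
    ranked below prefix patterns in the full spec)."""
    hits = [(p, r) for p, r in constraints if pattern_matches(p, path)]
    return max(hits, key=lambda pr: len(pr[0]), default=None)

def authorized(constraints, path, user_roles):
    """True if no constraint covers the path or the user holds an allowed role."""
    m = best_match(constraints, path)
    return True if m is None else bool(m[1] & set(user_roles))
```

Swapping the status pattern back to `/status/*` (or dropping the leading slash) makes `best_match` fall through to `/*`, which is the `!role` response seen in the question.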