
jetty 8 web.xml: Allow low-privilege user to access just one page, admin user required for all others via security-constraints

I want to secure my web app such that only the "admin" user can access all of the pages, but a special "test" user can access the status page.

Here is what I've tried:

In web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything else</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Status page</web-resource-name>
      <url-pattern>/status/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>test</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>     <!-- Use http basic authentication -->
    <realm-name>MyApp Realm</realm-name>  <!-- users are defined in this realm -->
  </login-config>

Unfortunately, when I tried to access the status page ( https://localhost:444/app-0.0.1-SNAPSHOT/hbr/status ) with the test user I get the following:

Problem accessing /app-0.0.1-SNAPSHOT/hbr/status. Reason: 
     !role

Any idea how I can fix this?

It turns out that the "status" page is not at the root of the app, but part of a subservice called "hbr" ("hbr" is the only subservice, which is why I didn't notice). The following change to the second security-constraint causes the app to work as expected:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Status page</web-resource-name>
      <!-- context-relative path; the servlet spec requires the leading slash
           for a path-prefix pattern (Jetty adds it if it is missing) -->
      <url-pattern>/hbr/status/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>test</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
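To see why the first pattern never governed /hbr/status and the corrected one does, here is an added example (not from the question or from Jetty) that parses the constraints from a web.xml string and resolves a request path with the servlet-spec precedence Jetty's ConstraintSecurityHandler applies; the web.xml text, the paths and the role sets are constructed for the example.

```python
# Added example (not from the question or from Jetty): an offline check of which
# web.xml security-constraint governs a request path, using the servlet-spec
# precedence Jetty applies: exact pattern first, then the longest "/prefix/*",
# then "*.ext", then "/"; roles of constraints sharing the winning pattern are
# unioned. Assumes every security-constraint carries an auth-constraint.
import xml.etree.ElementTree as ET

# Constructed from the question's web.xml, with the corrected status pattern.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>Everything else</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Status page</web-resource-name>
      <url-pattern>/hbr/status/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>test</role-name><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Map each url-pattern to the union of role-names allowed on it."""
    rules = {}
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        roles = {r.text.strip() for r in sc.iter("role-name")}
        for pat in sc.iter("url-pattern"):
            rules.setdefault(pat.text.strip(), set()).update(roles)
    return rules

def best_match(patterns, path):
    """Return the single pattern whose constraint applies to `path`."""
    if path in patterns:  # exact match always wins
        return path
    prefixes = [p for p in patterns if p.endswith("/*")
                and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:  # longest path-prefix match wins over shorter ones
        return max(prefixes, key=len)
    exts = [p for p in patterns if p.startswith("*.") and path.endswith(p[1:])]
    if exts:
        return exts[0]
    return "/" if "/" in patterns else None

def is_allowed(rules, path, user_roles):
    """Do the user's roles satisfy the governing constraint? An empty role set denies everyone; "*" admits any authenticated user."""
    pattern = best_match(rules, path)
    if pattern is None:
        return True  # no constraint covers the path
    roles = rules[pattern]
    return "*" in roles or bool(roles & set(user_roles))
```

Swapping the status pattern back to `/status/*` makes `/*` the best match for `/hbr/status`, which is the `!role` denial the question shows.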
