[英]Protected URLs leaking unprotected components of the webapge to unauthenticated users
I believe implementing security for a JSF application through <login-config>
+ <security-constraint>
+ <security-role>
& through use of <filter>
are two different ways !? 我相信通过<login-config>
+ <security-constraint>
+ <security-role>
以及通过使用<filter>
为JSF应用程序实现安全性是两种不同的方式! Are they ? 是吗
I tried implementing security through the first method above(using <login-config>
+ <security-constraint>
+ <security-role>
) but found that my protected webpage that was using both protected & unprotected HTML components was delivered with unprotected resources even to the unauthenticated users. 我尝试通过上述第一种方法(使用<login-config>
+ <security-constraint>
+ <security-role>
)实现<security-role>
但发现同时使用受保护和不受保护的HTML组件的受保护网页甚至都随不受保护的资源一起交付给未经身份验证的用户。
I need to protect the URLs completely so that the protected URLs don't even leak any part of that webpage to the unauthenticated users. 我需要完全保护URL,以便受保护的URL甚至不会将该网页的任何部分泄漏给未经身份验证的用户。 How do I go about that ? 我该怎么办?
And, is security implementation using <filter>
in web.xml
a self managed way to deal with security ? 而且,在web.xml
使用<filter>
安全性实现是否是应对安全性的自我管理方式? I believe then you can then customize security more fine-grained as you are filtering/catching each & every request ? 我相信,然后您可以在过滤/捕获每个请求时更细化自定义安全性?
It are indeed two distinct ways. 实际上,这是两种不同的方式。 The <security-constraint>
is part of container managed authentication (CMS). <security-constraint>
是容器管理的身份验证(CMS)的一部分。 The Filter
is part of homegrown authentication. Filter
是本地身份验证的一部分。
To restrict access to certain resources with CMS, you just have to set its <url-pattern>
: 要使用CMS限制对某些资源的访问,只需设置其<url-pattern>
:
<security-constraint>
<web-resource-collection>
<web-resource-name>Application</web-resource-name>
<url-pattern>/app/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>someRoleName</role-name>
</auth-constraint>
</security-constraint>
The above example puts the constraint on all URLs matching /app/*
and allows access to users with someRoleName
only. 上面的示例对所有与/app/*
匹配的URL施加约束,并仅允许访问具有someRoleName
用户。
To restrict access to certain resources with a Filter
, you have to set its <url-pattern>
as well: 要使用Filter
限制对某些资源的访问,还必须设置其<url-pattern>
:
<filter>
<filter-name>authenticationFilter</filter-name>
<filter-class>com.example.AuthenticationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>authenticationFilter</filter-name>
<url-pattern>/app/*</url-pattern>
</filter-mapping>
You only have to define roles elsewhere, perhaps as an <init-param>
of the filter. 您只需要在其他地方定义角色,也许作为过滤器的<init-param>
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.