Web.xml Security Constraints not working

Trying to get the security aspect of my web app up and going.

I've created a dynamic web application within eclipse and am trying to use a form based authentication setup.

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0"
 xmlns="http://java.sun.com/xml/ns/javaee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
 <display-name>Application</display-name>
 <context-param>
  <param-name>javax.ws.rs.Application</param-name>
  <param-value>com.foo.bar.webservices.MyApplication</param-value>
 </context-param>
 <context-param>
  <param-name>resteasy.servlet.mapping.prefix</param-name>
  <param-value>/resteasy</param-value>
 </context-param>
 <listener>
  <listener-class>org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class>
 </listener>
 <servlet>
  <servlet-name>Resteasy</servlet-name>
  <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
 </servlet>
 <servlet>
  <display-name>LoginServlet</display-name>
  <servlet-name>LoginServlet</servlet-name>
  <servlet-class>httpAuth.LoginServlet</servlet-class>
 </servlet>
 <servlet-mapping>
  <servlet-name>Resteasy</servlet-name>
  <url-pattern>/resteasy/*</url-pattern>
 </servlet-mapping>
 <servlet-mapping>
  <servlet-name>LoginServlet</servlet-name>
  <url-pattern>/LoginServlet</url-pattern>
 </servlet-mapping>
 <welcome-file-list>
  <welcome-file>/login.jsp</welcome-file>
 </welcome-file-list>
 <security-constraint>
  <display-name>Authorized Only</display-name>
  <web-resource-collection>
   <web-resource-name>Authorized Only</web-resource-name>
   <url-pattern>/restricted/*</url-pattern>
   <!-- Naming methods protects only those methods: any method not listed here
        (POST, HEAD, DELETE, ...) is left unconstrained for this url-pattern. -->
   <http-method>GET</http-method>
   <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
   <description>Allowed users</description>
   <role-name>USER</role-name>
  </auth-constraint>
  <user-data-constraint>
   <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
 </security-constraint>
 <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
   <form-login-page>/login.jsp</form-login-page>
   <form-error-page>/logonError.jsp</form-error-page>
  </form-login-config>
 </login-config>
 <security-role>
  <role-name>USER</role-name>
 </security-role>
</web-app>

However, when I deploy and go to http://localhost:8080/Application/restricted/index.jsp it shows, which it shouldn't do.

EDIT 1: Have made a change to remove /Application. Doing so does not hold on pages such as /restricted/index.jsp

Folder Breakdown

Application
   +build
   -WebContent
     +css
     +img
     +js
     login.jsp
     logonError.jsp
    +META-INF
    -restricted
      index.jsp
    +WEB-INF

It seems that you are applying the wrong url-pattern. Try changing this

<url-pattern>/Application/restricted/*</url-pattern>

to this

<url-pattern>/restricted/*</url-pattern>

In our organization, we use security annotations. From my experience, it's been fairly easy and straightforward to setup and implement. We happen to use IBM WebSphere for our application server, but security annotations can be used in any server that supports Java EE 5.

Oracle has a good article on this: http://www.oracle.com/technetwork/articles/javaee/security-annotation-142276.html

Search for "Java security annotations" on the web for more info.
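The answer above describes the annotation route without showing it, so here is an added example (not code from the answer, the question, or any project) of the Servlet 3.0 annotations that express the same policy as the question's security-constraint. The servlet class, its name and its mapping are assumptions chosen for the illustration; the role name USER and the /restricted/* pattern come from the question.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* Added illustration of Servlet 3.0 security annotations (the question's web.xml is version 3.0);
 * not code from the question, the answer, or any project. @ServletSecurity protects only the
 * servlet it is placed on: a plain JSP such as /restricted/index.jsp is still governed by the
 * url-patterns in web.xml, not by this annotation. */
@WebServlet(name = "RestrictedServlet", urlPatterns = {"/restricted/*"})   // assumed mapping
@ServletSecurity(
    // Default for every HTTP method not listed in httpMethodConstraints:
    // the caller must be authenticated and hold the USER role.
    value = @HttpConstraint(rolesAllowed = "USER"),
    httpMethodConstraints = {
        // TRACE has no application use; deny it outright regardless of role.
        @HttpMethodConstraint(value = "TRACE", emptyRoleSemantic = EmptyRoleSemantic.DENY)
    })
public class RestrictedServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated the caller and checked the USER role
        // before this method runs, so getRemoteUser() is non-null here.
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello, " + req.getRemoteUser() + " for " + req.getRequestURI());
    }
}
```

The annotation replaces only the security-constraint element; the login-config (FORM, login page, error page) still has to be declared in web.xml, and the USER role should still be declared there with security-role (or with @DeclareRoles) so that the container knows it. Unlike the question's constraint, which names GET and PUT, the value constraint here covers every method by default and only TRACE is singled out, which avoids leaving unlisted methods uncovered.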

For your servlet mapping you are using this pattern:

<url-pattern>/resteasy/*</url-pattern>

But for the security constraint you are using this pattern:

<url-pattern>/Application/restricted/*</url-pattern>

These have to match.

I can only assume that this web app is not running from the ROOT context but from the /Application root. The patterns in the web.xml are anchored at the context, so you should drop the /Application prefix from the url-pattern.
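To make the point of this answer and the earlier one concrete, here is an added example (not code from any answer, the question, or a servlet container) that applies web.xml security-constraints the way a container does: it strips the context path from the request URI and only then compares the remainder with each url-pattern. It also shows the effect of the http-method list in the question's constraint. The class name, the helper names and the constructed web.xml fragments are assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/* Added illustration (not the poster's file or any container's code): applies web.xml
 * security-constraints the way a Servlet container does. url-patterns are compared with the
 * path AFTER the context path ("/Application" here) is stripped, so a pattern that repeats
 * the context path never matches anything. */
public class ConstraintCheck {

    /** One parsed security-constraint. */
    static final class Constraint {
        final List<String> patterns = new ArrayList<>();
        final List<String> methods = new ArrayList<>();   // empty = every HTTP method
        final List<String> roles = new ArrayList<>();
        boolean hasAuthConstraint;                        // absent => open to everyone
    }

    /** Servlet-spec style match: exact, path prefix ("/dir/*"), extension ("*.jsp") or default ("/"). */
    static boolean matches(String pattern, String path) {
        if (pattern.equals(path)) return true;
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) return path.endsWith(pattern.substring(1));
        return "/".equals(pattern);
    }

    static List<Constraint> parse(String webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD / XXE
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(webXml.getBytes(StandardCharsets.UTF_8)));
        List<Constraint> out = new ArrayList<>();
        NodeList scs = doc.getElementsByTagName("security-constraint");
        for (int i = 0; i < scs.getLength(); i++) {
            Element sc = (Element) scs.item(i);
            Constraint c = new Constraint();
            collect(sc, "url-pattern", c.patterns);
            collect(sc, "http-method", c.methods);
            collect(sc, "role-name", c.roles);
            c.hasAuthConstraint = sc.getElementsByTagName("auth-constraint").getLength() > 0;
            out.add(c);
        }
        return out;
    }

    private static void collect(Element parent, String tag, List<String> into) {
        NodeList nl = parent.getElementsByTagName(tag);
        for (int i = 0; i < nl.getLength(); i++) into.add(nl.item(i).getTextContent().trim());
    }

    /** Decides what the container would do with one request. */
    static String evaluate(List<Constraint> cs, String contextPath, String requestUri, String method) {
        // Strip the context path first; only the remainder is compared with url-patterns.
        String path = requestUri.startsWith(contextPath) ? requestUri.substring(contextPath.length()) : requestUri;
        boolean patternHit = false;
        for (Constraint c : cs) {
            for (String p : c.patterns) {
                if (!matches(p, path)) continue;
                patternHit = true;
                if (c.methods.isEmpty() || c.methods.contains(method)) {
                    if (!c.hasAuthConstraint) return "open (no auth-constraint) for " + path;
                    if (c.roles.isEmpty()) return "denied to everyone (empty auth-constraint) for " + path;
                    return "login + role " + c.roles + " required for " + method + " " + path;
                }
            }
        }
        return patternHit ? "UNCOVERED: " + method + " " + path + " matches a pattern but no listed method"
                          : "UNCONSTRAINED: no pattern matches " + path;
    }

    /** Builds a minimal, constructed web.xml with a single constraint (not the poster's file). */
    static String webXml(String pattern, String... methods) {
        StringBuilder sb = new StringBuilder("<web-app><security-constraint><web-resource-collection>")
                .append("<web-resource-name>r</web-resource-name><url-pattern>").append(pattern).append("</url-pattern>");
        for (String m : methods) sb.append("<http-method>").append(m).append("</http-method>");
        return sb.append("</web-resource-collection><auth-constraint><role-name>USER</role-name>")
                 .append("</auth-constraint></security-constraint></web-app>").toString();
    }

    public static void main(String[] args) throws Exception {
        String ctx = "/Application", uri = "/Application/restricted/index.jsp";
        // Pattern that repeats the context root: never matches, so the JSP is served without login.
        System.out.println(evaluate(parse(webXml("/Application/restricted/*")), ctx, uri, "GET"));
        // Context-relative pattern as the answers suggest: GET now needs the USER role ...
        System.out.println(evaluate(parse(webXml("/restricted/*", "GET", "PUT")), ctx, uri, "GET"));
        // ... but enumerating http-methods leaves every other method, e.g. POST, unprotected.
        System.out.println(evaluate(parse(webXml("/restricted/*", "GET", "PUT")), ctx, uri, "POST"));
    }
}
```

Run with the context root /Application, the first call reports /restricted/index.jsp as unconstrained (nothing matches, which is exactly the symptom in the question), the second reports that GET requires a login with the USER role, and the third reports POST as uncovered. The third case is the caveat worth keeping in mind once the pattern is fixed: omitting the http-method elements altogether makes the constraint cover every method.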

If you're testing access via a browser, then a <security-constraint> can appear to not be working if you've previously logged into Google in that browser. The login can be persistent and may be getting picked up. It's worth checking a URL in a different browser - you may find that the security then works.
