
Avoid direct access to static content in webapps

I have integrated Shiro into my Spring MVC application for security reasons.

All my urls are working fine, but I have a few html pages which can be directly accessed.

How can I protect those pages, meaning if a user is not logged in to an application, and tries to open an html page, they should be redirected to the login page.

I have tested on jetty and tomcat server.

Jetty

http://ip:port - works fine, redirects to login page

http://ip:port/html/ - opens html pages

Tomcat

http://localhost:8070/my-app/html/myPage.html - opens html pages

Basically I do not want direct access of my static content without a user being logged in.

My html file is integrated with angular code. Is there any sort of servlet that can create and return html from it? Meaning I will read html from some other specific location, parse it and return html in the response.

html file location - my-app\\html\\myPage.html

Shiro settings in web.xml

<filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy
        </filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

When I build the war, it also copies the images and html folders outside WEB-INF. How can I avoid copying the images and html folders outside WEB-INF using Maven?

You can avoid direct access to the pages by placing them in the WEB-INF folder.

In shiro.ini, try:

[urls]

/*.html = authc

You can use the following, but it is still recommended to do this from shiro.ini, as you never know when your application will grow, and it would be unmanageable to do this from web.xml. It also makes web.xml fat. This is for non-Spring. The configuration you are showing is only for Shiro setup, not for securing URLs. For securing URLs, you either have to do it programmatically or from web.xml.

<filter>
    <filter-name>ShiroFilter</filter-name>
    <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
    <init-param><param-name>config</param-name><param-value>

    # INI Config Here

    [urls]

    /*.html = authc



    </param-value></init-param>
</filter>
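
For the Spring setup in the question, where web.xml only wires a DelegatingFilterProxy named shiroFilter, the URL rules belong in the Spring bean with that same id. The following is an added example, not code from the question or the answers; the /login URL, the /images/** rule, the bean ids other than shiroFilter, and the com.example.security.MyRealm class are assumptions for illustration.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

  <!-- The bean id must equal the <filter-name> in web.xml so that
       DelegatingFilterProxy can look it up. -->
  <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager"/>
    <!-- Assumed login URL, served by an application controller. Unauthenticated
         requests to any authc path are redirected here. -->
    <property name="loginUrl" value="/login"/>
    <property name="filterChainDefinitions">
      <value>
        # Paths are relative to the context path (/my-app on Tomcat).
        # The first matching line wins, so specific rules go above the catch-all.
        /login = anon
        # Ant-style patterns: * stays inside one path segment, ** spans
        # directories, so this line covers /html/myPage.html and deeper files.
        /html/** = authc
        /images/** = authc
        # Default deny: anything not listed above also requires a login.
        /** = authc
      </value>
    </property>
  </bean>

  <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="realm" ref="myRealm"/>
  </bean>

  <!-- Hypothetical class standing in for the application's own Realm. -->
  <bean id="myRealm" class="com.example.security.MyRealm"/>

  <!-- Calls init() and destroy() on Shiro beans that implement those lifecycle hooks. -->
  <bean id="lifecycleBeanPostProcessor"
        class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
</beans>
```

If the login page itself loads stylesheets or scripts, those paths need their own anon line above the catch-all, otherwise the page renders unstyled for logged-out users.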
