我想知道以下配置是否安全:
/ManageXXXX.do,/ManageYYYY.do,......所访问的网页应该只能由admin角色访问,每个其他网页都可供所有人使用。
我已经配置了web.xml文件:
<security-constraint>
<web-resource-collection>
<url-pattern>/Manage*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
现在我想知道这对于试图超越安全性的人来说是多么可靠。这是否可以阻止我的Manage*页面被未经授权的用户阻止?我想知道这种模式匹配的安全性。
答案 0 :(得分:1)
来自Servlet API规范: http://www.jcp.org/aboutJava/communityprocess/mrel/jsr154/
SRV.11.2 Specification of Mappings
In the Web application deployment descriptor, the following syntax is used to define
mappings:
• A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping.
• A string beginning with a ‘*.’ prefix is used as an extension mapping.
• A string containing only the ’/’ character indicates the "default" servlet of
the application. In this case the servlet path is the request URI minus the con-
text path and the path info is null.
• All other strings are used for exact matches only.
根据Servlet API规范,模式/Manage*是“仅完全匹配”,它不是您想要的。
请将角色管理员的所有资源移至/Manage/并配置模式<url-pattern>/Manage/*</url-pattern>