发表新帖
发表新帖

Precedence of security-constraint over filters in Servlets

前端 未结
关注
2 1754
情话喂你
情话喂你 2020-12-16 05:26

While studying about security-constraints and filters in servlets, I made the following declarations in the web.xml file, which didn\'t work as I expected:

&
相关标签:
2条回答
  • 闹比i
    2020-12-16 06:00

    Filter execution comes into the "serving" side of the request. Security constraints operate prior to that. They help the server decide whether the url will be served. You can think of filters role as something that executes "just before/after servlet execution".

    0 讨论(0)
  • 栀梦
    2020-12-16 06:14

    The container processes the security constraints first.

    In a nutshell the Servlet container first examines the incoming URL and checks if it matched the so-called excluded or unchecked constraints. Excluded means the URL can not be accessed by anyone, while unchecked means the opposite and allows everyone to access the URL.

    At this stage the container can call your own code if you installed a so-called JACC provider.

    After this the container may try to authenticate the current user, where it can call your own code again. If you registered a SAM (ServerAuthModule) this will always be called at this point, if you didn't register a SAM or when you are working with a non-full Java EE implementation (e.g. a Java EE web profile server like TomEE or a bare Servlet container like Tomcat) it depends on the server if some kind of server specific login module is always called (rare) or only called when access is not granted to the unauthenticated user (typical).

    The SAM is a filter-like thing as it can redirect, forward and wrap the request and response, but it's not an HTTP Servlet Filter.

    After authentication succeeds your JACC Policy will be called again, or when you haven't installed one the container will use a proprietary mechanism to see if you now have access when authenticated.

    If it's indeed determined that you have access, the so-called "resource" will be invoked, which means the container will call the first Filter in the filtering chain, which will eventually call through to the target Servlet to which the requested URL was mapped.

    You can read more about the SAM here: http://arjan-tijms.omnifaces.org/2012/11/implementing-container-authentication.html

    And more about JACC providers here: http://arjan-tijms.omnifaces.org/2014/03/implementing-container-authorization-in.html

    0 讨论(0)
 看不清?
提交回复
热议问题