Web.xml Security Constraints not working

Submitted by 我的梦境 on 2021-01-29 10:37:47

Question


Trying to get the security aspect of my web app up and going.

I've created a dynamic web application within eclipse and am trying to use a form based authentication setup.

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0"
 xmlns="http://java.sun.com/xml/ns/javaee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
 <display-name>Application</display-name>
 <context-param>
  <param-name>javax.ws.rs.Application</param-name>
  <param-value>com.foo.bar.webservices.MyApplication</param-value>
 </context-param>
 <context-param>
  <param-name>resteasy.servlet.mapping.prefix</param-name>
  <param-value>/resteasy</param-value>
 </context-param>
 <listener>
  <listener-class>org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class>
 </listener>
 <servlet>
  <servlet-name>Resteasy</servlet-name>
  <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
 </servlet>
 <servlet>
  <display-name>LoginServlet</display-name>
  <servlet-name>LoginServlet</servlet-name>
  <servlet-class>httpAuth.LoginServlet</servlet-class>
 </servlet>
 <servlet-mapping>
  <servlet-name>Resteasy</servlet-name>
  <url-pattern>/resteasy/*</url-pattern>
 </servlet-mapping>
 <servlet-mapping>
  <servlet-name>LoginServlet</servlet-name>
  <url-pattern>/LoginServlet</url-pattern>
 </servlet-mapping>
 <welcome-file-list>
  <welcome-file>/login.jsp</welcome-file>
 </welcome-file-list>
 <security-constraint>
  <display-name>Authorized Only</display-name>
  <web-resource-collection>
   <web-resource-name>Authorized Only</web-resource-name>
   <url-pattern>/restricted/*</url-pattern>
   <!-- Only the listed methods are covered; POST, HEAD, DELETE, etc. fall outside this constraint -->
   <http-method>GET</http-method>
   <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
   <description>Allowed users</description>
   <role-name>USER</role-name>
  </auth-constraint>
  <user-data-constraint>
   <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
 </security-constraint>
 <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
   <form-login-page>/login.jsp</form-login-page>
   <form-error-page>/logonError.jsp</form-error-page>
  </form-login-config>
 </login-config>
 <security-role>
  <role-name>USER</role-name>
 </security-role>
</web-app>

However, when I deploy and go to http://localhost:8080/Application/restricted/index.jsp it shows, which it shouldn't do.

EDIT 1: I have made a change to remove /Application. Doing so does not hold on pages such as /restricted/index.jsp

Folder Breakdown

Application
   +build
   -WebContent
     +css
     +img
     +js
     login.jsp
     logonError.jsp
    +META-INF
    -restricted
      index.jsp
    +WEB-INF

Answer 1:


It seems that you are applying the wrong url-pattern. Try changing this

<url-pattern>/Application/restricted/*</url-pattern>

to this

<url-pattern>/restricted/*</url-pattern>



Answer 2:


In our organization, we use security annotations. From my experience, it's been fairly easy and straightforward to setup and implement. We happen to use IBM WebSphere for our application server, but security annotations can be used in any server that supports Java EE 5.

Oracle has a good article on this: http://www.oracle.com/technetwork/articles/javaee/security-annotation-142276.html

Search for "Java security annotations" on the web for more info.




Answer 3:


For your servlet mapping you are using this pattern:

<url-pattern>/resteasy/*</url-pattern>

But for the security constraint you are using this pattern:

<url-pattern>/Application/restricted/*</url-pattern>

These have to match.

I can only assume that this web app is not running from the ROOT context but from the /Application root. The patterns in the web.xml are anchored at the context, so you should drop /Application prefix from the url-pattern.
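Both Answer 1 and Answer 3 come down to the same rule: a url-pattern in web.xml is matched against the request path with the context path already stripped, so `/Application/restricted/*` can never match a request the container sees as `/restricted/index.jsp`. The following is an added illustration written for this page, not code from the poster's project or from any servlet container. It models the url-pattern forms of the Servlet spec (exact, `/dir/*` prefix, `*.ext` extension, and the default `/`), treats an empty `<http-method>` list as "every method", and runs the poster's constraint against a set of constructed sample requests; the context path `/Application`, the probe URIs and the constraint names are assumptions for the example. One simplification: it treats any matching pattern as applicable rather than modelling the spec's best-match selection among competing patterns.

```python
"""Servlet-style <security-constraint> coverage check (added example).

Not the poster's code and not a container implementation: a small model of
how url-patterns and http-method lists decide whether a request is covered.
Context path, probe URIs and constraint names are assumptions for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint>: url-patterns plus an optional method list."""
    name: str
    url_patterns: tuple
    http_methods: tuple = ()      # () means the constraint covers all methods
    roles: tuple = ("USER",)


def pattern_matches(pattern: str, path: str) -> bool:
    """url-pattern matching; path is context-relative (context path stripped)."""
    if pattern == "/":                      # default pattern: everything
        return True
    if pattern.endswith("/*"):              # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):            # extension mapping
        return path.endswith(pattern[1:])
    return pattern == path                  # exact match


def covering_constraints(constraints, path, method):
    """Constraints whose resource collection includes (path, method)."""
    method = method.upper()
    return [c for c in constraints
            if any(pattern_matches(p, path) for p in c.url_patterns)
            and (not c.http_methods or method in c.http_methods)]


def is_protected(constraints, request_uri, method, context_path="/Application"):
    """True if the container would demand a role before serving the request.

    The container strips the context path first, so patterns are matched
    against "/restricted/index.jsp", never "/Application/restricted/index.jsp".
    """
    if not request_uri.startswith(context_path + "/"):
        raise ValueError(f"{request_uri} is outside context {context_path}")
    path = request_uri[len(context_path):]
    return bool(covering_constraints(constraints, path, method))


# The poster's original constraint: pattern includes the context path, and
# only GET and PUT are listed.
AS_POSTED = [Constraint("Authorized Only",
                        url_patterns=("/Application/restricted/*",),
                        http_methods=("GET", "PUT"))]

# Context-relative pattern, as the answers suggest, but still GET/PUT only.
PREFIX_FIXED = [Constraint("Authorized Only",
                           url_patterns=("/restricted/*",),
                           http_methods=("GET", "PUT"))]

# Context-relative pattern with no <http-method> list: every method covered.
ALL_METHODS = [Constraint("Authorized Only",
                          url_patterns=("/restricted/*",))]


def coverage_report(constraints, context_path="/Application"):
    """Map each (uri, method) probe to whether it is protected."""
    probes = [  # constructed sample requests, not from the original page
        ("/Application/restricted/index.jsp", "GET"),
        ("/Application/restricted/index.jsp", "POST"),
        ("/Application/restricted/index.jsp", "HEAD"),
        ("/Application/restricted/admin/delete", "DELETE"),
        ("/Application/login.jsp", "GET"),
    ]
    return {(u, m): is_protected(constraints, u, m, context_path)
            for u, m in probes}


if __name__ == "__main__":
    for label, cs in (("as posted", AS_POSTED), ("prefix fixed", PREFIX_FIXED),
                      ("all methods", ALL_METHODS)):
        print(label)
        for (uri, method), protected in coverage_report(cs).items():
            verdict = "login required" if protected else "served"
            print(f"  {method:6} {uri:42} -> {verdict}")
```

Running it shows the two separate problems: with the `/Application` prefix nothing under `/restricted/` is protected at all, and after fixing the prefix a POST or HEAD to the same page is still served without login because the constraint lists only GET and PUT. Dropping the `<http-method>` elements makes the constraint cover every method; Servlet 3.1 additionally offers `<deny-uncovered-http-methods/>` for deployments that do want to enumerate methods.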




Answer 4:


If you're testing access via a browser, then a <security-constraint> can appear to not be working if you've previously logged into Google in that browser. The login can be persistent and may be getting picked up. It's worth checking a URL in a different browser - you may find that the security then works.



Source: https://stackoverflow.com/questions/17948276/web-xml-security-constraints-not-working
