
I have only a few pages, laid out in the following structure.

--Project
  |---WebContect
      |----Admin/ *
      |----Author/ * 
      |----Readonly/ * 
      |----Index.jsp

I want to restrict users from accessing the pages under `Admin`, `Author` and `Readonly`. I don't want anyone to access those pages. If somebody tries to, they should be redirected to `index.jsp`.

The simplest solution I can think of is a Filter, but I am trying to find out whether it can be done with web.xml.


3 Answers


If you want nobody to be able to access these pages directly, just put them in the /WEB-INF folder.

Project
 `-- WebContect
      |-- WEB-INF
      |    |-- Admin
      |    |-- Author
      |    `-- Readonly
      `-- Index.jsp

This way the pages are not publicly accessible, but only by a servlet which performs a forward. When the enduser attempts to access it directly, all he will get is a HTTP 404 error.

An alternative is configuring a role-less <security-constraint>.

<security-constraint>
    <display-name>Restrict direct access to certain folders</display-name>
    <web-resource-collection>
        <web-resource-name>Restricted folders</web-resource-name>
        <url-pattern>/Admin/*</url-pattern>
        <url-pattern>/Author/*</url-pattern>
        <url-pattern>/Readonly/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

When the enduser attempts to access them, all he will get is a HTTP 403 error.

Either way, it isn't possible to redirect the enduser to index.jsp this way. Only a Filter can do that. You could configure the index.jsp as error page location for 404 or 403.

<error-page>
    <error-code>404</error-code>
    <location>/index.jsp</location>
</error-page>

But this would cover all 404's (or 403's), not sure if that is what you want.

Answered 2012-06-29T13:06:01.067
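The answer above says a Filter is the only way to turn the block into a redirect. The following is an added example of such a Filter (Servlet 3.0 API; it is not code from the answer or the original question). It assumes the three folders from the question, a redirect target of `/index.jsp`, and the class name `RestrictedFolderFilter`, all of which are illustrative. The key detail is `dispatcherTypes = DispatcherType.REQUEST`: the filter only fires on direct client requests, so a servlet that does `getRequestDispatcher("/Admin/x.jsp").forward(...)` still reaches the page, which mirrors the WEB-INF behaviour described above.

```java
import java.io.IOException;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class): blocks direct browser access to the
 * Admin, Author and Readonly folders and redirects to index.jsp instead.
 *
 * Only DispatcherType.REQUEST is filtered, so server-side forwards and
 * includes from your own servlets are not affected.
 */
@WebFilter(
        urlPatterns = {"/Admin/*", "/Author/*", "/Readonly/*"},
        dispatcherTypes = {DispatcherType.REQUEST})
public class RestrictedFolderFilter implements Filter {

    // Assumed redirect target; the question's tree spells it Index.jsp,
    // adjust to whatever the real file is called (paths are case-sensitive).
    private static final String REDIRECT_TARGET = "/index.jsp";

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to configure.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Deliberately never call chain.doFilter(): a direct request to a
        // restricted folder must not reach the JSP at all. Context path is
        // prepended so the redirect works when the app is not deployed at "/".
        response.setHeader("Cache-Control", "no-store");
        response.sendRedirect(request.getContextPath() + REDIRECT_TARGET);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Two caveats a reviewer would raise. First, the filter protects by URL pattern, so it is only as good as the container's path matching; moving the folders under /WEB-INF as the answer suggests is the stronger control because the container refuses to serve anything there regardless of how the path was spelled. Second, if you later add a servlet that forwards into these folders, that servlet becomes the authorization point, so the role check belongs there (or in a `<security-constraint>` on the servlet's own URL).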

Have you tried this? (URL mapping example)

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- These are the groups in AD -->
        <role-name>Engineering</role-name>
        <role-name>Migration Expert</role-name>
        <role-name>Developers</role-name>
    </auth-constraint>
</security-constraint>

<!-- No <auth-constraint> here, so /update/* is reachable without logging in -->
<security-constraint>
    <web-resource-collection>
        <!-- web-resource-name is required by the schema; the value is just a label -->
        <web-resource-name>Update</web-resource-name>
        <url-pattern>/update/*</url-pattern>
    </web-resource-collection>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Services Portal</realm-name>
</login-config>
Answered 2012-06-29T09:53:17.067

If you want to grant access to pages/folders by role permission, you have to have a security-constraint in your web.xml file.

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DESC_OF_FOLDER</web-resource-name>
      <url-pattern>/users/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>REGISTERED_USER_ROLE</role-name>
    </auth-constraint>
  </security-constraint>

The role can be checked with this code if you are using standard JAAS authentication:

// getUserPrincipal() returns null for an unauthenticated request,
// so check the Principal itself before calling getName() on it.
java.security.Principal principal = request.getUserPrincipal();
if (principal != null && principal.getName() != null) {
    String userName = principal.getName().trim();
    .....

    // Role names passed to isUserInRole() must be declared in web.xml
    // with <security-role> (or mapped through <security-role-ref>).
    if (request.isUserInRole("REGISTERED_USER_ROLE")) {
        .....
    }
}

Hope this helps

UPDATE

And for the redirection to the login page you should also have something like this in the web.xml:

<!-- form-login-config is only valid inside login-config with auth-method FORM -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
Answered 2012-06-29T15:27:20.873
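The two approaches on this page combine naturally: keep the JSPs under /WEB-INF (first answer) and put the `isUserInRole` check (this answer) in the servlet that forwards to them. The following is an added example of that servlet; it is not code from any of the answers. The servlet mapping `/admin`, the role name `ADMIN_ROLE`, and the page `/WEB-INF/Admin/dashboard.jsp` are assumptions for illustration, and `ADMIN_ROLE` would have to be declared with `<security-role>` in web.xml.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical servlet): the only way into the Admin pages.
 * Because the JSP lives under /WEB-INF the container never serves it
 * directly; this servlet decides who gets it and forwards server-side.
 */
@WebServlet("/admin")
public class AdminServlet extends HttpServlet {

    // Assumed page location; anything under /WEB-INF is not URL-addressable.
    private static final String ADMIN_PAGE = "/WEB-INF/Admin/dashboard.jsp";

    // Assumed role name; must match a <security-role> in web.xml.
    private static final String REQUIRED_ROLE = "ADMIN_ROLE";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Unauthenticated: send to the public index page, as the question asks.
        if (request.getUserPrincipal() == null) {
            response.sendRedirect(request.getContextPath() + "/index.jsp");
            return;
        }

        // Authenticated but lacking the role: 403, do not leak the page.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Authorised: forward is server-side, so the /WEB-INF restriction
        // does not apply and the browser never sees the real JSP path.
        request.getRequestDispatcher(ADMIN_PAGE).forward(request, response);
    }
}
```

If `/admin` is also covered by a `<security-constraint>` with `<auth-constraint><role-name>ADMIN_ROLE</role-name></auth-constraint>`, the container enforces the login before `doGet` runs and the in-code check becomes defence in depth rather than the only gate; either way, keep the check in the servlet so a later change to web.xml cannot silently open the page.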