-1

设想:

应该为某些 servlet 启用安全性(仅通过凭据访问),但对其他 servlet 则不启用。全部通过 web.xml。

4

1 回答 1

7

这是如何完成的:

首先是安全角色+登录配置:

<security-role>
  <description>
    Main user for admin GUI
  </description>
  <role-name>admin</role-name>
</security-role>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>my login</realm-name>
</login-config>

应该公开访问的这个 servlet:

<servlet>
  <description>Landing Page for Admin GUI</description>
  <display-name>StartServlet</display-name>
  <servlet-name>StartServlet</servlet-name>
  <servlet-class>StartServlet</servlet-class>
</servlet>

<servlet-mapping>
  <servlet-name>StartServlet</servlet-name>
  <url-pattern>/index.html</url-pattern>
</servlet-mapping>

所有页面的限制(只能通过管理员用户访问):

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Private</web-resource-name>
    <description>Matches all pages</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
     <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

公开的只有那些:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public</web-resource-name>
    <description>Makes the landing page explicitly public (overrides Private above since more specific!)</description>
    <url-pattern>/index.html</url-pattern>
  </web-resource-collection>
  <!-- No auth-constraint = everybody has access! -->
</security-constraint>
于 2012-12-06T15:07:56.860 回答