设想:
应该为某些 servlet 启用安全性(仅通过凭据访问),但对其他 servlet 则不启用。全部通过 web.xml。
这是如何完成的:
首先是安全角色+登录配置:
<security-role>
<description>
Main user for admin GUI
</description>
<role-name>admin</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>my login</realm-name>
</login-config>
应该公开访问的这个 servlet:
<servlet>
<description>Landing Page for Admin GUI</description>
<display-name>StartServlet</display-name>
<servlet-name>StartServlet</servlet-name>
<servlet-class>StartServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>StartServlet</servlet-name>
<url-pattern>/index.html</url-pattern>
</servlet-mapping>
所有页面的限制(只能通过管理员用户访问):
<security-constraint>
<web-resource-collection>
<web-resource-name>Private</web-resource-name>
<description>Matches all pages</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
公开的只有那些:
<security-constraint>
<web-resource-collection>
<web-resource-name>Public</web-resource-name>
<description>Makes the landing page explicitly public (overrides Private above since more specific!)</description>
<url-pattern>/index.html</url-pattern>
</web-resource-collection>
<!-- No auth-constraint = everybody has access! -->
</security-constraint>