
I would like to know whether the following configuration is secure:

The pages reachable at /ManageXXXX.do, /ManageYYYY.do, ... should be accessible only through the admin role; all other pages are available to anyone.

I have configured the web.xml file as:

    <security-constraint>
        <web-resource-collection>
            <!-- web-resource-name is a required child of web-resource-collection -->
            <web-resource-name>Admin pages</web-resource-name>
            <url-pattern>/Manage*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

Now I would like to know how reliable this is against someone trying to get past the security. Does this guarantee that unauthorized users are blocked from my Manage* pages? I just want to know how secure this pattern matching is.


1 Answer


From the Servlet API specification: http://www.jcp.org/aboutJava/communityprocess/mrel/jsr154/

SRV.11.2 Specification of Mappings
In the Web application deployment descriptor, the following syntax is used to define mappings:
• A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping.
• A string beginning with a ‘*.’ prefix is used as an extension mapping.
• A string containing only the ’/’ character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
• All other strings are used for exact matches only.

According to the Servlet API specification, the pattern /Manage* is an "exact match only", which is not what you want. Move all resources for the admin role to /Manage/ and configure the pattern <url-pattern>/Manage/*</url-pattern>.

Answered 2013-05-23T12:25:55.953
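To make the four SRV.11.2 rules quoted in the answer concrete, here is an added example (not part of the original question or answer) that models them and checks which of the admin pages a given url-pattern actually covers. It assumes request paths are context-relative and already normalised by the container; the sample paths are constructed from the question.

```python
"""Model of the SRV.11.2 url-pattern rules, used to audit which request paths
a web.xml <security-constraint> covers. Added example, not from the original
page; paths are assumed context-relative and container-normalised.
"""


def pattern_matches(pattern: str, path: str) -> bool:
    """Return True if web.xml url-pattern `pattern` covers request `path`."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        # Path mapping: '/Manage/*' covers '/Manage' itself and everything
        # below it, segment by segment, so '/Manager' or '/ManageX.do' do not.
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        # Extension mapping: the last path segment must carry that extension.
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if pattern == "/":
        # Default servlet: taken on its own, this covers every request path.
        return True
    # Every other string, including '/Manage*', is an exact match only;
    # the '*' is just a literal character here, not a wildcard.
    return path == pattern


def unprotected(pattern: str, admin_paths: list[str]) -> list[str]:
    """Admin-only paths that the constraint would leave open to everyone."""
    return [p for p in admin_paths if not pattern_matches(pattern, p)]


# Constructed sample paths: the admin pages as the question names them, and
# the same pages after moving them under /Manage/ as the answer recommends.
ORIGINAL_ADMIN_PAGES = ["/ManageXXXX.do", "/ManageYYYY.do"]
MOVED_ADMIN_PAGES = ["/Manage/XXXX.do", "/Manage/YYYY.do"]

if __name__ == "__main__":
    for pattern, pages in [("/Manage*", ORIGINAL_ADMIN_PAGES),
                           ("/Manage/*", ORIGINAL_ADMIN_PAGES),
                           ("/Manage/*", MOVED_ADMIN_PAGES)]:
        print(f"{pattern:<10} leaves open: {unprotected(pattern, pages)}")
```

Running it shows that changing the pattern to /Manage/* alone still leaves /ManageXXXX.do and /ManageYYYY.do open; only after the pages are moved under /Manage/ does the constraint cover them.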