Security of a web.xml security-constraint url-pattern

Date: 2013-05-23 09:58:16

Tags: apache tomcat struts web.xml security-constraint

I would like to know whether the following configuration is secure:

The pages reached through /ManageXXXX.do, /ManageYYYY.do, ... should be accessible only to the admin role; every other page is available to everyone.

I have configured the web.xml file as follows:

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/Manage*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

Now I would like to know how reliable this is against someone trying to get around the security. Does this prevent my Manage* pages from being accessed by unauthorized users? I am asking about the security of this kind of pattern matching.

1 answer:

Answer 0 (score: 1)

From the Servlet API specification: http://www.jcp.org/aboutJava/communityprocess/mrel/jsr154/

SRV.11.2 Specification of Mappings
In the Web application deployment descriptor, the following syntax is used to define mappings:
• A string beginning with a '/' character and ending with a '/*' suffix is used for path mapping.
• A string beginning with a '*.' prefix is used as an extension mapping.
• A string containing only the '/' character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
• All other strings are used for exact matches only.

According to the Servlet API specification, the pattern /Manage* is an "exact match only" pattern, which is not what you want. Move all resources for the admin role under /Manage/ and configure the pattern <url-pattern>/Manage/*</url-pattern>.
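To make the answer's point concrete, here is an added example (not code from the question, the answer, or the Servlet specification) that implements the four SRV.11.2 mapping rules and checks which request paths each candidate <url-pattern> covers. Security constraints use the same url-pattern syntax as servlet mappings, so a pattern that only ever matches one literal path protects only that path. The request paths in REQUESTS are constructed for illustration; `classify`, `matches` and `constrained_paths` are names chosen here, not spec API.

```python
"""Servlet url-pattern matching (SRV.11.2) applied to a security-constraint.

Added example: it implements the four mapping rules the answer quotes and
evaluates the question's patterns against constructed request paths
(request URI with the context path already removed).
"""
from typing import List, Literal

Kind = Literal["path", "extension", "default", "exact"]


def classify(pattern: str) -> Kind:
    """Classify a url-pattern according to SRV.11.2, in the order the spec lists the rules."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    if pattern == "/":
        return "default"
    # Anything else, including "/Manage*", is compared literally.
    return "exact"


def matches(pattern: str, path: str) -> bool:
    """Return True if the request path is covered by the pattern."""
    kind = classify(pattern)
    if kind == "path":
        # "/Manage/*" covers "/Manage" and everything below "/Manage/",
        # but not "/Management/...": the boundary must be a slash.
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        # Extension mapping looks only at the last path segment.
        last_segment = path.rsplit("/", 1)[-1]
        return last_segment.endswith(pattern[1:])
    if kind == "default":
        return True
    # Exact mapping: the "*" in "/Manage*" is an ordinary character.
    return path == pattern


def constrained_paths(pattern: str, paths: List[str]) -> List[str]:
    """Subset of `paths` that the pattern would place under the auth-constraint."""
    return [p for p in paths if matches(pattern, p)]


# Constructed request paths for the demonstration (context path already stripped).
REQUESTS = [
    "/ManageXXXX.do",
    "/ManageYYYY.do",
    "/Manage*",            # the only path the literal pattern "/Manage*" ever matches
    "/Manage/XXXX.do",
    "/Manage/YYYY.do",
    "/Manage",
    "/index.do",
    "/Management/foo.do",  # shares the prefix but is outside "/Manage/*"
]


def report(pattern: str) -> None:
    print(f"{pattern!r} is a {classify(pattern)} mapping and protects:")
    for path in constrained_paths(pattern, REQUESTS):
        print("   ", path)


if __name__ == "__main__":
    report("/Manage*")        # the question's pattern: protects nothing useful
    report("/Manage/*")       # the answer's pattern: protects the /Manage/ subtree
    report("/ManageXXXX.do")  # an exact pattern per action also works without moving files
```

Running the block shows that `/Manage*` covers only a request for the literal path `/Manage*`, so `/ManageXXXX.do` is served to everyone, while `/Manage/*` covers `/Manage` and every path beneath `/Manage/` once the actions are moved there. If moving the actions is not an option, the spec leaves one other choice: list each protected action as its own exact pattern (`/ManageXXXX.do`, `/ManageYYYY.do`) in the web-resource-collection. Also note that the question's web-resource-collection names no `<http-method>`; in the Servlet 2.4 specification that means the constraint applies to all HTTP methods, which is the safe default to keep.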