I have a web.xml in my web application that contains a security constraint similar to the following.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Application</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-role>
  <description>Any logged in user can access this application.</description>
  <role-name>*</role-name>
</security-role>
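This allows any logged-in user to access the application. Is there a way to allow any user to access the application unless they have a certain role?
Something like this: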
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Application</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <exclude-role>
    <role-name>exclude</role-name>
  </exclude-role>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-role>
  <description>Any logged in user can access this application.</description>
  <role-name>*</role-name>
</security-role>
<security-role>
  <description>Except for users with this role.</description>
  <role-name>exclude</role-name>
</security-role>
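I could list every role that should have access, but there are a lot of roles, and we keep adding new roles that should also be able to access this application, so I need a way to exclude one role.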
Answer 0 (score: 0)
You can use a filter:
It is explained in detail at the following link.
See http://www.avajava.com/tutorials/lessons/what-is-a-filter-and-how-do-i-use-it.html
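A sketch of the filter approach suggested in this answer, as an added example that is not code from the original post or the linked tutorial. The class name `ExcludeRoleFilter` is hypothetical, the role name `exclude` is taken from the question, and the code assumes a Servlet 3.0+ container using the `javax.servlet` namespace (newer containers use `jakarta.servlet`) with the question's first `web.xml` left in place so the container still enforces login.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name. Mapped to the same /* pattern as the security constraint.
@WebFilter("/*")
public class ExcludeRoleFilter implements Filter {

    // Role name from the question; it must stay declared as a <security-role> in web.xml.
    private static final String EXCLUDED_ROLE = "exclude";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to configure.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // The constraint in the question names GET/POST/PUT/DELETE only, so a request
        // with any other method is not covered by it and arrives here unauthenticated.
        // Assumption: the whole application requires login, so fail closed.
        if (httpRequest.getUserPrincipal() == null) {
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // The container has already authenticated the caller; deny the one excluded role.
        if (httpRequest.isUserInRole(EXCLUDED_ROLE)) {
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

The filter runs after the container has applied the `<security-constraint>`, so `<auth-constraint>` continues to require a login and the filter only subtracts the one role.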