我正在使用本地安全过滤器SCMIS安全过滤器,在我们的Web应用程序中,当用户未经过身份验证以访问位于依赖项JAR文件中的Web应用程序时,该过滤器会调用异常java文件。此过滤器在我们的web.xml文件中定义,但我想知道在调用此特定异常时是否可以绕过此安全过滤器,以便我可以将用户重定向到同一Web应用程序中的特定JSP页面?
这是web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<display-name>SCMIS</display-name>
<filter>
<filter-name>Waffle SecurityFilter</filter-name>
<filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
</filter>
<filter>
<display-name>SCMIS Security Filter</display-name>
<filter-name>SCMISSecurityFilter</filter-name>
<filter-class>org.texashealth.scmis.security.Filter</filter-class>
</filter>
<filter>
<display-name>Stripes Filter</display-name>
<filter-name>StripesFilter</filter-name>
<filter-class>net.sourceforge.stripes.controller.StripesFilter</filter-class>
<init-param>
<param-name>ActionResolver.Packages</param-name>
<param-value>org.texashealth.scm.stripes,org.texashealth.scmis.stripes</param-value>
</init-param>
<init-param>
<param-name>Extension.Packages</param-name>
<param-value>org.texashealth.scmis.stripes.ext</param-value>
</init-param>
<init-param>
<param-name>PopulationStrategy.Class</param-name>
<param-value>net.sourceforge.stripes.tag.BeanFirstPopulationStrategy</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Waffle SecurityFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>Waffle SecurityFilter</filter-name>
<url-pattern>*.action</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>SCMISSecurityFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>SCMISSecurityFilter</filter-name>
<url-pattern>*.action</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>StripesFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
<filter-name>StripesFilter</filter-name>
<servlet-name>StripesDispatcher</servlet-name>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
<servlet>
<display-name>Stripes Dispatcher</display-name>
<servlet-name>StripesDispatcher</servlet-name>
<servlet-class>net.sourceforge.stripes.controller.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>StripesDispatcher</servlet-name>
<url-pattern>*.action</url-pattern>
</servlet-mapping>
<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/error.jsp</location>
</error-page>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
</web-app>
来自过滤器的JAR中调用的异常方法是:
public UnauthorizedException(final HttpServletResponse response, final String userName) throws IOException {
//response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User: " + userName.toUpperCase() + " is not authorized to access this resource");
response.sendRedirect("/nau/unAuthorizedUser.jsp");
}
现在我在启动我的本地tomcat服务器时陷入了循环,因为我在安全过滤器中不断尝试验证用户访问Web应用程序,我无法让用户访问unAuthorizedUser.jsp页面
任何帮助/指示将不胜感激。
答案 0 :(得分:1)
现在,您已在*.jsp上映射了安全过滤器,这显然会拦截所有*.jsp个请求,包括unAuthorizedUser.jsp页面。基本上有两种解决方法:
您需要更改过滤器映射,因为它与unAuthorizedUser.jsp请求不匹配。例如,将其更改为/app/*并将所有受限制的页面放在/app文件夹中。
您需要在if上添加额外的request.getRequestURI()支票,以查看是否已请求unAuthorizedUser.jsp,如果是,请跳过授权检查并继续使用过滤器链。