javax.faces.webapp.FacesServlet文档中,提到了,Allowable HTTP Methods
The JSF specification only requires the use of the GET and POST http
methods. If your web application does not require any other http
methods,such as PUT and DELETE,please consider restricting the
allowable http methods using the<http-method>and
<http-method-omission>elements. Please see the Security of the Java
Servlet Specification for more information the use of these elements.
我的应用程序确实不依赖于其他HTTP方法(GET和POST除外).因此,我正在尝试使用< http-method> (或< http-method-omission>)排除除GET和POST之外的所有方法.
在web.xml中,JAAS Servlet安全性约束配置如下.
<security-constraint>
<display-name>AdminConstraint</display-name>
<web-resource-collection>
<web-resource-name>ROLE_ADMIN</web-resource-name>
<description/>
<url-pattern>/admin_side/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>ROLE_ADMIN</role-name>
</auth-constraint>
<user-data-constraint>
<description/>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>UserConstraint</display-name>
<web-resource-collection>
<web-resource-name>ROLE_USER</web-resource-name>
<description/>
<url-pattern>/user_side/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>ROLE_USER</role-name>
</auth-constraint>
<user-data-constraint>
<description/>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
使用这些元素,
<http-method>GET</http-method> <http-method>POST</http-method>
我希望不允许所有其他HTTP方法.
但是,GlassFish Server 4.1会在服务器终端上记录以下警告.
Warning: JACC: For the URL pattern
/user_side/*,all but the
following methods were uncovered: POST,GETWarning: JACC: For the URL pattern
/admin_side/*,GET
这是什么意思?
而不是在所有< security-constraint>中完成它.元素,可以全局配置,以便它可以应用于应用程序中的所有资源,并且可以省略除GET和POST HTTP请求之外的所有资源,即全局应用于应用程序 – 可能通过使用更通用的专用URL模式,如/ *?
有一个例子here.
06002
the above element indicates that the resource referenced by the url
pattern /test.jsp,when accessed by all the http-methods except GET,
should be constrained to be viewed only by authenticated users
belonging to the role dev. Please note that the security constraint
does not apply for the http-method GET,but only for the other
methods (POST,HEAD,PUT,etc).
我发现强文中的最后一句令人困惑.这是否意味着使用GET请求,匿名用户也可以访问给定url-pattern中列出的资源,因为它意味着“安全约束不适用于http-method GET”?
解决方法
What does it mean?
这意味着除了GET和POST之外的所有方法都被发现,意味着不受保护.每个人都可以使用PUT和HEAD等方法访问url pattern / user_side / *而无需身份验证.
<security-constraint>
<web-resource-collection>
<web-resource-name>protected</web-resource-name>
<url-pattern>/user_side/*</url-pattern>
<http-method-omission>GET</http-method-omission>
<http-method-omission>POST</http-method-omission>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
如果您使用的是Servlet 3.1,也可以使用较短的标签:
<deny-uncovered-http-methods/>
Also instead of doing it in all elements,can
this be configured globally so that it can be applied to all resources
in an application and that all except GET and POST HTTP requests can
be omitted i.e. applied globally to an application – perhaps by using
a more generalized url-pattern like /*?
是的,这是可能的.您可以使用url-pattern /包含所有子文件夹.
I found the last sentence in strong text confusing. Does it mean that
using a GET request,resources listed in the given url-pattern can
also be accessible by anonymous users because it means to say,“the
security constraint does not apply for the http-method GET”?
你是对的,这意味着匿名用户可以使用GET方法访问给定的url-pattern.所有其他方法都受到保护.
也可以看看:
> security-constraint url-pattern and the * character within web.xml
> Exclude css & image resources in web.xml Security Constraint
