以下是JSP的安全權限設定:
<security-constraint>
<display-name>ManagerConstraint</display-name>
<web-resource-collection>
<web-resource-name>iBeaconServerPages</web-resource-name>
<description>Pages of iBeacon Project Server</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>Manager</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>TicketCheckerConstarint</display-name>
<web-resource-collection>
<web-resource-name>PagesAboutTicketChecker</web-resource-name>
<description>Pages about Ticket Checker</description>
<url-pattern>/welcomePage.jsp</url-pattern>
<url-pattern>/ticketCheckUsers/*</url-pattern>
<url-pattern>/guestFlowMonitor/*</url-pattern>
<url-pattern>/logoutPage.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>TicketChecker</role-name>
<role-name>Manager</role-name>
</auth-constraint>
</security-constraint>
可以看到,在根目錄下的所有頁面將限制由Manager存取,而/welcomePage.jsp、/ticketCheckUsers/*、/guestFlowMonitor/*和logoutPage.jsp限制由Manager和TicketChecker存取,以上四個頁面在url匹配時會先在TicketCheckerConstarint的權限設定中被匹配到,所以如果不設Manager的話,Manager將無法存取。<display-name>ManagerConstraint</display-name>
<web-resource-collection>
<web-resource-name>iBeaconServerPages</web-resource-name>
<description>Pages of iBeacon Project Server</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>Manager</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>TicketCheckerConstarint</display-name>
<web-resource-collection>
<web-resource-name>PagesAboutTicketChecker</web-resource-name>
<description>Pages about Ticket Checker</description>
<url-pattern>/welcomePage.jsp</url-pattern>
<url-pattern>/ticketCheckUsers/*</url-pattern>
<url-pattern>/guestFlowMonitor/*</url-pattern>
<url-pattern>/logoutPage.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>TicketChecker</role-name>
<role-name>Manager</role-name>
</auth-constraint>
</security-constraint>
問題在於:
當我的welcome-file設置如下時:
<welcome-file-list>
<welcome-file>welcomePage.jsp</welcome-file>
</welcome-file-list>
訪問url為 "http://HostIP/專案名稱" 時Manager和TicketChecker都可以成功被攔截下來,打上帳號密碼後成功存取<welcome-file>welcomePage.jsp</welcome-file>
</welcome-file-list>
但如果welcome-file設置如下時:
<welcome-file-list>
<welcome-file>/welcomePage.jsp</welcome-file>
</welcome-file-list>
訪問url為 "http://HostIP/專案名稱" 時Manager和TicketChecker都可以成功被攔截下來,打上帳號密碼後只有Manager可以成功存取,TicketChecker會得到403的錯誤訊息<welcome-file>/welcomePage.jsp</welcome-file>
</welcome-file-list>
令人不解的是,welcomePage.jsp的確是放在專案的目錄之下的,所有照理說在訪問專案根目錄的URL時,welcome-file設成welcomePage.jsp或/welcomePage.jsp應該是沒有差的才對?可能所學太少,原因目前還是不太清楚
沒有留言 :
張貼留言