1. 首頁
  2. 問答
  3. 忽略蜻蜓安全約束

忽略蜻蜓安全約束

2017-11-25 231 views
6

我試圖在野蠅上獲得一個演示web應用程序。 我在standalone.xml定義這個安全域忽略蜻蜓安全約束

<security-domains> 
       <security-domain name="projects" cache-type="default"> 
        <authentication> 
         <login-module code="Database" flag="required"> 
          <module-option name="dsJndiName" value="java:jboss/datasources/TestDS"/> 
          <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM users WHERE username=?"/> 
          <module-option name="hashAlgorithm" value="MD5"/> 
          <module-option name="hashEncoding" value="hex"/> 
          <module-option name="principalsQuery" value="SELECT password from users WHERE username=?"/> 
         </login-module> 
        </authentication> 
        <authorization> 
         <policy-module code="Database" flag="required"> 
          <module-option name="dsJndiName" value="java:jboss/datasources/school"/> 
          <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM users WHERE username=?"/> 
          <module-option name="hashAlgorithm" value="MD5"/> 
          <module-option name="hashEncoding" value="hex"/> 
          <module-option name="principalsQuery" value="SELECT password from users WHERE username=?"/> 
         </policy-module> 
        </authorization> 
       </security-domain>

那麼WEB-INF下,我已經在web.xml

<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1"> 

    <security-constraint> 
    <web-resource-collection> 
     <web-resource-name>projects</web-resource-name> 
     <url-pattern>/twp/projects/*</url-pattern> 
     <http-method>POST</http-method> 
     <http-method>GET</http-method> 
     <http-method>PUT</http-method> 
     <http-method>DELETE</http-method> 
    </web-resource-collection> 
    <auth-constraint> 
     <role-name>ADMINISTRATOR</role-name> 
    </auth-constraint> 
    </security-constraint> 

    <login-config> 
    <auth-method>FORM</auth-method> 
    <realm-name>projects</realm-name> 
    <form-login-config> 
     <form-login-page>/login.xhtml</form-login-page> 
     <form-error-page>/error.xhtml</form-error-page> 
    </form-login-config> 
    </login-config> 
    <security-role> 
    <role-name>ADMINISTRATOR</role-name> 
    </security-role> 
    <security-role> 
    <role-name>USER</role-name> 
    </security-role> 
</web-app>

定義此安全costraints並在jboss-此內容web.xml中

<?xml version="1.0" encoding="UTF-8"?> 
<jboss-web> 
    <security-domain>java:/jaas/projects</security-domain> 

</jboss-web>

的問題是,如果我去/項目URL我不是重定向到登錄頁面,如果約束被忽略了。

來源

2017-11-25 Sindico

+0

你已經保護了'/ twp/projects/*'而不是'/ projects' ... –

+0

我試過了,但它不工作 – Sindico

回答

9

隨着你的配置,它工作正常。在控制檯你這是兩行?:

WARN [io.undertow.servlet] (ServerService Thread Pool -- 7) UT015020: Path /twp/projects/* is secured for some HTTP methods, however it is not secured for [TRACE, HEAD, CONNECT, OPTIONS] 
INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 7) WFLYUT0021: Registered web context: '/test-1.0-SNAPSHOT' for server 'default-server'

如果沒有,你應該把你的配置到corrent部分中的standalone.xml wildfly

首先意味着該路徑被固定和第二個告訴你重複的Web上下文。

http://localhost:8080/test-1.0-SNAPSHOT/twp/projects下的每個網址都將被保護並重定向到登錄頁面。

例如

http://localhost:8080/test-1.0-SNAPSHOT/twp/projects/all

但不

http://localhost:8080/test-1.0-SNAPSHOT/twp/all

我以urn wildfly 11使用:JBoss的:域:安全性:2.0和不鞘翅。

來源

2017-12-03 09:55:05 ddarellis

相關問題

 相關問題