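ServletSecurity annotation is applied to all servlets added programmatically. Why?
According to the Servlet 3.0 specification: "The @ServletSecurity annotation is not applied to the url-patterns of a ServletRegistration created using the addServlet(String, Servlet) method of the ServletContext interface, unless the Servlet was constructed by the createServlet method of the ServletContext interface".
However, when I try this out, the ServletSecurity annotation is being applied to all of the servlets I add in the ServletContextListener.contextInitialized() method.
Listener code: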
    public void contextInitialized(ServletContextEvent e) {
        System.out.println(" ContextInitialized -- start");
        ServletContext ctx = e.getServletContext();
        try {
            // myServlet2: registered by class name, addServlet(String, String)
            ServletRegistration.Dynamic sr2 = ctx.addServlet("myServlet2", "com.example.web.MyServlet1");
            sr2.addMapping("/myServlet2");
            System.out.println("param2 added status : " + sr2.setInitParameter("param2", "value2"));
            sr2.setLoadOnStartup(3);

            // myServlet3: registered by Class object, addServlet(String, Class)
            Class<MyServlet1> myServletClass = (Class<MyServlet1>) Class.forName("com.example.web.MyServlet1");
            ServletRegistration.Dynamic sr3 = ctx.addServlet("myServlet3", myServletClass);
            sr3.addMapping("/myServlet3");
            sr3.setLoadOnStartup(2);
            System.out.println("param3 added status : " + sr3.setInitParameter("param3", "value3"));

            // myServlet4: instance built with createServlet, then addServlet(String, Servlet)
            MyServlet1 myServlet4 = ctx.createServlet(myServletClass);
            ServletRegistration.Dynamic sr4 = ctx.addServlet("myServlet4", myServlet4);
            sr4.addMapping("/myServlet4");
            sr4.setLoadOnStartup(1);
            System.out.println("param4 added status : " + sr4.setInitParameter("param4", "value4"));
        } catch (ClassNotFoundException ex) {
            ex.printStackTrace();
        } catch (ServletException ex) {
            ex.printStackTrace();
        }
        System.out.println(" ContextInitialized -- finish");
    }
Annotation on the servlet:
    @ServletSecurity(
        httpMethodConstraints = {
            @HttpMethodConstraint(
                value = "GET",
                rolesAllowed = {"sme"},
                transportGuarantee = ServletSecurity.TransportGuarantee.NONE // CONFIDENTIAL
            ),
            @HttpMethodConstraint(
                value = "POST",
                rolesAllowed = {"ssme"},
                transportGuarantee = ServletSecurity.TransportGuarantee.NONE // CONFIDENTIAL
            )
        }
    )
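It asks for authentication for all of them.
Any insights would be helpful.
Thanks -Vineet
So the @ServletSecurity annotation should not apply to "myServlet3" in the code above, and any request to the URL "/myServlet3" should be unrestricted. But that is not the case. What am I missing here? – Vineet 2012-07-23 10:42:28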
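
Added example, not part of the original question: in Servlet 3.0 the constraints of a dynamically registered servlet can be stated explicitly with ServletRegistration.Dynamic.setServletSecurity(...), which replaces any constraint derived from @ServletSecurity for that registration's URL patterns, so the outcome does not depend on how the container treats the annotation. The listener class name and the report helper are hypothetical; the servlet class, URLs and roles are the ones from the question.

```java
import java.util.Arrays;
import java.util.Set;
import javax.servlet.HttpConstraintElement;
import javax.servlet.HttpMethodConstraintElement;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;

// Hypothetical listener name; servlet class, URLs and roles come from the question.
public class ExplicitSecurityListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent e) {
        ServletContext ctx = e.getServletContext();
        // Restricted registration: the same per-method rules as the annotation.
        ServletRegistration.Dynamic restricted =
                ctx.addServlet("myServlet2", "com.example.web.MyServlet1");
        restricted.addMapping("/myServlet2");
        ServletSecurityElement rules = new ServletSecurityElement(
                new HttpConstraintElement(), // default for all other methods: permit
                Arrays.asList(
                        new HttpMethodConstraintElement("GET",
                                new HttpConstraintElement(TransportGuarantee.NONE, "sme")),
                        new HttpMethodConstraintElement("POST",
                                new HttpConstraintElement(TransportGuarantee.NONE, "ssme"))));
        report("myServlet2", restricted.setServletSecurity(rules));

        // Open registration: an explicit permit-all element (no roles, no transport guarantee).
        ServletRegistration.Dynamic open =
                ctx.addServlet("myServlet3", "com.example.web.MyServlet1");
        open.addMapping("/myServlet3");
        report("myServlet3", open.setServletSecurity(new ServletSecurityElement()));
    }

    // setServletSecurity returns the URL patterns it left unchanged because a
    // <security-constraint> in the deployment descriptor already targets them exactly.
    private static void report(String name, Set<String> unchanged) {
        if (!unchanged.isEmpty()) {
            System.out.println(name + ": web.xml constraints still apply to " + unchanged);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent e) {
    }
}
```

Mappings must be added before setServletSecurity is called, since the element is applied to the mappings defined on the registration; a non-empty return value means the deployment descriptor, not this code, decides access for those patterns.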