JavaEE 安全性,访问受限页面:注销的用户被正确重定向。登录用户不是
我的应用程序是一个 Java EE 6 应用程序,在 Glassfish 3.0.1 上运行。
我正在使用 Java EE 安全性和 JDBC 领域。所以我对我的一些网页添加了限制。 我将以下登录配置和安全约束添加到我的 web.xml 中:
<!-- Redirect access of restricted pages to index.jsp -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>jdbc</realm-name>
<form-login-config>
<form-login-page>/index.jsp?login=login</form-login-page>
<form-error-page>/index.jsp?login=error</form-error-page>
</form-login-config>
</login-config>
<!-- Restrict access for deanery related resources -->
<security-constraint>
<display-name>Deanery Constraint</display-name>
<web-resource-collection>
<web-resource-name>Deanery Content</web-resource-name>
<description />
<url-pattern>/deanery/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description />
<role-name>DEANERY</role-name>
</auth-constraint>
</security-constraint>
如果用户注销,这可以正常工作。如果他尝试访问 /deanery/ 中的页面,他会被重定向到 index.jsp(它会重定向到 jsf)。
当用户登录并获得正确的角色时,他可以成功访问受限资源。所以直到这里一切都很好。
现在的问题是:当权限较低的用户(在我的示例中是学生)登录应用程序并尝试访问受限页面时,他不会被重定向到我的 web.xml 中配置的错误页面。相反,他看到的是一个丑陋的 Glassfish 403 页面:
HTTP 状态 403 - 对请求的资源的访问已被拒绝
不幸的是,似乎没有选项可以捕获我的 自定义异常处理程序。它甚至没有显示在我的 server.log 中(尽管我切换到了最好的级别)。
我该怎么做才能将用户重定向到我的错误页面,而不是显示 403 页面?为什么用户没有像注销时那样重定向到index.jsp???
编辑:
只是尝试将带有相应代码的错误页面添加到我的 web.xml 中。
<error-page>
<error-code>403</error-code>
<location>/index.jsp?login=login</location>
</error-page>
没有效果,仍然是 Glassfish 错误页面而不是我自己的。
My app is a Java EE 6 application, running on Glassfish 3.0.1.
I'm using Java EE Security, with a JDBC Realm. So i added restrictions to some of my web pages.
I added the following login-config and security-constraint to my web.xml:
<!-- Redirect access of restricted pages to index.jsp -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>jdbc</realm-name>
<form-login-config>
<form-login-page>/index.jsp?login=login</form-login-page>
<form-error-page>/index.jsp?login=error</form-error-page>
</form-login-config>
</login-config>
<!-- Restrict access for deanery related resources -->
<security-constraint>
<display-name>Deanery Constraint</display-name>
<web-resource-collection>
<web-resource-name>Deanery Content</web-resource-name>
<description />
<url-pattern>/deanery/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description />
<role-name>DEANERY</role-name>
</auth-constraint>
</security-constraint>
This works fine if a user is logged out. If he tries to access a page in /deanery/, he is redirected to the index.jsp (which redirects to jsf).
When a user logs in, getting the right role, he can successfully access the restricted resources. So everything is fine until here.
Now the problem: When a user with lesser rights (in my example a student) logs into the application, and tries to access a restricted page, he is NOT redirected to the error-page thats configured in my web.xml. Instead, he is shown an ugly Glassfish 403 page:
HTTP Status 403 - Access to the requested resource has been denied
Unfortunately, there seems no option to catch the exception in my CustomExceptionHandler. It even isn't shown in my server.log (although i switched to the finest level).
What can i do so the user is redirected to my error page, instead of displaying the 403 page? Why isn't the user redirected to the index.jsp, as he is when he is logged out???
EDIT:
Just tried to add an error-page with the corresponding code to my web.xml.
<error-page>
<error-code>403</error-code>
<location>/index.jsp?login=login</location>
</error-page>
No effect, still the Glassfish error-page instead of my own.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我只是 javaEE 的新手,但我认为问题在于,当用户未经授权时,容器会在 401 HTTP 错误之后重定向用户。 403 错误意味着它知道用户名/密码,但不适合该资源。
所以我会尝试为这个 403 错误编写一个过滤器并手动重定向。或者,如果可能的话,您应该向学生隐藏此页面的链接。
I am just a newbie in javaEE but I think the problem is that the container redirects the users just after a 401 HTTP error, when he is not authorized. 403 Error means the it knows the username/pwd but it is not suitable for that resource.
So I would try to write a filter for this 403 error and redirect manually. Or you should hide the link to this page to students if this is possible.
尝试将 403 错误重定向到与 index.jsp 不同的页面,该页面将显示错误消息。
Try 403 error redirect to different page than index.jsp that will display error message.