Does Tomcat 7.0.6 already support the ServletSecurity annotation from the Servlet 3.0 specification?
I was trying to use the ServletSecurity annotation of the Servlet 3.0 specification in Tomcat 7.0.6, but it seems that the Tomcat server doesn't scan the ServletSecurity annotation. The code is as follows:
    @WebServlet(name="IndexServlet",urlPatterns={"/index"})
    @DeclareRoles("ROLE_ADMIN")
    @ServletSecurity(value=@HttpConstraint(rolesAllowed="ROLE_ADMIN"),httpMethodConstraints=@HttpMethodConstraint("GET"))
    public class IndexServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
            request.getRequestDispatcher("/WEB-INF/jsp/main.jsp").forward(request, response);
        }
    }
So is there anyone who has tested the ServletSecurity annotation successfully in Tomcat 7? Or does Tomcat 7 not support the ServletSecurity annotation yet?
I was confused by the problem for a few days, so could someone figure it out for me? Any help is appreciated.
Comments (1)
You need to remove
    httpMethodConstraints=@HttpMethodConstraint("GET")
An interesting "feature" in the spec is that constraints are OR - not AND. So if you are requesting /index as a GET, the security constraint passes and the rolesAllowed constraint is ignored. A third-party library like SecurityFilter [ http://securityfilter.sourceforge.net/ ] will probably do a better job at constraint handling as compared to what is provided by the Servlet Spec.
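
An added example, not part of the original answer: a small reflection check that lists the HTTP methods a ServletSecurity annotation leaves open to any caller. It is run against the annotation from the question, the annotation with httpMethodConstraints removed as the answer suggests, and a stricter variant that goes beyond the answer. The class names are hypothetical, and the Servlet 3.0 API jar is assumed to be on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;

// Added example (hypothetical class names): reports which HTTP methods a
// @ServletSecurity annotation permits without any role.
public class ServletSecurityAudit {

    // The annotation as posted in the question: GET is listed with no roles.
    @ServletSecurity(value = @HttpConstraint(rolesAllowed = "ROLE_ADMIN"),
            httpMethodConstraints = @HttpMethodConstraint("GET"))
    static class AsPosted {}

    // The answer's fix: no httpMethodConstraints, so the role covers every method.
    @ServletSecurity(@HttpConstraint(rolesAllowed = "ROLE_ADMIN"))
    static class Fixed {}

    // Stricter variant (not from the page): GET for ROLE_ADMIN only, all other methods denied.
    @ServletSecurity(value = @HttpConstraint(EmptyRoleSemantic.DENY),
            httpMethodConstraints = @HttpMethodConstraint(value = "GET", rolesAllowed = "ROLE_ADMIN"))
    static class GetOnly {}

    static List<String> openMethods(Class<?> c) {
        List<String> open = new ArrayList<String>();
        ServletSecurity s = c.getAnnotation(ServletSecurity.class);
        if (s == null) {
            // web.xml constraints may still apply; they are not inspected here.
            open.add("* (no @ServletSecurity)");
            return open;
        }
        // A method constraint with no roles and the default PERMIT semantic allows everyone.
        for (HttpMethodConstraint m : s.httpMethodConstraints()) {
            if (m.rolesAllowed().length == 0 && m.emptyRoleSemantic() == EmptyRoleSemantic.PERMIT)
                open.add(m.value());
        }
        // value() governs every HTTP method that httpMethodConstraints does not name.
        HttpConstraint d = s.value();
        if (d.rolesAllowed().length == 0 && d.value() == EmptyRoleSemantic.PERMIT)
            open.add("* (all methods not listed)");
        return open;
    }

    public static void main(String[] args) {
        for (Class<?> c : new Class<?>[] {AsPosted.class, Fixed.class, GetOnly.class})
            System.out.println(c.getSimpleName() + " open methods: " + openMethods(c));
    }
}
```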