When Tomcat 8 comes up with Liferay, I get the following SEVERE messages.
SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/bg/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.
03-Sep-2015 07:06:00.733 SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/sv/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.
03-Sep-2015 07:06:00.733 SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/zh/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.
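This has no impact on server startup, but I am not sure what is causing it? Any help would be much appreciated.

I am using JSF 2.1 and GlassFish 3.1.2.
I specify a security constraint to block everything: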
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secured Content</web-resource-name>
    <!-- Block all -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- only users with at least one of these roles are allowed to access the secured content -->
  <auth-constraint>
    <role-name>ADMINISTRATOR</role-name>
  </auth-constraint>
</security-constraint>
And I have another one that allows access to a subset of pages and resources:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Open Content</web-resource-name>
    <!-- Allow subscribe -->
    <url-pattern>/subscribe/*</url-pattern>
    <url-pattern>/javax.faces.resource/*</url-pattern>
  </web-resource-collection>
  <!-- No Auth Constraint! -->
</security-constraint>
This works fine. However, is the following
<url-pattern>/javax.faces.resource/*</url-pattern>
the correct way to allow all resources?
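I only did this by looking at the URLs that Facelets injects into the XHTML. Does this approach have security holes?
Thanks.

Using Spring for security, I can get the program working with the following code.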
<intercept-url pattern="/web/admin**/**" access="ROLE_ADMIN" requires-channel="https"/>
<intercept-url pattern="/web/**/" access="ROLE_USER,ROLE_ADMIN" requires-channel="https"/>
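I am currently trying to do this in web.xml, deploying the .war file with JBoss. Below is what I have; the URL pattern is what is causing me problems in the first security constraint. The pages are located in, and named, /web/adminarchive /web/adminsettings /web/adminstuff etc... The Spring code above handles it the way I want, with the URL /web/admin**/** to capture all the admin pages. I commented out the /* part because I know it works, and left only the admin part. Using that structure does not throw any errors; it just does not prompt for login at all.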
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Name</web-resource-name>
    <url-pattern>/web/admin**/**</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ROLE_ADMIN</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Name</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ROLE_USER</role-name>
  </auth-constraint>
</security-constraint>
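
A small lint for the two web.xml issues raised in the questions above, as an added example that is not part of the original posts: it flags url-patterns whose * the Servlet mapping rules treat as a literal character, and resource collections whose http-method list leaves every other method uncovered. The uncovered-method check is simplified to one collection at a time (Tomcat merges constraints per pattern), and the function names and sample input are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the two constraints from the web.xml question above.
SAMPLE = """<web-app>
<security-constraint><web-resource-collection>
  <url-pattern>/web/admin**/**</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection>
<auth-constraint><role-name>ROLE_ADMIN</role-name></auth-constraint>
</security-constraint>
<security-constraint><web-resource-collection>
  <url-pattern>/*</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection>
<auth-constraint><role-name>ROLE_USER</role-name></auth-constraint>
</security-constraint>
</web-app>"""

def local(el):
    """Tag name without an XML namespace prefix."""
    return el.tag.rsplit("}", 1)[-1]

def pattern_kind(p):
    """Classify a url-pattern by the Servlet spec mapping rules."""
    if p.startswith("/") and p.endswith("/*"):
        return "prefix"
    if p.startswith("*."):
        return "extension"
    if p == "/":
        return "default"
    return "exact"  # every other string matches only itself

def lint(xml_text):
    """Return (url-pattern, finding) pairs for a web.xml document."""
    root = ET.fromstring(xml_text)
    # Servlet 3.1: this element makes the container deny unlisted methods.
    deny = any(local(e) == "deny-uncovered-http-methods" for e in root)
    findings = []
    for wrc in (e for e in root.iter() if local(e) == "web-resource-collection"):
        methods = [c.text.strip() for c in wrc if local(c) == "http-method"]
        for p in (c.text.strip() for c in wrc if local(c) == "url-pattern"):
            if pattern_kind(p) == "exact" and "*" in p:
                findings.append((p, "wildcard is literal: exact match only"))
            if methods and not deny:
                findings.append((p, "only %s covered" % " ".join(methods)))
    return findings

if __name__ == "__main__":
    for pattern, finding in lint(SAMPLE):
        print(pattern, "->", finding)
```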