request.isuserinrole(“ admin”)也返回对不在角色管理的用户而不是角色用户返回
-
21-09-2019 - |
题
我目前正在尝试Glasshfish V3中的JDBCREALM:我有2个角色用户和管理员。
我有一个基于request.isererinrole(“ admin”)方法的loginservlet,该loginservlet将其重定向到URL(例如 /admin或 /user)。
问题是,当管理员登录时,它返回true,因此将其重定向到 /admin,但他也可以访问 /用户。当用户登录request.isuserinrole(“ admin”)时,也会返回true。 request.isuserinrole(“ nonexistingrole”)返回两个两个。
例如:
request.isuserinrole(“ admin”)+“”“+ request.isuserinrole(“ user”)+“”+ request.isuserinrole(“ nonexistingRole”)
loggedin用户:返回正确的false
loggedin管理员返回true true false
这是我的web.xml的一部分:
<security-constraint>
<display-name>Constraint1</display-name>
<web-resource-collection>
<web-resource-name>adminProtected</web-resource-name>
<description>Administrator restricted area</description>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>ADMIN</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Constraint2</display-name>
<web-resource-collection>
<web-resource-name>userProtected</web-resource-name>
<description>User restricted area</description>
<url-pattern>/user/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>USER</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>Constraint3</display-name>
<web-resource-collection>
<web-resource-name>LoginServlet</web-resource-name>
<description>All restricted area</description>
<url-pattern>/LoginServlet</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>USER</role-name>
<role-name>ADMIN</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>securityJDBC</realm-name>
<form-login-config>
<form-login-page>/login.jsf</form-login-page>
<form-error-page>/login.jsf</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description></description>
<role-name>USER</role-name>
</security-role>
<security-role>
<description></description>
<role-name>ADMIN</role-name>
</security-role>
<servlet>
<description></description>
<display-name>LoginServlet</display-name>
<servlet-name>LoginServlet</servlet-name>
<servlet-class>controllers.LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>LoginServlet</servlet-name>
<url-pattern>/LoginServlet</url-pattern>
</servlet-mapping>
和我的sun-web.xml:
<security-role-mapping>
<role-name>USER</role-name>
<group-name>USER</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>ADMIN</role-name>
<group-name>ADMIN</group-name>
</security-role-mapping>
谢谢!
解决方案
通过确保“分配组”为空的领域设置来修复它。玻璃鱼会从组表中加载它们。
其他提示
乍一看,您的安全映射看起来不错。您的用户映射怎么样?看起来相同的用户名在用户和管理角色上都映射。
不隶属于 StackOverflow