Several security constraints: the last one excluding the previous url-patterns

I need to define security constraints for three different sections of my web application: one for /admin/*, one for /account/*, and a more complex one. This last one should match everything but the previous url-patterns (/* excluding /admin/* and /account/*). How do I create this constraint?

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>AdminPanel</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>AccountPanel</web-resource-name>
            <url-pattern>/account/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>account</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HTTPSOnly</web-resource-name>
            <url-pattern>`/* excluding /admin/*, /account/*`</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>visitor</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
+4
1 answer

You have three different roles defined: admin, account and visitor.

Your first constraint says that only the admin role can access resources under /admin/*.

Your second constraint says that only the account role can access resources under /account/*.

At this point (without the third constraint), imagine that the visitor role (or any other role, for that matter) tries to access something in the admin and account directories. Because of the first two rules, it will not be able to access them. It will only have access to resources outside the admin and account directories.

So, what you want is already achieved with the first two constraints and, in my opinion, you do not need the third one.

+1
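If the purpose of the third constraint is to force HTTPS and require a logged-in role on everything else, it can be written with the plain `/*` pattern; this is an added example, not part of the question or the answer, and it assumes a Servlet-spec container, which applies the constraints defined on the url-pattern that best matches the request URI, so the more specific /admin/* and /account/* constraints take precedence over /* for their own paths:

```xml
<!-- Added example (not from the question or answer): the third constraint
     written with the plain /* pattern. Assumes a Servlet-spec container,
     where the constraint on the best-matching url-pattern is the one
     applied, so /admin/* and /account/* win over /* for their own paths. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>HTTPSOnly</web-resource-name>
        <!-- Covers every URL not claimed by a more specific pattern. -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>visitor</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- Redirects plain HTTP requests to HTTPS for these URLs. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```

Note that a user holding only the admin or account role would then be denied the public pages unless they also hold visitor; `<role-name>*</role-name>` in the auth-constraint admits any role declared in the descriptor instead.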