java - web.xml security : how to get root unrestricted, 但其他所有限制？

Question

我希望能够不受限制地访问 Web 服务器根目录(欢迎页面)上的文件，但是 - 默认情况下 - 限制访问所有解析到子文件夹的 url。

我遇到的问题是，当使用/或/* 作为限制访问的默认匹配项来限制访问时，根文件夹就不能再不受限制了。在根目录下有默认的“index.html”，我想在访问域名时显示它。任何建议表示赞赏。

顺便说一下，我使用的是 jetty 6.1.6

这是我的 web.xml 文件的片段:

<servlet-mapping>
  <servlet-name>SomeServlet</servlet-name>
  <url-pattern>/servlet1</url-pattern>
</servlet-mapping>

<security-constraint>
  <web-resource-collection>
  <web-resource-name>ForbidDefaultAccess</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<security-constraint>
  <web-resource-collection>
  <!-- unauthorized -->      
    <web-resource-name>GrantAccess</web-resource-name>
    <url-pattern>/some_dir/*</url-pattern>
    <url-pattern>/servlet1</url-pattern>
    <url-pattern>/</url-pattern>      
  </web-resource-collection>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>AuthorizedResources</web-resource-name>
    <url-pattern>/cfg/*</url-pattern>
    <url-pattern>/fileupload/*</url-pattern>
    <url-pattern>/list/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>UserRole</role-name>
  </auth-constraint>
</security-constraint>

提前致谢

Answer 1

白名单在 Java J2EE 6 中是可能的

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Disable unneeded HTTP methods by 403 Forbidden them</web-resource-name>
        <url-pattern>*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>HEAD</http-method-omission>
        <http-method-omission>POST</http-method-omission>
        </web-resource-collection>
    <auth-constraint />
</security-constraint>

引用:https://blogs.oracle.com/nithya/entry/new_security_features_in_glassfish