how to bypass through Java EE security roles
Here is the example code from my web.xml
<security-constraint&g开发者_如何学运维t;
<display-name>
change password</display-name>
<web-resource-collection>
<web-resource-name>change password</web-resource-name>
<url-pattern>/ResetPassword.html</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>Roles which can access landing page</description>
<role-name>Admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Only user having role "Admin" can access "ResetPassword.html" page.
There is a Java EE API that lets us to test whether current user has access to a specific role or not.
request.isUserInRole("Admin");
My default user "DefUser" is returning false because he has no role assigned and I got 403 error as DefUser cannot asscess "ResetPassword.html" page. Can I make request.isUserInRole("Admin") return true if I login with DefUser? Is there any other way to do it?
I do want to use the security constraints. This is one of the requirements that there could be a user like "DefUser" which should have permission to all pages having no roles assigned to it.
I just want to bypass these security constraints. Is there any way for "DefUser" to access "ResetPassword.html" page?
http://www.imrantariq.com/blog/
Java EE security cannot be by-passed. Otherwise, it would be as useful as a chocolate teapot.
Deploy your application to an application server. Go to the application server's administration and assign your DefUser to the role Admin. If you have other roles, assign your DefUser to those roles as well.
There you go. No bypass required.
Not sure about web.xml, but at least with security annotations on EJBs, if I remember correctly, you can configure each service either to be accessible:
- by any user
- by any authenticated user
- by specific roles
精彩评论