1. web.xml中配置
<security-constraint>
<web-resource-collection>
<web-resource-name>jsp constraint</web-resource-name>
<url-pattern>/pages/*</url-pattern>
<!--<http-method>POST</http-method>-->
<http-method>GET</http-method>
<!--<http-method>HEAD</http-method>-->
<!--<http-method>PUT</http-method>-->
<!--<http-method>DELETE</http-method>-->
<!--<http-method>TRACE</http-method>-->
<!--<http-method>CONNECT</http-method>-->
<!--<http-method>OPTIONS</http-method>-->
</web-resource-collection>
<auth-constraint>
<role-name>manager</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>ServletJsp manager Application</realm-name>
<!--<auth-method>FORM</auth-method>-->
<!--<realm-name>ServletJsp manager Application</realm-name>-->
<!--<form-login-config>-->
<!--<form-login-page>/WEB-INF/pages/chapter15/CheckLogin.jsp</form-login-page>-->
<!--<form-error-page>/WEB-INF/pages/chapter15/CheckError.jsp</form-error-page>-->
<!--</form-login-config>-->
</login-config>
<security-role>
<description>The role that is required to log in to the Manager
Application
</description>
<role-name>manager</role-name>
</security-role>
解释:HTTP GET方法只允许manager角色的用户访问,其他方法不受限制
2. 注解配置(需要与<login-config>配置配合使用)
1)上个配置对应的某个servlet的等价注解配置为:
@SecurityConstraint(httpMethodConstraint=@HttpMethodConstrain(value = "GET", rollsAllowed = "manager"))
注解解释:HTTP GET方法只允许manager角色的用户访问,其他方法不受限制
@SecurityConstraint(httpMethodConstraint=@HttpMethodConstrain(value = "GET"))
注解解释:HTTP GET方法只允许任何角色的用户访问,其他方法不受限制
@SecurityConstraint(value = @HttpConstraint(rollsAllowed = "manager")
注解解释:HTTP方法只允许manager角色的用户访问