How to configure url mapping in web.xml to restric

Published 2019-03-21 04:04

Question:

I have a few pages in the following structure.

--Project
  |---WebContect
      |----Admin/ *
      |----Author/ * 
      |----Readonly/ * 
      |----Index.jsp

I want to restrict the user from accessing pages under Admin, Author and Readonly. I don't want anybody to access these pages. And if somebody tries to do so, they should be redirected to index.jsp.

The easiest solution that comes to my mind is using a Filter, but I am trying to find out if it's possible to do this using web.xml.

Answer 1:

If you want that nobody is able to access those pages directly, just put them in /WEB-INF folder.

Project
 `-- WebContect
      |-- WEB-INF
      |    |-- Admin
      |    |-- Author
      |    `-- Readonly
      `-- Index.jsp

This way the pages are not publicly accessible, but only by a servlet which performs a forward. When the end user attempts to access it directly, all he will get is an HTTP 404 error.

An alternative is configuring a role-less <security-constraint>.

<security-constraint>
    <display-name>Restrict direct access to certain folders</display-name>
    <web-resource-collection>
        <web-resource-name>Restricted folders</web-resource-name>
        <url-pattern>/Admin/*</url-pattern>
        <url-pattern>/Author/*</url-pattern>
        <url-pattern>/Readonly/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

When the end user attempts to access them, all he will get is an HTTP 403 error.

Either way, it isn't possible to redirect the end user to index.jsp this way. Only a Filter can do that. You could configure the index.jsp as the error page location for 404 or 403:

<error-page>
    <error-code>404</error-code>
    <location>/index.jsp</location>
</error-page>

But this would cover all 404's (or 403's), not sure if that is what you want.
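The Filter this answer refers to, as an added example that is not part of the original answers: a Servlet 3.0 filter (the class name RestrictedFolderFilter is my own choice) mapped to the three folders from the question, which redirects every direct request to /index.jsp instead of serving the page.

```java
import java.io.IOException;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Blocks direct browser requests to the restricted folders and sends the
 * user to index.jsp instead (example code, not from the original answers).
 * The container only invokes the filter for paths matching urlPatterns, so
 * no manual prefix checks are needed. Restricting dispatcherTypes to REQUEST
 * means a server-side forward from one of your own servlets into these
 * folders is still allowed, mirroring the WEB-INF approach above.
 */
@WebFilter(urlPatterns = {"/Admin/*", "/Author/*", "/Readonly/*"},
           dispatcherTypes = {DispatcherType.REQUEST})
public class RestrictedFolderFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to initialise.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Redirect relative to the context path so the app works under any mount point.
        response.sendRedirect(request.getContextPath() + "/index.jsp");
        // chain.doFilter() is deliberately not called: the restricted page is never served.
    }

    @Override
    public void destroy() {
        // Nothing to clean up.
    }
}
```

Unlike the error-page mapping, this only affects the three folders, so other 404s and 403s keep their normal handling.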



Answer 2:

Have you tried this? (sample for URL mapping)

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- These are the groups in AD -->
        <role-name>Engineering</role-name>
        <role-name>Migration Expert</role-name>
        <role-name>Developers</role-name>
    </auth-constraint>
</security-constraint>

<!-- No auth-constraint here: requests under /update/* do not require authentication -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Update Area</web-resource-name>
        <url-pattern>/update/*</url-pattern>
    </web-resource-collection>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Services Portal</realm-name>
</login-config>


Answer 3:

If you want to grant access to pages/folders by role permission, you have to have a security-constraint in your web.xml file:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DESC_OF_FOLDER</web-resource-name>
      <url-pattern>/users/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>REGISTERED_USER_ROLE</role-name>
    </auth-constraint>
  </security-constraint>

The role can be acquired by this code if you are using standard JAAS authentication:

// getUserPrincipal() returns null for an unauthenticated request, so the
// Principal itself must be checked before calling getName() on it.
if (request.getUserPrincipal() != null) {
    String userName = request.getUserPrincipal().getName().trim();
    .....

    // Role names are the ones declared in <auth-constraint> / <security-role>.
    if (request.isUserInRole("REGISTERED_USER_ROLE")) {
        .....
    }
}

Hope this helps

UPDATE

And for the redirection to the login page, you should also have something like this in the web.xml:

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>