【问题标题】:How to implement HTTPS for desired pages in application?如何在应用程序中为所需页面实现 HTTPS?
【发布时间】:2011-12-31 04:41:24
【问题描述】:

我们正在尝试为应用程序中的某些页面实现 HTTPS。因此,我们更改了 tomcat server.xml 以进行 HTTPS 调用,如下所示:

<Connector
           port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           acceptCount="100"
           maxKeepAliveRequests="15"
           SSLEnabled="true"
           scheme="https"
           secure="true"
     clientAuth="false" sslProtocol="TLS"
     keystoreFile="/webapps/test.bin"
           keystorePass="test"/>

在应用程序 web.xml 中:

<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

所以,HTTPS 正在申请所有页面。如何限制所需页面的 HTTPS。

我们将不胜感激。

【问题讨论】:

标签: java security spring tomcat https


【解决方案1】:

Spring Security Interceptor 有一个参数requires-channel。将此参数设置为 https 以对匹配拦截器的 url 模式强制执行它。

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.4.xsd
            http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

   <security:http>
       <security:intercept-url pattern="/login" access="permitAll"
           requires-channel="https"/>
   </security:http> 

</bean>

【讨论】:

    【解决方案2】:

    创建下面的类

    public class RestHttpRequestFilter implements Filter {
    
       public void destroy() {
    
       }
    
       public void doFilter(ServletRequest servletRequest,
                    ServletResponse servletResponse, FilterChain filterChain)
                    throws IOException, ServletException {
         // if the ServletRequest is an instance of HttpServletRequest
         if (servletRequest instanceof HttpServletRequest) {
            HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
                System.out.println(httpServletRequest.getRequestURL());
                if (httpServletRequest.getRequestURL().toString().contains("/user/account")
                            && servletRequest.getProtocol().contains("HTTP")) {
                        throw new ResourceNotFoundException(
                                "The url should be HTTPS");
               }
           filterChain.doFilter(httpServletRequest, servletResponse);
         } else {
               // otherwise, continue on in the chain with the ServletRequest and
               // ServletResponse objects
               filterChain.doFilter(servletRequest, servletResponse);
         }  
         return;
       }
    
       public void init(FilterConfig filterConfig) throws ServletException {}
    
    }
    

    web.xml 条目

        <filter>
            <filter-name>simpleFilter</filter-name>
            <filter-class>RestHttpRequestFilter</filter-class>
        </filter>
    
        <filter-mapping>
            <filter-name>simpleFilter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
    

    【讨论】:

      【解决方案3】:

      简单的解决方案是使用 HttpFilter 来检查协议和 URL 模式,并决定是将调用转发给应用程序还是抛出会导致用户看到错误页面的异常。

      【讨论】:

      • ok..请您提供详细的解决方案,以便我们了解如何使用httpfilter。
      猜你喜欢
      • 1970-01-01
      • 1970-01-01
      • 2011-02-16
      • 2015-01-22
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2019-09-12
      • 1970-01-01
      相关资源
      最近更新 更多