如何在应用程序中为所需页面实现HTTPS?

时间:2011-11-17 09:51:35

标签: java security spring tomcat https

我们正在尝试为我们的应用程序中的某些页面实现HTTPS。因此,我们更改了tomcat server.xml以进行HTTPS调用,如下所示:

<Connector
           port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           acceptCount="100"
           maxKeepAliveRequests="15"
           SSLEnabled="true"
           scheme="https"
           secure="true"
     clientAuth="false" sslProtocol="TLS"
     keystoreFile="/webapps/test.bin"
           keystorePass="test"/>

在应用程序web.xml中:

<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

因此,HTTPS正在申请所有网页。如何限制所需网页的HTTPS。

帮助将不胜感激。

3 个答案:

答案 0 :(得分:4)

Spring Security Interceptor有一个参数requires-channel。将此参数设置为https以对与拦截器匹配的url模式强制执行。

<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.4.xsd
            http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

   <security:http>
       <security:intercept-url pattern="/login" access="permitAll"
           requires-channel="https"/>
   </security:http> 

</bean>

答案 1 :(得分:2)

创建以下类

public class RestHttpRequestFilter implements Filter {

   public void destroy() {

   }

   public void doFilter(ServletRequest servletRequest,
                ServletResponse servletResponse, FilterChain filterChain)
                throws IOException, ServletException {
     // if the ServletRequest is an instance of HttpServletRequest
     if (servletRequest instanceof HttpServletRequest) {
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
            System.out.println(httpServletRequest.getRequestURL());
            if (httpServletRequest.getRequestURL().toString().contains("/user/account")
                        && servletRequest.getProtocol().contains("HTTP")) {
                    throw new ResourceNotFoundException(
                            "The url should be HTTPS");
           }
       filterChain.doFilter(httpServletRequest, servletResponse);
     } else {
           // otherwise, continue on in the chain with the ServletRequest and
           // ServletResponse objects
           filterChain.doFilter(servletRequest, servletResponse);
     }  
     return;
   }

   public void init(FilterConfig filterConfig) throws ServletException {}

}

web.xml条目

    <filter>
        <filter-name>simpleFilter</filter-name>
        <filter-class>RestHttpRequestFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>simpleFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

答案 2 :(得分:1)

简单的解决方案是使用HttpFilter来检查协议和URL模式,并决定是将转发转发给应用程序还是抛出异常,导致用户看到错误页面。

相关问题
最新问题