我一直致力于一个简单的jsf安全传输机制,其中配置的https约束在web.xml中设置为机密。现在,我想要做的是选择一个特定页面进行安全传输。我有一个登录页面,将我带到另一个页面。登录页面采用用户名和密码,并应通过安全层传输到ejb,在显示请求的页面之前验证其真实性。现在我使用像/的网址模式面对/ pageToView.xhtml为web.xml中请求的页面,我得到一个有趣的行为,我真的不明白。首先,当我登录时,我的pageToView.xhtml显示没有https,当我点击转到另一个页面ToView2.xhtml我的第一页ToView.xhtml用https重新显示。不仅我导航到的所有其他页面都显示https,即使我没有为安全传输配置它们。我需要知道为特定页面配置安全传输行为的正确方法。提前致谢。
答案 0 :(得分:0)
它似乎是这样的,当你去https,并且你通常会在登录页面上这样做时,你会继续使用https。在我看来,对于安全性要求有限的应用程序来说,这是一个很大的开销,但在研究它时,共识是大风险是会话劫持。所以如果你有2个安全页面登录&购物和所有其他页面都不使用ssl,他们将通过空中/电报以明文形式发送会话cookie,并且可以嗅探cookie。
我认为,如果您的应用服务器前端有一个apache Web服务器,那么您可以使用更多选项,例如在客户端浏览器和apache之间使用https进行某些页面,但在apache和app服务器之间使用http。我很确定你能做到这一点,但我不是专家,也没有尝试过。
前段时间我正在研究这个问题时,我遇到了一个由Glassfish团队编写的过滤器,它应该从https-http降档。我的回忆是,当与容器安全性结合使用时,降低了所有停止工作的东西。
通过一些调整,您可以将其调整到您的环境中,在此示例中,main.xhtml文件是来自web.xml的欢迎文件,其想法是这将是成功登录时加载的页面所以最早的点从https降价 - http。您需要取消注释@WebServlet,使用您自己的日志记录代替Log.log()并检查任何URL /路径名。
在花费任何时间之前请记住,我永远无法使用此功能,建议一直使用https并使用https。
package uk.co.sportquest.jsfbeans.helper;
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright 1997-2008 Sun Microsystems, Inc. All rights reserved.
*
* The contents of this file are subject to the terms of either the GNU General
* Public License Version 2 only ("GPL") or the Common Development and
* Distribution License("CDDL") (collectively, the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy of the
* License at https://glassfish.dev.java.net/public/CDDL+GPL.html or
* glassfish/bootstrap/legal/LICENSE.txt. See the License for the specific
* language governing permissions and limitations under the License.
*
* When distributing the software, include this License Header Notice in each
* file and include the License file at glassfish/bootstrap/legal/LICENSE.txt.
* Sun designates this particular file as subject to the "Classpath" exception
* as provided by Sun in the GPL Version 2 section of the License file that
* accompanied this code. If applicable, add the following below the License
* Header, with the fields enclosed by brackets [] replaced by your own
* identifying information: "Portions Copyrighted [year] [name of copyright
* owner]"
*
* Contributor(s):
*
* If you wish your version of this file to be governed by only the CDDL or only
* the GPL Version 2, indicate your decision by adding "[Contributor] elects to
* include this software in this distribution under the [CDDL or GPL Version 2]
* license." If you don't indicate a single choice of license, a recipient has
* the option to distribute your version of this file under either the CDDL, the
* GPL Version 2 or to extend the choice of license to its licensees as provided
* above. However, if you add GPL Version 2 code and therefore, elected the GPL
* Version 2 license, then the option applies only if the new code is made
* subject to such option by the copyright holder.
*/
import java.io.*;
import java.util.*;
import java.security.*;
import java.util.logging.Logger;
import javax.faces.context.FacesContext;
import javax.security.jacc.*;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;
import uk.co.sportquest.general.Log;
/**
* Filter that downshifts from https to http if the given request came in over
* https, but the target resource does not require any confidentiality
* protection.
*
* @author jluehe
* @author monzillo
*/
//@WebFilter(filterName = "CacheFilterStatic", urlPatterns = {"/faces/secure/main.xhtml"},
// dispatcherTypes = {DispatcherType.FORWARD, DispatcherType.ERROR, DispatcherType.REQUEST, DispatcherType.INCLUDE})
public class MyFilter implements Filter {
private static final CodeSource cs =
new CodeSource(null, (java.security.cert.Certificate[]) null);
private static final ProtectionDomain pd =
new ProtectionDomain(cs, null, null, null);
// private static final Policy policy = Policy.getPolicy();
private static final Policy policy = Policy.getPolicy();
private static final String httpPort = "8080";
@Override
public void init(javax.servlet.FilterConfig filterConfig)
throws ServletException {
//httpPort = filterConfig.getInitParameter("httpPort");
}
@Override
@SuppressWarnings("static-access")
public void doFilter(ServletRequest req, ServletResponse res,
FilterChain filterChain)
throws IOException, ServletException {
if (req.isSecure()) {
HttpServletRequest httpReq = (HttpServletRequest) req;
Permission p = new WebUserDataPermission(httpReq);
p = new WebUserDataPermission(p.getName(), httpReq.getMethod());
//SQLog.log("Filter: " + httpReq.getRequestURI());
boolean isTransportProtected = policy.implies(pd, p) ? false : true;
Log.log();
if (!isTransportProtected) {
// Downshift from https to http, by redirecting to the
// target resource using http
String redirectUrl = "http://" + req.getServerName() + ":"
+ httpPort + httpReq.getRequestURI();
String queryString = httpReq.getQueryString();
if (queryString != null) {
redirectUrl += "?" + queryString;
}
//redirectUrl = "http://localhost:8080/SportQuest/faces/secure/main.xhtml";
Log.log("url: " + redirectUrl);
((HttpServletResponse) res).sendRedirect(redirectUrl);
} else {
// Perform normal request processing
Log.log("normal");
filterChain.doFilter(req, res);
}
} else {
// Perform normal request processing
Log.log("even more normal");
filterChain.doFilter(req, res);
}
}
@Override
public void destroy() {
// Do nothing
}
}