我刚把它添加到我的JBOSS服务器上的web.xml中。但它没有效果。我仍然可以连接到不使用双向证书交换的端口。有人有想法吗?
<!-- Force SSL for entire site as described here: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<security-constraint>
<!-- defines resources to be protected (in this case everything)-->
<web-resource-collection>
<!-- name for the resource, can be anything you like -->
<!-- Question: is this referenced anywhere else? -->
<web-resource-name>
Entire Application
</web-resource-name>
<!-- protect the entire application -->
<url-pattern>
/*
</url-pattern>
</web-resource-collection>
<!-- defines protection level for protected resource -->
<user-data-constraint>
<!-- data cannot be observed or changed -->
<!-- how it works in tomcat: -->
<!-- if (set to integral or confidential && not using ssl) -->
<!-- redirect sent to client, redirecting them to same url -->
<!-- but using the port defined in the redirect port -->
<!-- attribute in the <Connector> element of server.xml -->
<!-- default is 443, so in other words user is redirected -->
<!-- to same page using ssl. -->
<!-- BUT it is differnt for JBOSS!! See this link: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<transport-guarantee>
CONFIDENTIAL
</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<!-- Client-side SSL certificate based authentication. The cert is passed to the server to authenticate -->
<!-- I am pretty sure that CLIENT-CERT should have a dash NOT an underscore see: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg139845.html -->
<!-- CLIENT-CERT uses a client's AND server's certificates. See: http://monduke.com/2006/01/19/the-mysterious-client-cert/ -->
<auth-method>
CLIENT-CERT
</auth-method>
</login-config>
实际上我似乎在原始帖子中犯了错误。
web.xml确实阻止用户使用http(下面的端口C)连接到webservice。但是,仍然允许用户连接到不强制用户自己进行身份验证的端口(端口B)。我认为用户应该能够连接到端口A(它有clientAuth="true"),但我不认为人们应该能够连接到端口B(它有clientAuth="false")。
摘自server.xml
<Connector port="<A>" ... SSLEnabled="true"
...
scheme="https" secure="true" clientAuth="true"
keystoreFile="... .keystore"
keystorePass="pword"
truststoreFile="... .keystore"
truststorePass="pword"
sslProtocol="TLS"/>
<Connector port="<B>" ... SSLEnabled="true"
...
scheme="https" secure="true" clientAuth="false"
keystoreFile="... .keystore"
keystorePass="pword" sslProtocol = "TLS" />
<Connector port="<C>" ...
/>
答案 0 :(得分:1)
您是否在进行更改后重新加载了Web应用程序?
答案 1 :(得分:1)
我假设端口<C>是HTTP,因为您已配置<transport-guarantee> CONFIDENTIAL </transport-guarantee>,因此端口<C>被阻止。
端口<B>确实使用满足<transport-guarantee> CONFIDENTIAL </transport-guarantee>的SSL,因此不会被阻止。
您缺少web.xml配置中的少数元素。您的Web资源没有任何授权限制。因此,当您从端口<B>访问时,即使您没有通过身份验证,您仍然有权访问资源,因为您没有对资源进行任何身份验证限制。
您需要拥有可以访问此应用程序的<security-role>包含<role-name>的列表。
<security-constraint>的{{1}} <web-resource-collection>应该<auth-constraint>告诉哪个<role-name>可以访问,其他人将被限制。
上面配置的角色是Java EE角色。 需要配置容器(JBoss)以将经过身份验证的角色映射到Java EE角色。
参考:
http://java.sun.com/javaee/5/docs/tutorial/doc/bncbe.html
http://community.jboss.org/wiki/RoleMappingLoginModule
更新了上述web.xml的副本
<!-- Force SSL for entire site as described here: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<security-constraint>
<!-- defines resources to be protected (in this case everything)-->
<web-resource-collection>
<!-- name for the resource, can be anything you like -->
<!-- Question: is this referenced anywhere else? -->
<web-resource-name>
Entire Application
</web-resource-name>
<!-- protect the entire application -->
<url-pattern>
/*
</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>Authorized Roles</description>
<role-name>ALL_AUTHENTICATED</role-name>
</auth-constraint>
<!-- defines protection level for protected resource -->
<user-data-constraint>
<!-- data cannot be observed or changed -->
<!-- how it works in tomcat: -->
<!-- if (set to integral or confidential && not using ssl) -->
<!-- redirect sent to client, redirecting them to same url -->
<!-- but using the port defined in the redirect port -->
<!-- attribute in the <Connector> element of server.xml -->
<!-- default is 443, so in other words user is redirected -->
<!-- to same page using ssl. -->
<!-- BUT it is differnt for JBOSS!! See this link: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<transport-guarantee>
CONFIDENTIAL
</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<!-- Client-side SSL certificate based authentication. The cert is passed to the server to authenticate -->
<!-- I am pretty sure that CLIENT-CERT should have a dash NOT an underscore see: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg139845.html -->
<!-- CLIENT-CERT uses a client's AND server's certificates. See: http://monduke.com/2006/01/19/the-mysterious-client-cert/ -->
<auth-method>
CLIENT-CERT
</auth-method>
</login-config>
<security-role>
<description>All authenticated users</description>
<role-name>ALL_AUTHENTICATED</role-name>
</security-role>
在安全性方面,有两件事,即身份验证和授权。
身份验证:验证用户是主题并授予用户某些主体的行为; “你是谁。”
授权:验证用户是否可以访问某个资源的行为; “你可以做什么。”
<auth-method>告诉您如何对用户进行身份验证或如何询问您的身份。如果用户没有客户端证书,则他是未经身份验证的用户。它没有说明用户可以做什么。
但是<auth-constraint>是你可以做的。如果您放置<auth-constraint>,那么只有那里提到的角色可以访问相应的Web资源。如果资源不受限于certian角色,您仍然可以拥有未经过身份验证但有权访问某些资源的用户。