It would be very helpful if someone could advise me on enabling the HSTS (HTTP Strict Transport Security) header in Tomcat.
My JIRA application runs on Tomcat, with no Apache or NGINX in front of it.
I want to set the HSTS response header for the JIRA application; please advise how to do this in Tomcat.
Thanks in advance.
Answer 0 (score: 4)
I think this is what you are looking for. I took it from https://bz.apache.org/bugzilla/attachment.cgi?id=30003&action=edit

web.xml fragment:

    <filter>
        <filter-name>HstsFilter</filter-name>
        <filter-class>org.apache.catalina.filters.HstsFilter</filter-class>
        <init-param>
            <param-name>maxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>includeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>HstsFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
Filter class:

    package org.apache.catalina.filters;

    import java.io.IOException;

    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletResponse;

    import org.apache.juli.logging.Log;
    import org.apache.juli.logging.LogFactory;

    /**
     * Adds the Strict-Transport-Security header (RFC 6797) to responses served
     * over TLS. Extends Tomcat's FilterBase, which calls the setters below for
     * each init-param declared in web.xml and supplies the "sm" StringManager
     * used for error messages.
     */
    public class HstsFilter extends FilterBase {

        private static final String HEADER_NAME = "Strict-Transport-Security";
        private static final String MAX_AGE_DIRECTIVE = "max-age=%s";
        private static final String INCLUDE_SUB_DOMAINS_DIRECTIVE = "includeSubDomains";

        private static final Log log = LogFactory.getLog(HstsFilter.class);

        // The default is "0" as recommended in section 11.2 of RFC 6797. A zero
        // max-age tells browsers to drop any cached policy for the host, so the
        // filter protects nothing until maxAgeSeconds is set in web.xml.
        private int maxAgeSeconds = 0;
        private boolean includeSubDomains = false;

        // Complete header value, built once in init()
        private String directives;

        public void setMaxAgeSeconds(int maxAgeSeconds) {
            this.maxAgeSeconds = maxAgeSeconds;
        }

        public void setIncludeSubDomains(boolean includeSubDomains) {
            this.includeSubDomains = includeSubDomains;
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain chain) throws IOException, ServletException {
            // The HSTS header must not be included in HTTP responses conveyed
            // over non-secure transport (RFC 6797 section 7.2). isSecure() is
            // true when the request arrived on a TLS-enabled connector.
            if (request.isSecure() && response instanceof HttpServletResponse) {
                HttpServletResponse res = (HttpServletResponse) response;
                // Add the header before the rest of the chain runs: a header
                // added after the response has been committed is discarded.
                res.addHeader(HEADER_NAME, this.directives);
            }
            chain.doFilter(request, response);
        }

        @SuppressWarnings("boxing")
        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
            super.init(filterConfig);
            if (this.maxAgeSeconds < 0) {
                throw new ServletException(sm.getString(
                        "hsts.invalidParameterValue", this.maxAgeSeconds,
                        "maxAgeSeconds"));
            }
            this.directives = String.format(MAX_AGE_DIRECTIVE, this.maxAgeSeconds);
            if (this.includeSubDomains) {
                // Directives are separated by ";", optionally surrounded by whitespace
                this.directives += (" ; " + INCLUDE_SUB_DOMAINS_DIRECTIVE);
            }
        }

        @Override
        protected Log getLogger() {
            return log;
        }
    }
Check the code at the link I attached.
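Once the filter is in place the remaining question is whether the value it sends is one browsers will honour, since RFC 6797 requires a user agent to ignore the whole header on any syntax violation (missing `max-age`, a duplicate directive, a value on `includeSubDomains`). The checker below is an added example, not code from the answer or from Tomcat; the header strings it is run on are constructed to match what the filter above emits, not captured from a real JIRA instance. Feed it the real value from `curl -sI https://jira.example.org/` (hostname assumed) to check a live deployment.

```python
"""Validate a Strict-Transport-Security field value against RFC 6797 section 6.1."""
import re

# RFC 7230 "token" characters: allowed in directive names and unquoted values.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# max-age takes delta-seconds: one or more digits (optionally quoted).
_DELTA_SECONDS_RE = re.compile(r"^[0-9]+$")

# Constructed inputs, not captured traffic:
FILTER_OUTPUT = "max-age=31536000 ; includeSubDomains"  # HstsFilter with the web.xml above
FILTER_DEFAULT = "max-age=0"                             # HstsFilter with no init-params


def parse_sts(header_value):
    """Return {lower-cased directive name: value or None} for a valid header.

    Raises ValueError on anything that would make a conforming browser discard
    the header: a non-token name, a duplicate directive, a missing or
    non-numeric max-age, or a value given to includeSubDomains. Unknown
    directives (e.g. preload) are kept but not interpreted, per section 8.1.
    """
    directives = {}
    # Directives are separated by ";" with optional surrounding whitespace;
    # the grammar also permits empty directives ("max-age=1;;"), which we skip.
    for raw in header_value.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.lower()
        if not _TOKEN_RE.match(name):
            raise ValueError("directive name is not a token: %r" % name)
        if name in directives:
            raise ValueError("duplicate directive: %s" % name)
        if sep:
            # directive-value = token / quoted-string
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            elif not _TOKEN_RE.match(value):
                raise ValueError("directive value is not a token: %r" % value)
        else:
            value = None
        directives[name] = value

    if "max-age" not in directives:
        raise ValueError("max-age directive is required")
    max_age = directives["max-age"]
    if max_age is None or not _DELTA_SECONDS_RE.match(max_age):
        raise ValueError("max-age must be delta-seconds: %r" % max_age)
    directives["max-age"] = int(max_age)
    if "includesubdomains" in directives and directives["includesubdomains"] is not None:
        raise ValueError("includeSubDomains takes no value")
    return directives


def is_valid_sts(header_value):
    """True if parse_sts accepts the value, False if a browser would ignore it."""
    try:
        parse_sts(header_value)
    except ValueError:
        return False
    return True


def hsts_policy(header_value):
    """Return (max_age_seconds, include_subdomains, active).

    active is False for max-age=0: section 6.1.1 makes a zero max-age an
    instruction to forget any cached policy for the host, which is exactly
    what the filter sends when maxAgeSeconds is left at its default.
    """
    d = parse_sts(header_value)
    return d["max-age"], "includesubdomains" in d, d["max-age"] > 0


if __name__ == "__main__":
    for sample in (FILTER_OUTPUT, FILTER_DEFAULT, "includeSubDomains"):
        if is_valid_sts(sample):
            print("%-40r -> max_age=%d subdomains=%s active=%s" % ((sample,) + hsts_policy(sample)))
        else:
            print("%-40r -> rejected, browsers ignore this header" % sample)
```

The filter's `" ; "` separator is accepted because the grammar allows optional whitespace around `;`; the two cases worth watching for in a real deployment are `max-age=0`, which parses fine but protects nothing, and a second `Strict-Transport-Security` header added by another component, since browsers process only the first one they see.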