18

在我当前的 Web 应用程序中,我试图摆脱 web.xml,但我无法正确设置强制对应用程序的所有请求使用 HTTPS 的安全约束。

<security-constraint>
  <web-resource-collection>
     <web-resource-name>all</web-resource-name>
     <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

我怎样才能在 servlet 3.x 配置代码中打开上面的 web.xml 配置片段来做同样的事情?

更新

我希望约束应用于应用程序中的每个 servlet、过滤器和静态资源,到目前为止我在网上看到的示例显示将安全约束附加到 servlet,但我希望将安全约束附加到 Web 应用程序。在上面的 xml 片段中,您会看到它没有引用任何特定的 servlet

4

3 回答 3

13

我相信你正在寻找@ServletSecurity注释

@WebServlet(urlPatterns = "/*")
@ServletSecurity(value = @HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class SomeServlet extends HttpServlet { ... }

或使用ServletRegistrationin a ServletContainerInitializer(或您可以访问 a 的任何地方ServletContext

ServletRegistration.Dynamic dynamic = context.addServlet("someServlet", SomeServlet.class);
dynamic.addMapping("/*");
HttpConstraintElement httpConstraintElement = new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL);
ServletSecurityElement servletSecurityElement = new ServletSecurityElement(httpConstraintElement);
dynamic.setServletSecurity(servletSecurityElement);
于 2013-10-10T14:03:54.747 回答
0

通过配置 glassfish 域安全性,我能够为一个项目做到这一点:

  1. 创建一个新的安全域,在本例中称之为:FooRealm
  2. 将用户 w(或 w/o)密码添加到 FooRealm
  3. 将每个用户添加到“GroupFoo”

这涵盖了您的 glassfish 配置,这是您的 web.xml:

<security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>Everything</web-resource-name>
        <description>Everything</description>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>UserAuthenticationConstraint</description>
        <role-name>GroupFoo</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>FooRealm</realm-name>
    <form-login-config>
        <form-login-page>/Login.jsp</form-login-page>
        <form-error-page>/LoginError.html</form-error-page>
    </form-login-config>
</login-config>
于 2013-10-31T17:17:19.467 回答
0

如果您在部署到 JBoss 或 WildFly(基于 Undertow 的服务器)之后有一个解决方案。

将 ServletContainerInitializer 或 WebApplicationInitializer 添加到您的项目中。

onStartup(Set<Class<?>> c, ServletContext ctx)或者onStartup(ServletContext ctx)

io.undertow.servlet.spec.ServletContextImpl servletContextImpl = (ServletContextImpl) ctx;
io.undertow.servlet.api.Deployment deployment = (DeploymentImpl) servletContextImpl.getDeployment();
DeploymentInfo deploymentInfo = deployment.getDeploymentInfo();
deploymentInfo.addSecurityConstraint(Servlets.securityConstraint()
                    .addRoleAllowed("*")
                    .addWebResourceCollections(Servlets.webResourceCollection().addUrlPattern("/*")));

//auth-mode 
deploymentInfo.setLoginConfig(Servlets.loginConfig("BASIC", null));
//deploymentInfo.setLoginConfig(Servlets.loginConfig("SPNEGO", "SPNEGO"));

deploymentInfo.addSecurityRole("*");
deploymentInfo.setSecurityDisabled(false);

....
 //ur Servlets go here
 ServletRegistration.Dynamic servlet = ctx.addServlet("rwtServlet", "org.eclipse.rap.rwt.engine.RWTServlet");

 servlet.addMapping("/rap");

 ctx.addListener("org.eclipse.rap.rwt.engine.RWTServletContextListener");

注意:确保添加undertow-servlet为编译时依赖

<dependency>
    <groupId>io.undertow</groupId>
    <artifactId>undertow-servlet</artifactId>
    <version>2.0.30.Final</version>
</dependency>
于 2020-04-14T17:35:55.873 回答