5

我刚刚将它添加到我的 JBOSS 服务器上的 web.xml 中。但它没有任何效果。我仍然可以连接到不使用双向证书交换的端口。有人有想法吗?

<!-- Force SSL for entire site as described here: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<security-constraint>

        <!-- defines resources to be protected (in this case everything)-->
        <web-resource-collection>
                <!-- name for the resource, can be anything you like -->
                <!-- Question: is this referenced anywhere else? -->
                <web-resource-name>
                        Entire Application
                </web-resource-name>

                <!-- protect the entire application -->
                <url-pattern>
                        /*
                </url-pattern>
        </web-resource-collection>



        <!-- defines protection level for protected resource -->
        <user-data-constraint>
                <!-- data cannot be observed or changed                                 -->
                <!-- how it works in tomcat:                                            -->
                <!--    if (set to integral or confidential && not using ssl)           -->
                <!--            redirect sent to client, redirecting them to same url   -->
                <!--            but using the port defined in the redirect port         -->
                <!--            attribute in the <Connector> element of server.xml      -->
                <!--            default is 443, so in other words user is redirected    -->
                <!--            to same page using ssl.                                 -->
                <!-- BUT it is differnt for JBOSS!!  See this link: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
                <transport-guarantee>
                        CONFIDENTIAL
                </transport-guarantee>
        </user-data-constraint>

</security-constraint>

<login-config>

        <!-- Client-side SSL certificate based authentication.  The cert is passed to the server to authenticate -->
        <!-- I am pretty sure that CLIENT-CERT should have a dash NOT an underscore see: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg139845.html -->
        <!-- CLIENT-CERT uses a client's AND server's certificates.  See: http://monduke.com/2006/01/19/the-mysterious-client-cert/ -->
        <auth-method>
                CLIENT-CERT
        </auth-method>     
</login-config>

更新

实际上,看来我在原始帖子中犯了一个错误。

web.xml 确实阻止用户使用 http(下面的端口 C)连接到 web 服务。但是,仍然允许用户连接到不强制用户进行身份验证的端口(端口 B)。我认为用户应该能够连接到端口 A(它有clientAuth="true"),但我不认为人们应该能够连接到端口 B(它有clientAuth="false")。

摘自 server.xml

  <Connector port="<A>" ... SSLEnabled="true"
       ...
       scheme="https" secure="true" clientAuth="true"
       keystoreFile="... .keystore"
       keystorePass="pword"
       truststoreFile="... .keystore"
       truststorePass="pword"
       sslProtocol="TLS"/>

  <Connector port="<B>" ... SSLEnabled="true"
       ...
       scheme="https" secure="true" clientAuth="false"
       keystoreFile="... .keystore"
       keystorePass="pword" sslProtocol = "TLS" />


  <Connector port="<C>" ...
     />
4

2 回答 2

1

我假设端口<C>是 HTTP,并且由于您已配置<transport-guarantee> CONFIDENTIAL </transport-guarantee>因此端口<C>被阻止。

端口<B>确实使用满足的 SSL,<transport-guarantee> CONFIDENTIAL </transport-guarantee>因此它不会被阻止。

.

您的 web.xml 配置中缺少一些元素。您的 Web 资源没有任何授权限制。因此,当您从端口访问时,<B>即使您没有经过身份验证,您仍然有权访问资源,因为您没有在资源上放置任何身份验证约束。

您需要拥有可以访问此应用程序的<security-role>包含列表。<role-name>

<security-constraint>因为<web-resource-collection>应该有<auth-constraint>告诉哪些<role-name>人可以访问,而其他人将受到限制。

上面配置的角色是 Java EE 角色。需要将容器 (JBoss) 配置为将经过身份验证的角色映射到 Java EE 角色。

参考:

http://java.sun.com/javaee/5/docs/tutorial/doc/bncbe.html

http://community.jboss.org/wiki/RoleMappingLoginModule

.

以上 web.xml 的更新副本

<!-- Force SSL for entire site as described here: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<security-constraint>

        <!-- defines resources to be protected (in this case everything)-->
        <web-resource-collection>
                <!-- name for the resource, can be anything you like -->
                <!-- Question: is this referenced anywhere else? -->
                <web-resource-name>
                        Entire Application
                </web-resource-name>

                <!-- protect the entire application -->
                <url-pattern>
                        /*
                </url-pattern>
        </web-resource-collection>

        <auth-constraint>
            <description>Authorized Roles</description>
            <role-name>ALL_AUTHENTICATED</role-name>
        </auth-constraint>


        <!-- defines protection level for protected resource -->
        <user-data-constraint>
                <!-- data cannot be observed or changed                                 -->
                <!-- how it works in tomcat:                                            -->
                <!--    if (set to integral or confidential && not using ssl)           -->
                <!--            redirect sent to client, redirecting them to same url   -->
                <!--            but using the port defined in the redirect port         -->
                <!--            attribute in the <Connector> element of server.xml      -->
                <!--            default is 443, so in other words user is redirected    -->
                <!--            to same page using ssl.                                 -->
                <!-- BUT it is differnt for JBOSS!!  See this link: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
                <transport-guarantee>
                        CONFIDENTIAL
                </transport-guarantee>
        </user-data-constraint>

</security-constraint>

<login-config>

        <!-- Client-side SSL certificate based authentication.  The cert is passed to the server to authenticate -->
        <!-- I am pretty sure that CLIENT-CERT should have a dash NOT an underscore see: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg139845.html -->
        <!-- CLIENT-CERT uses a client's AND server's certificates.  See: http://monduke.com/2006/01/19/the-mysterious-client-cert/ -->
        <auth-method>
                CLIENT-CERT
        </auth-method>     
</login-config>
<security-role>
    <description>All authenticated users</description>
    <role-name>ALL_AUTHENTICATED</role-name>
</security-role>

.

在安全方面有两件事,身份验证和授权。

身份验证:验证用户是否为主体并授予用户某些主体的行为;“你是谁。”

授权:验证用户是否被允许访问某个资源的行为;“你可以做什么。”

<auth-method>告诉如何验证用户或如何询问您是谁。如果用户没有客户端证书,则他是未经身份验证的用户。它没有告诉用户可以做什么。

然而<auth-constraint>,这是你可以做的。如果放<auth-constraint>,则只有其中提到的角色才能访问相应的 Web 资源。如果资源不受某些角色的限制,您仍然可以拥有未经身份验证但有权访问某些资源的用户。

于 2010-03-10T16:37:48.747 回答
1

进行更改后,您是否重新加载了 Web 应用程序?

于 2010-03-04T20:14:34.063 回答