12

相信你们都很好。

我的 Web 应用程序在 tomcat 6.0.43 上运行,并且不要在前面使用 apache 或 nginx。

我已经使用以下命令强制我的网络从 http 重定向到 https:

  1. URL 重定向在 ../webapps/ROOT/index.jsp

<% response.sendRedirect("https://www.epi.com.my/portal/"); %>

  1. ../webapps/myapp/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
  <web-resource-name>Protected Context</web-resource-name>
     <url-pattern>/*</url-pattern>
 </web-resource-collection>
 <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint></security-constraint>

下面在哪里添加这样的代码

标头添加 Strict-Transport-Security "max-age=15768000"

或者是tomcat没有这个功能吗?或者我需要在我的每个 java web 应用程序控制器中进行修改。

4

6 回答 6

27

如果您能够使用 Tomcat 7 或 8,您可以激活内置的 HSTS 过滤器。取消注释httpHeaderSecurity过滤器定义tomcat/conf/web.xml

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
</filter>

并添加一个有用的最大年龄参数:

<init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
</init-param>

不要忘记取消注释过滤器映射:

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
于 2016-03-19T21:05:00.197 回答
18

您可以使用过滤器添加它。将以下代码段添加到 web.xml:

<filter>
    <filter-name>HSTSFilter</filter-name>
    <filter-class>security.HSTSFilter</filter-class>
</filter>

然后在你的 webapp 中创建一个过滤器:

package security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class HSTSFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res,
        FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;

        if (req.isSecure())
            resp.setHeader("Strict-Transport-Security", "max-age=31622400; includeSubDomains");

        chain.doFilter(req, resp);
    }
}

也可以使用全局 web.xml (conf/web.xml) 添加过滤器。

于 2015-05-26T09:50:25.910 回答
2

使用url-rewrite

  1. 创建一个 url-rewrite 配置文件并将其放入您的 Web 应用程序的WEB-INF/classes目录中
  2. 添加一条规则,将该标头添加到所有请求

请注意,这不是 HSTS 特定的:您可以使用 url-rewrite 做任何您想做的事情。

于 2014-12-18T20:45:07.270 回答
2

  1. 只需在jsp scriptlet标签下的jsp中添加此代码

    <%
    response.setHeader("Strict-Transport-Security" ,"max-age=7776000" );
%>

或者

  1. 如果 JBoss 然后在应用程序的 web.xml 中添加以下标签,也可以添加到服务器

    <system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>

    因为<system.webServer>你必须添加 xmlnsi 否则它会抛出解析异常

或者

  1. 您可以做一件事:在您的应用程序中创建一个过滤器并在 web.xml 中配置该应用程序
于 2017-05-05T11:11:42.657 回答
0

在 %TOMCAT_HOME%\conf 文件夹的 web.xml 中

<!-- ================== Built In Filter Definitions ===================== -->
 
<!-- A filter that sets various security related HTTP Response headers.   -->
<!-- This filter supports the following initialization parameters         -->
<!-- (default values are in square brackets):                             -->
<!--                                                                      -->
<!--   hstsEnabled         Should the HTTP Strict Transport Security      -->
<!--                       (HSTS) header be added to the response? See    -->
<!--                       RFC 6797 for more information on HSTS. [true]  -->
<!--                                                                      -->
<!--   hstsMaxAgeSeconds   The max age value that should be used in the   -->
<!--                       HSTS header. Negative values will be treated   -->
<!--                       as zero. [0]                                   -->
<!--                                                                      -->
<!--   hstsIncludeSubDomains                                              -->
<!--                       Should the includeSubDomains parameter be      -->
<!--                       included in the HSTS header.                   -->
<!--                                                                      -->
<!--   antiClickJackingEnabled                                            -->
<!--                       Should the anti click-jacking header           -->
<!--                       X-Frame-Options be added to every response?    -->
<!--                       [true]                                         -->
<!--                                                                      -->
<!--   antiClickJackingOption                                             -->
<!--                       What value should be used for the header. Must -->
<!--                       be one of DENY, SAMEORIGIN, ALLOW-FROM         -->
<!--                       (case-insensitive). [DENY]                     -->
<!--                                                                      -->
<!--   antiClickJackingUri IF ALLOW-FROM is used, what URI should be      -->
<!--                       allowed? []                                    -->
<!--                                                                      -->
<!--   blockContentTypeSniffingEnabled                                    -->
<!--                       Should the header that blocks content type     -->
<!--                       sniffing be added to every response? [true]    -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>hstsEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
  </init-param>
  <init-param>
    <param-name>hstsIncludeSubDomains</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
 
<!-- The mapping for the HTTP header security Filter -->
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
于 2021-06-16T13:48:46.417 回答
-1

如果faizan9689针对 JSP 文件中缺少 HSTS 标头复选标记的解决方案未解决,则添加以下 setHeader 与includeSubDomains此将解决复选标记。

   <%
    response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
   %>
于 2021-05-26T08:57:32.367 回答