Changing JBoss web.xml has no effect
24-09-2019
Question
I just added the following to the web.xml on my JBoss server, but it has no effect. I can still connect to the port that does not use two-way certificate exchange. Does anyone have an idea?
<!-- Force SSL for entire site as described here: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<security-constraint>
    <!-- defines resources to be protected (in this case everything) -->
    <web-resource-collection>
        <!-- name for the resource, can be anything you like -->
        <!-- Question: is this referenced anywhere else? -->
        <web-resource-name>Entire Application</web-resource-name>
        <!-- protect the entire application -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- defines protection level for protected resource -->
    <user-data-constraint>
        <!-- data cannot be observed or changed -->
        <!-- how it works in tomcat: -->
        <!-- if (set to integral or confidential && not using ssl) -->
        <!-- redirect sent to client, redirecting them to same url -->
        <!-- but using the port defined in the redirect port -->
        <!-- attribute in the <Connector> element of server.xml -->
        <!-- default is 443, so in other words user is redirected -->
        <!-- to same page using ssl. -->
        <!-- BUT it is different for JBOSS!! See this link: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <!-- Client-side SSL certificate based authentication. The cert is passed to the server to authenticate -->
    <!-- I am pretty sure that CLIENT-CERT should have a dash NOT an underscore see: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg139845.html -->
    <!-- CLIENT-CERT uses a client's AND server's certificates. See: http://monduke.com/2006/01/19/the-mysterious-client-cert/ -->
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
Update
Actually, it seems I made a mistake in the original post.
The web.xml does block users from connecting to the web service over HTTP (port C below). However, users are still allowed to connect to the port that does not force them to authenticate (port B). I think users should be able to connect to port A (which has clientAuth="true"), but I don't think people should be able to connect to port B (which has clientAuth="false").
Excerpt from server.xml
<Connector port="<A>" ... SSLEnabled="true"
    ...
    scheme="https" secure="true" clientAuth="true"
    keystoreFile="... .keystore"
    keystorePass="pword"
    truststoreFile="... .keystore"
    truststorePass="pword"
    sslProtocol="TLS"/>
<Connector port="<B>" ... SSLEnabled="true"
    ...
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="... .keystore"
    keystorePass="pword" sslProtocol="TLS"/>
<Connector port="<C>" ...
    />
Solution
I assume port <C> is HTTP; since you have configured <transport-guarantee>CONFIDENTIAL</transport-guarantee>, port <C> is blocked.
Port <B> does use SSL, which satisfies <transport-guarantee>CONFIDENTIAL</transport-guarantee>, so it is not blocked.
Your web.xml configuration is missing a few elements. You do not have any authorization constraint on the web resource. So when you access it from port <B>, even though you are not authenticated, you are still authorized to access the resource, because you have not put any authorization constraint on it.
You need a <security-role> containing the <role-name> that may access this application.
In the <security-constraint>, the <web-resource-collection> should have an <auth-constraint> that states which <role-name> is allowed access; everyone else will be restricted.
The roles configured above are Java EE roles. The container (JBoss) needs to be configured to map the authenticated roles to Java EE roles.
References:
http://java.sun.com/javaee/5/docs/tutorial/doc/bncbe.html
http://community.jboss.org/wiki/rolempappingloginmodule
Copy of the updated web.xml
<!-- Force SSL for entire site as described here: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<security-constraint>
    <!-- defines resources to be protected (in this case everything) -->
    <web-resource-collection>
        <!-- name for the resource, can be anything you like -->
        <!-- Question: is this referenced anywhere else? -->
        <web-resource-name>Entire Application</web-resource-name>
        <!-- protect the entire application -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Authorized Roles</description>
        <role-name>ALL_AUTHENTICATED</role-name>
    </auth-constraint>
    <!-- defines protection level for protected resource -->
    <user-data-constraint>
        <!-- data cannot be observed or changed -->
        <!-- how it works in tomcat: -->
        <!-- if (set to integral or confidential && not using ssl) -->
        <!-- redirect sent to client, redirecting them to same url -->
        <!-- but using the port defined in the redirect port -->
        <!-- attribute in the <Connector> element of server.xml -->
        <!-- default is 443, so in other words user is redirected -->
        <!-- to same page using ssl. -->
        <!-- BUT it is different for JBOSS!! See this link: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <!-- Client-side SSL certificate based authentication. The cert is passed to the server to authenticate -->
    <!-- I am pretty sure that CLIENT-CERT should have a dash NOT an underscore see: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg139845.html -->
    <!-- CLIENT-CERT uses a client's AND server's certificates. See: http://monduke.com/2006/01/19/the-mysterious-client-cert/ -->
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
    <description>All authenticated users</description>
    <role-name>ALL_AUTHENTICATED</role-name>
</security-role>
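The gap the answer describes (a <security-constraint> that carries a transport guarantee but no <auth-constraint>, so any client that reaches a TLS connector is authorized whether or not it authenticated) is easy to miss by eye in a long descriptor. The following script is an added example, not code from the question or the answer: it parses a web.xml, reports for every <security-constraint> whether an <auth-constraint> is present, which roles it names, and whether those roles are declared in a <security-role>. The two descriptors embedded in it are constructed for the example and mirror the before/after web.xml above; the function assumes the descriptor is wrapped in a <web-app> root, with or without the Java EE namespace.

```python
"""Audit <security-constraint> elements in a web.xml.

Added example, not code from the question or answers. A constraint with no
<auth-constraint> enforces only its transport guarantee: an unauthenticated
client on a TLS connector is still authorized for the resource.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace ({uri}name -> name) so the audit works whether
    or not the descriptor declares the Java EE namespace."""
    return tag.rsplit("}", 1)[-1]


def _text(el):
    return (el.text or "").strip()


def audit_web_xml(xml_text):
    """Return one finding dict per <security-constraint> in the descriptor."""
    root = ET.fromstring(xml_text)
    for el in root.iter():          # normalise tags to their local names
        el.tag = _local(el.tag)

    declared_roles = {_text(r) for r in root.findall("security-role/role-name")}
    auth_method = (root.findtext("login-config/auth-method") or "").strip()
    findings = []
    for sc in root.findall("security-constraint"):
        patterns = [_text(p) for p in sc.findall("web-resource-collection/url-pattern")]
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        auth = sc.find("auth-constraint")
        # No <auth-constraint> at all: everyone is authorized. An empty
        # <auth-constraint/> is the opposite case (nobody is authorized).
        roles = [] if auth is None else [_text(r) for r in auth.findall("role-name")]
        undeclared = [r for r in roles if r != "*" and r not in declared_roles]
        findings.append({
            "url_patterns": patterns,
            "transport_guarantee": guarantee,
            "auth_method": auth_method,
            "has_auth_constraint": auth is not None,
            "roles": roles,
            "undeclared_roles": undeclared,
            "open_to_unauthenticated": auth is None,
        })
    return findings


def report(xml_text):
    """Human-readable summary of the audit for one descriptor."""
    lines = []
    for f in audit_web_xml(xml_text):
        status = ("OPEN (no auth-constraint)" if f["open_to_unauthenticated"]
                  else "roles " + ",".join(f["roles"]))
        lines.append(f"{','.join(f['url_patterns'])}: transport={f['transport_guarantee']} "
                     f"auth={f['auth_method']} -> {status}")
        if f["undeclared_roles"]:
            lines.append("  warning: roles not declared in <security-role>: "
                         + ", ".join(f["undeclared_roles"]))
    return "\n".join(lines)


# Constructed samples: the descriptor from the question (no auth-constraint)
# and the corrected one from the answer, each wrapped in a <web-app> root.
BEFORE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

AFTER = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ALL_AUTHENTICATED</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
  <security-role><role-name>ALL_AUTHENTICATED</role-name></security-role>
</web-app>"""

if __name__ == "__main__":
    print("before:\n" + report(BEFORE))
    print("after:\n" + report(AFTER))
```

Run it against a real descriptor with `report(open("web.xml").read())`; the script only reads web.xml, so the role-mapping side (the JBoss login module that turns an authenticated client certificate into the Java EE role) still has to be checked on the container.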
In security there are two things: authentication and authorization.
Authentication: the act of verifying that a user is the subject and granting the user certain principals; "who you are."
Authorization: the act of verifying whether a user is allowed to access a certain resource; "what you may do."
<auth-method> tells how to authenticate the user, i.e. how to ask who you are. If the user has no client certificate, he is an unauthenticated user. It says nothing about what the user may do.
<auth-constraint>, however, is what you may do. If you put an <auth-constraint>, then only the roles mentioned there can access the corresponding web resource. You can still have users who are unauthenticated but authorized to access some resources, if you do not restrict those resources.
Other tips
Have you reloaded the web application since making the change?