2012-07-07 94 views
1

I have been working on a simple JSF secure transport mechanism where the https constraint configured in web.xml is set to CONFIDENTIAL. What I want to do now is select one specific page for secure transport. I have a login page that takes me to another page. The login page takes a username and password, and these should be sent over the secure layer to an EJB to be authenticated, after which the requested page is displayed. Now, when I request the page in web.xml as /faces/pageToView.xhtml, I get a funny behaviour that I really don't understand. First, when I log in, my pageToView.xhtml is displayed without https, and when I click to go to another page, pageToView2.xhtml, my pageToView.xhtml is first re-displayed with https. Not only that, all the other pages I navigate to are displayed with https, even though I did not configure them for secure transport. I need to know the correct way to configure the secure transport behaviour for a specific page. Thanks in advance.

jsf secure transport mechanism

Answer

0

It seems that once you go to https, which you usually do on the login page, you stay on https. For an application with limited security needs I think this is a lot of overhead, but when I researched it the consensus was that the big risk is session hijacking. So if you have 2 secure pages, login & shopping, and all the other pages don't use SSL, they will send the session cookie over the air/wire and the cookie can be sniffed.

I think if you have an Apache web server in front of your application server you have more options, such as using https between the client browser and Apache for certain pages but http between Apache and the application server. I am fairly sure you can do that, but I am not an expert and have not tried it.

A while ago, while researching this, I came across this filter written by the Glassfish team which is supposed to downshift from https to http. My recollection is that when it was used together with container security, all sorts of things stopped working.

With some tweaking you could adapt it to your environment. In this example the main.xhtml file is the welcome file in web.xml, the idea being that it is the page loaded on a successful login and therefore the earliest point at which to downshift from https to http. You need to uncomment the @WebServlet, use your own logging in place of Log.log() and check any url/path names.

Before spending any time on this, bear in mind that I never could get it working and would suggest taking the hit and using https all the time.

package uk.co.sportquest.jsfbeans.helper;

/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright 1997-2008 Sun Microsystems, Inc. All rights reserved.
 *
 * The contents of this file are subject to the terms of either the GNU General
 * Public License Version 2 only ("GPL") or the Common Development and
 * Distribution License("CDDL") (collectively, the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy of the
 * License at https://glassfish.dev.java.net/public/CDDL+GPL.html or
 * glassfish/bootstrap/legal/LICENSE.txt. See the License for the specific
 * language governing permissions and limitations under the License.
 *
 * When distributing the software, include this License Header Notice in each
 * file and include the License file at glassfish/bootstrap/legal/LICENSE.txt.
 * Sun designates this particular file as subject to the "Classpath" exception
 * as provided by Sun in the GPL Version 2 section of the License file that
 * accompanied this code. If applicable, add the following below the License
 * Header, with the fields enclosed by brackets [] replaced by your own
 * identifying information: "Portions Copyrighted [year] [name of copyright
 * owner]"
 *
 * Contributor(s):
 *
 * If you wish your version of this file to be governed by only the CDDL or only
 * the GPL Version 2, indicate your decision by adding "[Contributor] elects to
 * include this software in this distribution under the [CDDL or GPL Version 2]
 * license." If you don't indicate a single choice of license, a recipient has
 * the option to distribute your version of this file under either the CDDL, the
 * GPL Version 2 or to extend the choice of license to its licensees as provided
 * above. However, if you add GPL Version 2 code and therefore, elected the GPL
 * Version 2 license, then the option applies only if the new code is made
 * subject to such option by the copyright holder.
 */
import java.io.IOException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import uk.co.sportquest.general.Log;

/**
 * Filter that downshifts from https to http if the given request came in over
 * https, but the target resource does not require any confidentiality
 * protection.
 *
 * @author jluehe
 * @author monzillo
 */

//@WebFilter(filterName = "CacheFilterStatic", urlPatterns = {"/faces/secure/main.xhtml"},
//        dispatcherTypes = {DispatcherType.FORWARD, DispatcherType.ERROR,
//                           DispatcherType.REQUEST, DispatcherType.INCLUDE})
public class MyFilter implements Filter {

    // An unsigned, location-less CodeSource / ProtectionDomain, so that the
    // JACC policy decision depends only on the web.xml security constraints.
    private static final CodeSource cs =
            new CodeSource(null, (java.security.cert.Certificate[]) null);
    private static final ProtectionDomain pd =
            new ProtectionDomain(cs, null, null, null);
    private static final Policy policy = Policy.getPolicy();
    // Plain-http port to redirect to; could be read from filter init-params.
    private static final String httpPort = "8080";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        //httpPort = filterConfig.getInitParameter("httpPort");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain filterChain)
            throws IOException, ServletException {

        if (req.isSecure()) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            // Ask the JACC policy whether unprotected (non-TLS) access to this
            // URI and HTTP method is permitted. If it is, the resource has no
            // CONFIDENTIAL/INTEGRAL user-data constraint in web.xml.
            Permission p = new WebUserDataPermission(httpReq);
            p = new WebUserDataPermission(p.getName(), httpReq.getMethod());
            boolean isTransportProtected = !policy.implies(pd, p);
            Log.log("Filter: " + httpReq.getRequestURI()
                    + " transportProtected=" + isTransportProtected);
            if (!isTransportProtected) {
                // Downshift from https to http by redirecting to the same
                // target resource (including its query string) over http.
                String redirectUrl = "http://" + req.getServerName() + ":"
                        + httpPort + httpReq.getRequestURI();
                String queryString = httpReq.getQueryString();
                if (queryString != null) {
                    redirectUrl += "?" + queryString;
                }
                //redirectUrl = "http://localhost:8080/SportQuest/faces/secure/main.xhtml";
                Log.log("url: " + redirectUrl);
                ((HttpServletResponse) res).sendRedirect(redirectUrl);
            } else {
                // Resource requires a protected transport: normal processing
                Log.log("normal");
                filterChain.doFilter(req, res);
            }
        } else {
            // Request already came in over plain http: normal processing
            Log.log("even more normal");
            filterChain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() {
        // Do nothing
    }
}
+0
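For comparison, here is an added web.xml example (not from the question or the answer) showing the two configurations discussed above side by side: a constraint that protects only the login page, which leaves the session cookie travelling over plain http afterwards, and the whole-application constraint the answer recommends, with the session cookie marked Secure and HttpOnly. The page names and the Servlet 3.0 descriptor version are assumptions; a deployed web.xml would carry only one of the two constraints.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; page names are assumed, not taken from the question. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Option A: only the login page requires TLS. After login the container
       has already issued JSESSIONID, and every later request to an
       unconstrained page sends that cookie over plain http, which is the
       session-hijacking exposure the answer describes. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login-only</web-resource-name>
      <url-pattern>/faces/login.xhtml</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Option B: require TLS for the whole application ("take the hit and
       use https all the time"). The container redirects any http request
       to https, so there is no longer a need for a downshift filter. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole-app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Servlet 3.0 cookie flags: Secure stops the browser from ever sending
       JSESSIONID over http (even if one page is later left unconstrained),
       HttpOnly keeps it out of reach of page scripts. -->
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>

  <welcome-file-list>
    <welcome-file>faces/secure/main.xhtml</welcome-file>
  </welcome-file-list>
</web-app>
```

With Option B and the Secure flag in place, the funny behaviour from the question (pages flipping between http and https depending on how they were reached) disappears, because every URL in the application is served over one scheme.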

I will still be adding more security features to my application, but I still need to know how to send the username and password over SSL without getting the funny behaviour I mentioned earlier. However, I will try to adapt this filter – khare 2012-07-08 21:39:00