JSF secure transport mechanism

I have been working on a simple JSF secure-transport mechanism where the HTTPS constraint configured in web.xml is set to CONFIDENTIAL. What I want to do now is select one specific page for secure transport. I have a login page that takes me to another page. The login page asks for a username and password, which should be transmitted over the secure layer to an EJB to verify their authenticity, and then the requested page should be displayed. Now, when I request the page as /faces/pageToView.xhtml in web.xml, I get an interesting behaviour that I really don't understand. First, when I log in, my pageToView.xhtml is displayed without https, and when I click to go to another page, pageToView2.xhtml, my pageToView.xhtml is first redisplayed using https. Not only that, all the other pages I navigate to are shown over https as well, even though I did not configure them for secure transport. I need to know the correct way to configure secure-transport behaviour for a specific page. Thanks in advance.
1 Answer
It seems that once you go to https, which you usually do on the login page, you stay on https. For applications with limited security needs I think this is a big overhead, but when researching it, the consensus was that the big risk is session hijacking. So if you have 2 secure pages, login & purchase, and all the other pages don't use SSL, they will be sending the session cookie over the air/wire and the cookie could be sniffed.
I think if you have an Apache web server in front of your application server you have more options, such as using https between the client browser and Apache for certain pages, but http between Apache and the application server. I'm fairly sure you can do this, but I'm not an expert and haven't tried it.
Some time ago, when I was researching this, I came across this filter written by the Glassfish team, which is supposed to downshift from https to http. My recollection is that when it was combined with container security, all the downshifting stuff stopped working.
With some tweaking you can adapt it to suit your environment; in this example the main.xhtml file is the welcome file in web.xml, the idea being that this is the page loaded on a successful login, and therefore the earliest point at which to downshift from https to http. You will need to uncomment @WebServlet, use your own logging in place of Log.log() and check any url/path names.
Before spending any time on this, bear in mind that I never could get this working and would recommend taking the hit and using https all the time.
package uk.co.sportquest.jsfbeans.helper;
/*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright 1997-2008 Sun Microsystems, Inc. All rights reserved.
*
* The contents of this file are subject to the terms of either the GNU General
* Public License Version 2 only ("GPL") or the Common Development and
* Distribution License("CDDL") (collectively, the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy of the
* License at https://glassfish.dev.java.net/public/CDDL+GPL.html or
* glassfish/bootstrap/legal/LICENSE.txt. See the License for the specific
* language governing permissions and limitations under the License.
*
* When distributing the software, include this License Header Notice in each
* file and include the License file at glassfish/bootstrap/legal/LICENSE.txt.
* Sun designates this particular file as subject to the "Classpath" exception
* as provided by Sun in the GPL Version 2 section of the License file that
* accompanied this code. If applicable, add the following below the License
* Header, with the fields enclosed by brackets [] replaced by your own
* identifying information: "Portions Copyrighted [year] [name of copyright
* owner]"
*
* Contributor(s):
*
* If you wish your version of this file to be governed by only the CDDL or only
* the GPL Version 2, indicate your decision by adding "[Contributor] elects to
* include this software in this distribution under the [CDDL or GPL Version 2]
* license." If you don't indicate a single choice of license, a recipient has
* the option to distribute your version of this file under either the CDDL, the
* GPL Version 2 or to extend the choice of license to its licensees as provided
* above. However, if you add GPL Version 2 code and therefore, elected the GPL
* Version 2 license, then the option applies only if the new code is made
* subject to such option by the copyright holder.
*/
import java.io.IOException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.logging.Logger;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Filter that downshifts from https to http if the given request came in over
 * https, but the target resource does not require any confidentiality
 * protection.
 *
 * @author jluehe
 * @author monzillo
 */
//@WebFilter(filterName = "CacheFilterStatic", urlPatterns = {"/faces/secure/main.xhtml"},
//        dispatcherTypes = {DispatcherType.FORWARD, DispatcherType.ERROR, DispatcherType.REQUEST, DispatcherType.INCLUDE})
public class MyFilter implements Filter {

    // java.util.logging replaces the application-specific Log.log() calls of the original.
    private static final Logger LOG = Logger.getLogger(MyFilter.class.getName());

    // An anonymous CodeSource/ProtectionDomain: the JACC policy query below only
    // depends on the permission being checked, not on who is asking.
    private static final CodeSource cs =
            new CodeSource(null, (java.security.cert.Certificate[]) null);
    private static final ProtectionDomain pd =
            new ProtectionDomain(cs, null, null, null);
    private static final Policy policy = Policy.getPolicy();

    // Plain-http port used for the downshift redirect; overridable via the
    // "httpPort" filter init-param.
    private String httpPort = "8080";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String configured = filterConfig.getInitParameter("httpPort");
        if (configured != null) {
            httpPort = configured;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain filterChain)
            throws IOException, ServletException {
        if (!req.isSecure()) {
            // Already plain http: nothing to downshift, perform normal request processing.
            filterChain.doFilter(req, res);
            return;
        }

        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpRes = (HttpServletResponse) res;

        // Build a WebUserDataPermission for this URI and method only (no transport
        // type in the actions). If the container's JACC policy implies it, the
        // resource may be accessed without any transport guarantee, i.e. no
        // CONFIDENTIAL/INTEGRAL constraint applies to it.
        Permission p = new WebUserDataPermission(httpReq);
        p = new WebUserDataPermission(p.getName(), httpReq.getMethod());
        boolean isTransportProtected = !policy.implies(pd, p);
        LOG.fine("Filter: " + httpReq.getRequestURI()
                + " transportProtected=" + isTransportProtected);

        if (isTransportProtected) {
            // Target requires https: perform normal request processing.
            filterChain.doFilter(req, res);
            return;
        }

        // Downshift from https to http by redirecting to the same resource over http.
        StringBuilder redirectUrl = new StringBuilder("http://")
                .append(req.getServerName()).append(':').append(httpPort)
                .append(httpReq.getRequestURI());
        String queryString = httpReq.getQueryString();
        if (queryString != null) {
            redirectUrl.append('?').append(queryString);
        }
        LOG.fine("Downshift redirect: " + redirectUrl);
        httpRes.sendRedirect(redirectUrl.toString());
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
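As an added example (not from the original question or answer), here is the web.xml form of the two choices discussed above: the per-page constraint the asker wanted, and the whole-application constraint the answer recommends, with the session cookie marked Secure and HttpOnly so it is never sent over plain http. The page name login.xhtml and the /faces/* servlet mapping are assumptions; a real deployment keeps only one of the two constraints.

```xml
<!-- Added example, not the original poster's web.xml. Assumes the JSF servlet
     is mapped to /faces/* on a Servlet 3.0 container. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Option 1: the per-page form. Only the login page is forced onto https,
       so the url-pattern must match the full request path including the
       /faces/ prefix. The session cookie issued after login is then sent in
       clear text on every other page, which is the hijacking risk the answer
       describes. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>login-page</web-resource-name>
      <url-pattern>/faces/login.xhtml</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Option 2: the form the answer recommends. Every URL requires https,
       and the container redirects plain-http requests to the https port. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole-application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- With option 2 the session cookie can be marked Secure: the browser will
       never send it over http, so a sniffed plain-http request carries no
       session. HttpOnly keeps it out of reach of page scripts. -->
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
```

Marking the cookie Secure while keeping option 1 would break the http pages, because the container would never see the session on them; that is why the two settings go together.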
I will still be adding more security features to my application, but I still need to know how to send the username and password over SSL without getting the interesting behaviour I mentioned earlier. However, I will try to adapt this filter. – khare 2012-07-08 21:39:00