java jboss tomcat web-services web.xml
I just added this to the web.xml on my JBOSS server, but it has no effect. I can still connect to the port that does not use two-way certificate exchange. Does anyone have an idea?
<!-- Force SSL for entire site as described here: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<security-constraint>
    <!-- defines resources to be protected (in this case everything)-->
    <web-resource-collection>
        <!-- name for the resource, can be anything you like -->
        <!-- Question: is this referenced anywhere else? -->
        <web-resource-name>Entire Application</web-resource-name>
        <!-- protect the entire application -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- defines protection level for protected resource -->
    <user-data-constraint>
        <!-- data cannot be observed or changed -->
        <!-- how it works in tomcat: -->
        <!-- if (set to integral or confidential && not using ssl) -->
        <!-- redirect sent to client, redirecting them to same url -->
        <!-- but using the port defined in the redirect port -->
        <!-- attribute in the <Connector> element of server.xml -->
        <!-- default is 443, so in other words user is redirected -->
        <!-- to same page using ssl. -->
        <!-- BUT it is different for JBOSS!! See this link: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <!-- Client-side SSL certificate based authentication. The cert is passed to the server to authenticate -->
    <!-- I am pretty sure that CLIENT-CERT should have a dash NOT an underscore see: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg139845.html -->
    <!-- CLIENT-CERT uses a client's AND server's certificates. See: http://monduke.com/2006/01/19/the-mysterious-client-cert/ -->
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
Actually, it seems I made a mistake in the original post.
The web.xml does stop users from connecting to the webservice over http (port C below). However, users are still allowed to connect to the port that does not force them to authenticate themselves (port B). I think users should be able to connect to port A (it has clientAuth="true"), but I don't think people should be able to connect to port B (it has clientAuth="false").
Excerpt from server.xml:
<Connector port="<A>" ... SSLEnabled="true"
           ...
           scheme="https" secure="true" clientAuth="true"
           keystoreFile="... .keystore"
           keystorePass="pword"
           truststoreFile="... .keystore"
           truststorePass="pword"
           sslProtocol="TLS"/>
<Connector port="<B>" ... SSLEnabled="true"
           ...
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="... .keystore"
           keystorePass="pword" sslProtocol="TLS"/>
<Connector port="<C>" ...
           />
I assume port <C> is HTTP, and because you configured <transport-guarantee>CONFIDENTIAL</transport-guarantee>, port <C> is blocked.
Port <B> does use SSL, which satisfies <transport-guarantee>CONFIDENTIAL</transport-guarantee>, so it is not blocked.
Some elements are missing from your web.xml configuration. Your web resource has no authorization restriction. So when you access it from port <B>, even if you are not authenticated, you still have access to the resource, because you have not placed any authentication constraint on it.
You need a <security-role> containing the list of <role-name> entries that may access this application.
The <security-constraint> for the <web-resource-collection> should have an <auth-constraint> telling which <role-name> entries may access it; everyone else will be restricted.
The roles configured above are Java EE roles. The container (JBoss) needs to be configured to map the authenticated roles to the Java EE roles.
References:
http://java.sun.com/javaee/5/docs/tutorial/doc/bncbe.html
http://community.jboss.org/wiki/RoleMappingLoginModule
Updated copy of the web.xml above:
<!-- Force SSL for entire site as described here: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<security-constraint>
    <!-- defines resources to be protected (in this case everything)-->
    <web-resource-collection>
        <!-- name for the resource, can be anything you like -->
        <!-- Question: is this referenced anywhere else? -->
        <web-resource-name>Entire Application</web-resource-name>
        <!-- protect the entire application -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Authorized Roles</description>
        <role-name>ALL_AUTHENTICATED</role-name>
    </auth-constraint>
    <!-- defines protection level for protected resource -->
    <user-data-constraint>
        <!-- data cannot be observed or changed -->
        <!-- how it works in tomcat: -->
        <!-- if (set to integral or confidential && not using ssl) -->
        <!-- redirect sent to client, redirecting them to same url -->
        <!-- but using the port defined in the redirect port -->
        <!-- attribute in the <Connector> element of server.xml -->
        <!-- default is 443, so in other words user is redirected -->
        <!-- to same page using ssl. -->
        <!-- BUT it is different for JBOSS!! See this link: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <!-- Client-side SSL certificate based authentication. The cert is passed to the server to authenticate -->
    <!-- I am pretty sure that CLIENT-CERT should have a dash NOT an underscore see: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg139845.html -->
    <!-- CLIENT-CERT uses a client's AND server's certificates. See: http://monduke.com/2006/01/19/the-mysterious-client-cert/ -->
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
    <description>All authenticated users</description>
    <role-name>ALL_AUTHENTICATED</role-name>
</security-role>
Security is two things: authentication and authorization.
Authentication: the act of verifying that a user is a principal and granting the user certain principals; "who you are."
Authorization: the act of verifying whether a user is allowed to access a resource; "what you can do."
<auth-method> says how to authenticate the user, i.e. how to ask who you are. If the user has no client certificate, he is an unauthenticated user. It says nothing about what the user can do.
<auth-constraint>, however, is what you can do. If you put in an <auth-constraint>, only the roles named in it can access the corresponding web resource. If a resource is not restricted to some roles, you can still have users who are unauthenticated but are allowed to access some resources.
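The gap the answer describes (a CONFIDENTIAL transport guarantee with no auth-constraint, reachable on a TLS connector that does not demand a client certificate) is easy to miss by eye in a long deployment descriptor. The following script is an added example, not code from the original post, from JBoss or from Tomcat: it parses a web.xml and a server.xml and reports which URL patterns a client can reach over TLS without presenting any identity. Both XML documents are constructed for the example; the connector attributes are the ones quoted in the question, and the port numbers 8443/8444/8080 are placeholders for <A>/<B>/<C>.

```python
"""Audit web.xml and server.xml for constraints that force TLS but admit anyone.

Added example, not code from the original post, JBoss or Tomcat. Both documents
below are constructed; ports 8443/8444/8080 stand in for <A>/<B>/<C>.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml: the asker's original constraint for /* (CONFIDENTIAL but no
# <auth-constraint>) next to a corrected constraint for /admin/* naming a declared role.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>ALL_AUTHENTICATED</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
  <security-role><role-name>ALL_AUTHENTICATED</role-name></security-role>
</web-app>"""

# Constructed server.xml with the three connector shapes from the question.
SERVER_XML = """<Server><Service name="jboss.web">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"/>
  <Connector port="8080" redirectPort="8443"/>
</Service></Server>"""


def _local(tag):
    """Strip the XML namespace so the checks work with or without an xmlns on web-app."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def _text(elem, name):
    hits = _find_all(elem, name)
    return hits[0].text.strip() if hits and hits[0].text else None


def audit_web_xml(xml_text):
    """Return (kind, url_patterns, detail) findings, one per problematic constraint.

    unauthenticated : no <auth-constraint>; TLS may be forced but anyone is admitted.
    deny-all        : empty <auth-constraint/>; the servlet spec reads that as "nobody".
    undeclared-role : a role-name that no <security-role> declares.
    """
    root = ET.fromstring(xml_text)
    declared = {_text(sr, "role-name") for sr in _find_all(root, "security-role")}
    findings = []
    for sc in _find_all(root, "security-constraint"):
        patterns = [p.text.strip() for p in _find_all(sc, "url-pattern")]
        guarantee = _text(sc, "transport-guarantee") or "NONE"
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        if not auth:
            findings.append(("unauthenticated", patterns, guarantee))
            continue
        roles = [r.text.strip() for r in _find_all(auth[0], "role-name")]
        if not roles:
            findings.append(("deny-all", patterns, guarantee))
        for role in roles:
            if role != "*" and role not in declared:
                findings.append(("undeclared-role", patterns, role))
    return findings


def audit_connectors(xml_text):
    """Classify each <Connector> by what its TLS handshake demands of the client."""
    result = []
    for c in ET.fromstring(xml_text).iter("Connector"):
        tls = c.get("SSLEnabled", "false").lower() == "true"
        # Tomcat accepts true/false/want; only "true" rejects a missing cert at handshake.
        required = c.get("clientAuth", "false").lower() == "true"
        kind = "plain" if not tls else ("tls-client-cert-required" if required
                                        else "tls-client-cert-not-required")
        result.append((c.get("port"), kind))
    return result


def reachable_without_identity(web_xml, server_xml):
    """(port, url-pattern) pairs reachable over TLS with no certificate at all:
    constraints lacking <auth-constraint> crossed with connectors that do not
    require a client cert. This is exactly port <B> in the question."""
    open_patterns = [p for kind, pats, _ in audit_web_xml(web_xml)
                     if kind == "unauthenticated" for p in pats]
    lax_ports = [port for port, kind in audit_connectors(server_xml)
                 if kind == "tls-client-cert-not-required"]
    return [(port, pat) for port in lax_ports for pat in open_patterns]


if __name__ == "__main__":
    for finding in audit_web_xml(WEB_XML):
        print("web.xml:", finding)
    for connector in audit_connectors(SERVER_XML):
        print("server.xml:", connector)
    print("exposed:", reachable_without_identity(WEB_XML, SERVER_XML))
```

Running it on the constructed inputs reports the `/*` constraint as unauthenticated and pairs it with port 8444, the clientAuth="false" connector; the `/admin/*` constraint, which has the auth-constraint and security-role the answer recommends, produces no finding. Adding the auth-constraint closes the web.xml side, but the connector audit still lists 8444 as not demanding a certificate at handshake, which is the second thing to fix if port <B> is not meant to exist at all.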