jakarta-ee - Websphere: security constraint in web.xml not enforced

Tags: jakarta-ee websphere web.xml

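I am trying to enable SSL on a very old J2EE application that I support. The application runs in WebSphere 6.1. I have enabled application security in the WAS profile that runs the application, but the web.xml configuration below still allows users to access the site using either HTTP or HTTPS.

I have tried several different URL patterns, but none of them seem to work: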

/*
/jsp/*
/gatewayRMIWEB/*

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app id="WebApp">
    <display-name>gatewayRMIWEB</display-name>
    <filter>
        <filter-name>LoginFilter</filter-name>
        <display-name>LoginFilter</display-name>
        <filter-class>com.dc.gateway.servlet.LoginFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>LoginFilter</filter-name>
        <url-pattern>/jsp/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>GatewayClient</servlet-name>
        <display-name>GatewayClient</display-name>
        <servlet-class>com.dc.gateway.servlet.GatewayClient</servlet-class>
        <init-param>
            <param-name>log4j-init-file</param-name>
            <param-value>/WEB-INF/logger.lcf</param-value>
        </init-param>
    </servlet>
    <servlet>
        <servlet-name>SecurityCheck</servlet-name>
        <display-name>SecurityCheck</display-name>
        <servlet-class>com.dc.gateway.servlet.SecurityCheck</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>Logoff</servlet-name>
        <display-name>Logoff</display-name>
        <servlet-class>com.dc.gateway.servlet.Logoff</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>Settings</servlet-name>
        <display-name>Settings</display-name>
        <servlet-class>com.dc.gateway.servlet.Settings</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>changepassword</servlet-name>
        <display-name>changepassword</display-name>
        <servlet-class>com.dc.gateway.servlet.changepassword</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>subdetailupdate</servlet-name>
        <display-name>subdetailupdate</display-name>
        <servlet-class>com.dc.gateway.servlet.subdetailupdate</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>subscriberdelete</servlet-name>
        <display-name>subscriberdelete</display-name>
        <servlet-class>com.dc.gateway.servlet.subscriberdelete</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>subscriberdetailedit</servlet-name>
        <display-name>subscriberdetailedit</display-name>
        <servlet-class>com.dc.gateway.servlet.subscriberdetailedit</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>subscriberedit</servlet-name>
        <display-name>subscriberedit</display-name>
        <servlet-class>com.dc.gateway.servlet.subscriberedit</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>subscribernew</servlet-name>
        <display-name>subscribernew</display-name>
        <servlet-class>com.dc.gateway.servlet.subscribernew</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>TrnlogPurge</servlet-name>
        <display-name>TrnlogPurge</display-name>
        <servlet-class>com.dc.gateway.servlet.TrnlogPurge</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>As400Pool</servlet-name>
        <display-name>As400Pool</display-name>
        <servlet-class>com.dc.gateway.servlet.As400Pool</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>Resubmit</servlet-name>
        <display-name>Resubmit</display-name>
        <servlet-class>com.dc.gateway.servlet.Resubmit</servlet-class>
    </servlet>
    <servlet>
        <servlet-name>SearchPrepare</servlet-name>
        <display-name>SearchPrepare</display-name>
        <servlet-class>com.dc.gateway.servlet.SearchPrepare</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>GatewayClient</servlet-name>
        <url-pattern>/GatewayClient</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>SecurityCheck</servlet-name>
        <url-pattern>/SecurityCheck</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Logoff</servlet-name>
        <url-pattern>/Logoff</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Settings</servlet-name>
        <url-pattern>/Settings</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>changepassword</servlet-name>
        <url-pattern>/changepassword</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>subdetailupdate</servlet-name>
        <url-pattern>/subdetailupdate</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>subscriberdelete</servlet-name>
        <url-pattern>/subscriberdelete</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>subscriberdetailedit</servlet-name>
        <url-pattern>/subscriberdetailedit</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>subscriberedit</servlet-name>
        <url-pattern>/subscriberedit</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>subscribernew</servlet-name>
        <url-pattern>/subscribernew</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>TrnlogPurge</servlet-name>
        <url-pattern>/TrnlogPurge</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>As400Pool</servlet-name>
        <url-pattern>/As400Pool</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Resubmit</servlet-name>
        <url-pattern>/Resubmit</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>SearchPrepare</servlet-name>
        <url-pattern>/SearchPrepare</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
        <welcome-file>jsp/login.jsp</welcome-file>
    </welcome-file-list>
    <resource-ref id="ResourceRef_1084824065465">
        <res-ref-name>jdbc/cg</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
        <res-sharing-scope>Shareable</res-sharing-scope>
    </resource-ref>
    <env-entry>
        <description>soft-coded datasource jndi name</description>
        <env-entry-name>datasource-jndi-cms</env-entry-name>
        <env-entry-value>jdbc/cg</env-entry-value>
        <env-entry-type>java.lang.String</env-entry-type>
    </env-entry>
    <env-entry>
        <description>soft-coded datasource jndi name</description>
        <env-entry-name>datasource-jndi-erp</env-entry-name>
        <env-entry-value>jdbc/erp</env-entry-value>
        <env-entry-type>java.lang.String</env-entry-type>
    </env-entry>

    <security-constraint>
        <display-name>gatewayRMIWEB</display-name>
        <web-resource-collection>
            <web-resource-name>allresources</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>

Best answer

If you want to protect the whole application, the following pattern should do it:

<url-pattern>/*</url-pattern>

At least this works for me on 8.5.5

<security-constraint>
    <display-name>allApp</display-name>
    <web-resource-collection>
        <web-resource-name>allresources</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Did you restart the server after enabling application security?

Regarding jakarta-ee - Websphere: security constraint in web.xml not enforced, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/25796283/
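
An added example, not part of the original question or answer: a Python audit that parses a web.xml and lists the servlet mappings and welcome files that no CONFIDENTIAL transport-guarantee constraint covers. The sample descriptor is constructed (same shape as the one in the question, with the constraint narrowed to /jsp/* to show a gap), and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the asker's file): same shape as the descriptor in
# the question, but the constraint is narrowed to /jsp/* to show a gap.
SAMPLE_WEB_XML = """<web-app id="WebApp">
  <servlet-mapping><servlet-name>GatewayClient</servlet-name><url-pattern>/GatewayClient</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Logoff</servlet-name><url-pattern>/Logoff</url-pattern></servlet-mapping>
  <welcome-file-list><welcome-file>jsp/login.jsp</welcome-file></welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>pages</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def covers(pattern, path):
    """Servlet url-pattern match: exact, path prefix (/x/*), extension (*.x), default (/)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == "/" or pattern == path

def confidential_patterns(root):
    """url-patterns of constraints that demand CONFIDENTIAL for every HTTP method."""
    found = []
    for sc in root.iter("security-constraint"):
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "").strip()
        if guarantee != "CONFIDENTIAL":
            continue
        for coll in sc.iter("web-resource-collection"):
            if coll.find("http-method") is None:  # method-limited collections leave gaps
                found += [p.text.strip() for p in coll.iter("url-pattern")]
    return found

def plain_http_paths(web_xml):
    """Servlet mappings and welcome files that no CONFIDENTIAL constraint covers."""
    root = ET.fromstring(web_xml)
    protected = confidential_patterns(root)
    paths = [m.findtext("url-pattern").strip() for m in root.iter("servlet-mapping")]
    paths += ["/" + w.text.strip().lstrip("/") for w in root.iter("welcome-file")]
    return [p for p in paths if not any(covers(c, p) for c in protected)]
```

This checks only what the descriptor declares, not whether the server is enforcing it.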
