如何以编程方式设置 在Servlets 3.x中?

问题描述 投票:16回答:3

在我当前的Web应用程序中,我试图摆脱web.xml,但我无法正确设置强制所有对应用程序的请求使用HTTPS的安全性约束。

<security-constraint>
  <web-resource-collection>
     <web-resource-name>all</web-resource-name>
     <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

如何在具有相同功能的Servlet 3.x配置代码中打开上面的web.xml配置片段?

UPDATE

我希望约束条件适用于应用程序中的每个servlet,过滤器和静态资源,到目前为止,我在网上看到的示例都显示了将安全约束条件附加到servlet,但是我希望将安全约束条件附加到Web应用程序。在上面的xml代码段中,您看到它没有引用任何特定的servlet

java servlets servlet-3.0
3个回答
11
投票

我相信您正在寻找@ServletSecurity批注

@WebServlet(urlPatterns = "/*")
@ServletSecurity(value = @HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class SomeServlet extends HttpServlet { ... }

或在ServletRegistration中使用ServletContainerInitializer(或您可以访问ServletContext的任何地方]

ServletRegistration.Dynamic dynamic = context.addServlet("someServlet", SomeServlet.class);
dynamic.addMapping("/*");
HttpConstraintElement httpConstraintElement = new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL);
ServletSecurityElement servletSecurityElement = new ServletSecurityElement(httpConstraintElement);
dynamic.setServletSecurity(servletSecurityElement);
0
投票

我能够通过配置glassfish域安全性来为项目执行此操作:

  1. 创建一个新的安全域,在此示例中称为:FooRealm
  2. 将带有密码的用户添加到FooRealm
  3. 将每个用户添加到“ GroupFoo”

涵盖了您的glassfish配置,这是您的web.xml:

<security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>Everything</web-resource-name>
        <description>Everything</description>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>UserAuthenticationConstraint</description>
        <role-name>GroupFoo</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>FooRealm</realm-name>
    <form-login-config>
        <form-login-page>/Login.jsp</form-login-page>
        <form-error-page>/LoginError.html</form-error-page>
    </form-login-config>
</login-config>
0
投票

如果您将其部署到JBoss或WildFly(基于Undertow的服务器)之后,则有解决方案。

将ServletContainerInitializer或WebApplicationInitializer添加到您的项目中。

[onStartup(Set<Class<?>> c, ServletContext ctx)onStartup(ServletContext ctx)

io.undertow.servlet.spec.ServletContextImpl servletContextImpl = (ServletContextImpl) ctx;
io.undertow.servlet.api.Deployment deployment = (DeploymentImpl) servletContextImpl.getDeployment();
DeploymentInfo deploymentInfo = deployment.getDeploymentInfo();
deploymentInfo.addSecurityConstraint(Servlets.securityConstraint()
                    .addRoleAllowed("*")
                    .addWebResourceCollections(Servlets.webResourceCollection().addUrlPattern("/*")));

//auth-mode 
deploymentInfo.setLoginConfig(Servlets.loginConfig("BASIC", null));
//deploymentInfo.setLoginConfig(Servlets.loginConfig("SPNEGO", "SPNEGO"));

deploymentInfo.addSecurityRole("*");
deploymentInfo.setSecurityDisabled(false);

....
 //ur Servlets go here
 ServletRegistration.Dynamic servlet = ctx.addServlet("rwtServlet", "org.eclipse.rap.rwt.engine.RWTServlet");

 servlet.addMapping("/rap");

 ctx.addListener("org.eclipse.rap.rwt.engine.RWTServletContextListener");

[note:确保添加undertow-servlet作为编译时间与时间的依赖关系

<dependency>
    <groupId>io.undertow</groupId>
    <artifactId>undertow-servlet</artifactId>
    <version>2.0.30.Final</version>
</dependency>
最新问题
© www.soinside.com 2019 - 2024. All rights reserved.