In my current web application I am trying to get rid of web.xml, but I cannot correctly set up the security constraint that forces every request to the application to use HTTPS.
```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>all</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```
How do I express the web.xml snippet above in Servlet 3.x configuration code with the same functionality?

UPDATE

I want the constraint to apply to every servlet, filter and static resource in the application. So far, all the examples I have seen online attach a security constraint to a servlet, but I want to attach it to the web application. In the xml snippet above you can see that it does not reference any particular servlet.
I believe you're looking for the @ServletSecurity annotation
```java
import javax.servlet.annotation.*;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.http.HttpServlet;
@WebServlet(urlPatterns = "/*")
@ServletSecurity(value = @HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL)) // HTTPS only
public class SomeServlet extends HttpServlet { /* servlet code as before */ }
```
or use ServletRegistration in a ServletContainerInitializer (or anywhere you have access to the ServletContext)
```java
import javax.servlet.*;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
// `context` is the ServletContext handed to onStartup()
ServletRegistration.Dynamic dynamic = context.addServlet("someServlet", SomeServlet.class);
dynamic.addMapping("/*");
HttpConstraintElement httpConstraintElement = new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL);
ServletSecurityElement servletSecurityElement = new ServletSecurityElement(httpConstraintElement);
dynamic.setServletSecurity(servletSecurityElement); // same effect as <transport-guarantee>CONFIDENTIAL</transport-guarantee>
```
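Both forms above bind the transport guarantee to one servlet registration. As an added example (not from this question or any of its answers), here is a container-portable way to require HTTPS for every URL, static resources included, from a ServletContainerInitializer: a filter mapped to /* that redirects safe requests to HTTPS, refuses the rest, and sets HSTS. Class names are invented; it assumes HTTPS is served on the default port 443 of the same host and that the container reports TLS correctly through isSecure().

```java
import java.io.IOException;
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical initializer; the container discovers it via
// META-INF/services/javax.servlet.ServletContainerInitializer
public class HttpsOnlyInitializer implements ServletContainerInitializer {

    @Override
    public void onStartup(Set<Class<?>> c, ServletContext ctx) {
        FilterRegistration.Dynamic reg = ctx.addFilter("httpsOnly", HttpsOnlyFilter.class);
        // "/*" with every dispatcher type covers servlets, forwards, includes and static resources
        reg.addMappingForUrlPatterns(EnumSet.allOf(DispatcherType.class), false, "/*");
    }

    public static class HttpsOnlyFilter implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            if (!request.isSecure()) {
                // Only GET/HEAD are redirected. Other methods are refused instead of replayed
                // over TLS: their body already crossed the wire in clear text.
                String method = request.getMethod();
                if (!"GET".equals(method) && !"HEAD".equals(method)) {
                    response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
                    return;
                }
                String query = request.getQueryString() == null ? "" : "?" + request.getQueryString();
                // Assumes HTTPS on the default port 443 for the same host name
                response.sendRedirect("https://" + request.getServerName() + request.getRequestURI() + query);
                return;
            }
            // Ask browsers to keep using HTTPS for this host (one year, subdomains included)
            response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
            chain.doFilter(req, res);
        }
    }
}
```

Behind a TLS-terminating proxy, isSecure() is only true when the container is configured to trust the proxy's forwarded-protocol header; otherwise every request would loop through the redirect.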
I was able to do this for a project by configuring the glassfish domain security:

With your glassfish configuration covered, here is your web.xml:
```xml
<security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>Everything</web-resource-name>
        <description>Everything</description>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>UserAuthenticationConstraint</description>
        <role-name>GroupFoo</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>FooRealm</realm-name>
    <form-login-config>
        <form-login-page>/Login.jsp</form-login-page>
        <form-error-page>/LoginError.html</form-error-page>
    </form-login-config>
</login-config>
```
If you are deploying to JBoss or WildFly (Undertow-based servers), there is a solution.

Add a ServletContainerInitializer or WebApplicationInitializer to your project. In onStartup(Set<Class<?>> c, ServletContext ctx) or onStartup(ServletContext ctx):
```java
import javax.servlet.ServletContext;
import javax.servlet.ServletRegistration;
import io.undertow.servlet.Servlets;
import io.undertow.servlet.api.Deployment;
import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.servlet.spec.ServletContextImpl;

// Reach Undertow's deployment descriptor through its ServletContext implementation
ServletContextImpl servletContextImpl = (ServletContextImpl) ctx;
Deployment deployment = servletContextImpl.getDeployment();
DeploymentInfo deploymentInfo = deployment.getDeploymentInfo();
// Programmatic <security-constraint> on /* allowing any role
deploymentInfo.addSecurityConstraint(Servlets.securityConstraint()
    .addRoleAllowed("*")
    .addWebResourceCollections(Servlets.webResourceCollection().addUrlPattern("/*")));
// auth-mode
deploymentInfo.setLoginConfig(Servlets.loginConfig("BASIC", null));
//deploymentInfo.setLoginConfig(Servlets.loginConfig("SPNEGO", "SPNEGO"));
deploymentInfo.addSecurityRole("*");
deploymentInfo.setSecurityDisabled(false);
// ...
// your servlets go here
ServletRegistration.Dynamic servlet = ctx.addServlet("rwtServlet", "org.eclipse.rap.rwt.engine.RWTServlet");
servlet.addMapping("/rap");
ctx.addListener("org.eclipse.rap.rwt.engine.RWTServletContextListener");
```
Note: make sure to add undertow-servlet as a compile-time dependency
```xml
<dependency>
    <groupId>io.undertow</groupId>
    <artifactId>undertow-servlet</artifactId>
    <version>2.0.30.Final</version>
</dependency>
```