I just added this to the web.xml on the JBOSS server, but it has no effect. I can still connect to the port that does not use two-way certificate exchange. Does anyone have any ideas?

<!-- Force SSL for entire site as described here: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<security-constraint>

        <!-- defines resources to be protected (in this case everything)-->
        <web-resource-collection>
                <!-- name for the resource, can be anything you like -->
                <!-- Question: is this referenced anywhere else? -->
                <web-resource-name>
                        Entire Application
                </web-resource-name>

                <!-- protect the entire application -->
                <url-pattern>
                        /*
                </url-pattern>
        </web-resource-collection>



        <!-- defines protection level for protected resource -->
        <user-data-constraint>
                <!-- data cannot be observed or changed                                 -->
                <!-- how it works in tomcat:                                            -->
                <!--    if (set to integral or confidential && not using ssl)           -->
                <!--            redirect sent to client, redirecting them to same url   -->
                <!--            but using the port defined in the redirect port         -->
                <!--            attribute in the <Connector> element of server.xml      -->
                <!--            default is 443, so in other words user is redirected    -->
                <!--            to same page using ssl.                                 -->
                <!-- BUT it is different for JBOSS!!  See this link: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
                <transport-guarantee>
                        CONFIDENTIAL
                </transport-guarantee>
        </user-data-constraint>

</security-constraint>

<login-config>

        <!-- Client-side SSL certificate based authentication.  The cert is passed to the server to authenticate -->
        <!-- I am pretty sure that CLIENT-CERT should have a dash NOT an underscore see: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg139845.html -->
        <!-- CLIENT-CERT uses a client's AND server's certificates.  See: http://monduke.com/2006/01/19/the-mysterious-client-cert/ -->
        <auth-method>
                CLIENT-CERT
        </auth-method>
</login-config>

Update
Actually, it appears I made a mistake in the original post.
The web.xml does block users from connecting to the web service over http (port C below). However, users are still allowed to connect on the port that does not force the user to authenticate (port B). I think users should be able to connect on port A (which has clientAuth="true"), but not on port B (which has clientAuth="false").
Excerpt from server.xml
  <Connector port="<A>" ... SSLEnabled="true"
       ...
       scheme="https" secure="true" clientAuth="true"
       keystoreFile="... .keystore"
       keystorePass="pword"
       truststoreFile="... .keystore"
       truststorePass="pword"
       sslProtocol="TLS"/>

  <Connector port="<B>" ... SSLEnabled="true"
       ...
       scheme="https" secure="true" clientAuth="false"
       keystoreFile="... .keystore"
       keystorePass="pword" sslProtocol = "TLS" />


  <Connector port="<C>" ...
     />

Best answer

I assume port <C> is HTTP, and since you have configured <transport-guarantee>CONFIDENTIAL</transport-guarantee>, port <C> is blocked.

Port <B> does use SSL, which satisfies <transport-guarantee>CONFIDENTIAL</transport-guarantee>, so it is not blocked.



You are missing some elements in your web.xml configuration. Your web resource has no authorization constraint. So even when you access it from port <B> without being authenticated, you are still authorized to access the resource, because you have not put any authentication constraint on it.

You need a <security-role><role-name> list of the roles that may access this application.
<security-constraint><web-resource-collection> should have an <auth-constraint> that says which <role-name> is granted access; everyone else is restricted.

The roles configured above are Java EE roles. The container (JBoss) needs to be configured to map the authenticated roles to the Java EE roles.

References:

http://java.sun.com/javaee/5/docs/tutorial/doc/bncbe.html

http://community.jboss.org/wiki/RoleMappingLoginModule



Updated copy of the web.xml above

<!-- Force SSL for entire site as described here: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<security-constraint>

        <!-- defines resources to be protected (in this case everything)-->
        <web-resource-collection>
                <!-- name for the resource, can be anything you like -->
                <!-- Question: is this referenced anywhere else? -->
                <web-resource-name>
                        Entire Application
                </web-resource-name>

                <!-- protect the entire application -->
                <url-pattern>
                        /*
                </url-pattern>
        </web-resource-collection>

        <auth-constraint>
            <description>Authorized Roles</description>
            <role-name>ALL_AUTHENTICATED</role-name>
        </auth-constraint>


        <!-- defines protection level for protected resource -->
        <user-data-constraint>
                <!-- data cannot be observed or changed                                 -->
                <!-- how it works in tomcat:                                            -->
                <!--    if (set to integral or confidential && not using ssl)           -->
                <!--            redirect sent to client, redirecting them to same url   -->
                <!--            but using the port defined in the redirect port         -->
                <!--            attribute in the <Connector> element of server.xml      -->
                <!--            default is 443, so in other words user is redirected    -->
                <!--            to same page using ssl.                                 -->
                <!-- BUT it is different for JBOSS!!  See this link: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
                <transport-guarantee>
                        CONFIDENTIAL
                </transport-guarantee>
        </user-data-constraint>

</security-constraint>

<login-config>

        <!-- Client-side SSL certificate based authentication.  The cert is passed to the server to authenticate -->
        <!-- I am pretty sure that CLIENT-CERT should have a dash NOT an underscore see: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg139845.html -->
        <!-- CLIENT-CERT uses a client's AND server's certificates.  See: http://monduke.com/2006/01/19/the-mysterious-client-cert/ -->
        <auth-method>
                CLIENT-CERT
        </auth-method>
</login-config>
<security-role>
    <description>All authenticated users</description>
    <role-name>ALL_AUTHENTICATED</role-name>
</security-role>



In security there are two things: authentication and authorization.

Authentication: the act of verifying that a user is a subject and granting the user certain principals; "who you are."

Authorization: the act of verifying that a user is allowed to access a particular resource; "what you can do."
<auth-method> tells you how to authenticate the user, or how to ask who they are. If the user does not have a client certificate, then they are an unauthenticated user. It does not say what the user can do.

However, you can enforce an <auth-constraint>. If you put in an <auth-constraint>, then only the roles mentioned in it can access the corresponding web resource. If a resource is not restricted to the certificate role, you can still have users who are unauthenticated but have access to some resources.

07-24 18:56
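To see why the questioner's first web.xml let port <B> through and the answer's version does not, here is an added model, written for this page and not Tomcat or JBoss code, of how a Servlet container evaluates <security-constraint> entries: the <user-data-constraint> is checked first and can only redirect, and the <auth-constraint> is what turns an unauthenticated request into a 403. The two web.xml strings are constructed from the question and the answer, the path /services/MyService is an assumed example, and the model ignores <http-method> elements and the best-match precedence between overlapping patterns.

```python
"""Model of how a Servlet container evaluates <security-constraint> entries.

Added illustration, not Tomcat or JBoss code: the logic follows the Servlet spec
(URL patterns, transport-guarantee, combination of auth-constraints) simplified
to one pass over every matching constraint. Both web.xml strings are constructed
from the question and the answer on this page.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: the questioner's original web.xml (TLS enforced, no <auth-constraint>).
ORIGINAL_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

# Constructed sample: the answer's version, adding <auth-constraint> plus the matching <security-role>.
FIXED_WEB_XML = ORIGINAL_WEB_XML.replace(
    "<user-data-constraint>",
    "<auth-constraint><role-name>ALL_AUTHENTICATED</role-name></auth-constraint>\n    <user-data-constraint>",
).replace("</web-app>", "<security-role><role-name>ALL_AUTHENTICATED</role-name></security-role>\n</web-app>")


@dataclass(frozen=True)
class Request:
    path: str                        # request path relative to the context root
    secure: bool                     # True when it arrived on a connector with secure="true" (TLS)
    roles: frozenset = frozenset()   # container roles of the authenticated principal; empty = anonymous


def _strip_namespaces(root):
    """Real web.xml files declare the Java EE namespace; drop it so tag lookups stay simple."""
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    return root


def _text(el):
    return (el.text or "").strip()


def pattern_matches(pattern, path):
    """Servlet URL-pattern rules: exact, path prefix (/foo/*), extension (*.jsp), default (/)."""
    if pattern == "/" or pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def parse_constraints(web_xml):
    """Return [(url_patterns, roles_or_None, transport_guarantee)] for each <security-constraint>."""
    root = _strip_namespaces(ET.fromstring(web_xml))
    out = []
    for sc in root.iter("security-constraint"):
        patterns = [_text(p) for p in sc.iter("url-pattern")]
        ac = sc.find("auth-constraint")
        # None = no <auth-constraint> at all (unrestricted); empty frozenset = <auth-constraint/> (deny all)
        roles = None if ac is None else frozenset(_text(r) for r in ac.findall("role-name"))
        tg = sc.find("user-data-constraint/transport-guarantee")
        out.append((patterns, roles, _text(tg) if tg is not None else "NONE"))
    return out


def decide(constraints, req):
    """'REDIRECT' (to the TLS port), 'FORBIDDEN' (403) or 'ALLOW' for req."""
    matching = [(roles, g) for pats, roles, g in constraints
                if any(pattern_matches(p, req.path) for p in pats)]
    if not matching:
        return "ALLOW"
    # 1. User-data constraint: CONFIDENTIAL/INTEGRAL on a non-TLS connector -> redirect (Tomcat: redirectPort).
    if not req.secure and any(g in ("CONFIDENTIAL", "INTEGRAL") for _, g in matching):
        return "REDIRECT"
    # 2. Auth constraints, combined the way the spec describes.
    auth = [roles for roles, _ in matching if roles is not None]
    if any(len(r) == 0 for r in auth):
        return "FORBIDDEN"        # an empty <auth-constraint/> overrides everything else
    if len(auth) < len(matching):
        return "ALLOW"            # a matching constraint with no <auth-constraint> permits anonymous access
    allowed = frozenset().union(*auth)
    if "**" in allowed and req.roles:   # Servlet 3.1: "**" means any authenticated user
        return "ALLOW"
    return "ALLOW" if allowed & req.roles else "FORBIDDEN"


if __name__ == "__main__":
    ws = "/services/MyService"   # assumed example path
    for label, xml in (("original", ORIGINAL_WEB_XML), ("fixed", FIXED_WEB_XML)):
        cs = parse_constraints(xml)
        print(label, "port C (http, anonymous):   ", decide(cs, Request(ws, secure=False)))
        print(label, "port B (tls, no cert):      ", decide(cs, Request(ws, secure=True)))
        print(label, "port A (tls, cert -> role): ", decide(cs, Request(ws, True, frozenset({"ALL_AUTHENTICATED"}))))
```

The three Request objects stand for the three connectors: port <C> (secure=False) is redirected by both files, port <B> (TLS but no principal, so no roles) is allowed by the original file and forbidden by the fixed one, and port <A> (client cert mapped by the container to ALL_AUTHENTICATED) passes both. The role name on the request is whatever the JBoss login module maps the certificate to; that mapping is outside the model, which is exactly why the answer points at the container-side role mapping as a separate step.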