How to programmatically setup a in Serv

2020-02-13 07:29发布

站内问答 / Java
420 2 2

In my current web application I am trying to get rid of web.xml and I have not been able to properly setup the security constraint that forces all requests to the application to use HTTPS.

<security-constraint>
  <web-resource-collection>
     <web-resource-name>all</web-resource-name>
     <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

How can I turn the above web.xml configuration snippet in servlet 3.x configuration code that does the same thing?

UPDATE

I want the constraint to apply to every servlet, filter, and static resource in application, the examples I have seen online so far show to attach a security constraint to a servlet, but I want the security constraint attached to the web app. In the xml snippet above you see that it does not reference any specific servlet

2条回答
我想做一个坏孩纸
2楼-- · 2020-02-13 07:48

I was able to do this for a project by configuring the glassfish domain security:

  1. Create a new security domain, in this example call it: FooRealm
  2. Add users w (or w/o) passwords to FooRealm
  3. Add each user to "GroupFoo"

That covers your glassfish config, here is your web.xml:

<security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>Everything</web-resource-name>
        <description>Everything</description>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>UserAuthenticationConstraint</description>
        <role-name>GroupFoo</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>FooRealm</realm-name>
    <form-login-config>
        <form-login-page>/Login.jsp</form-login-page>
        <form-error-page>/LoginError.html</form-error-page>
    </form-login-config>
</login-config>
查看更多
0人赞 添加讨论(0) 举报
爷的心禁止访问
3楼-- · 2020-02-13 08:01

I believe you are looking for the @ServletSecurity annotation

@WebServlet(urlPatterns = "/*")
@ServletSecurity(value = @HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class SomeServlet extends HttpServlet { ... }

Or with ServletRegistration in a ServletContainerInitializer (or anywhere you have access to a ServletContext)

ServletRegistration.Dynamic dynamic = context.addServlet("someServlet", SomeServlet.class);
dynamic.addMapping("/*");
HttpConstraintElement httpConstraintElement = new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL);
ServletSecurityElement servletSecurityElement = new ServletSecurityElement(httpConstraintElement);
dynamic.setServletSecurity(servletSecurityElement);
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(2)