Changes to JBoss web.xml have no effect

Question

I just added this to my web.xml on my JBOSS server. But it had no effect. I am still allowed to connect to ports that do not use bi-directional certificate exchange. Anyone have any ideas?

<!-- Force SSL for entire site as described here: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<security-constraint>

        <!-- defines resources to be protected (in this case everything)-->
        <web-resource-collection>
                <!-- name for the resource, can be anything you like -->
                <!-- Question: is this referenced anywhere else? -->
                <web-resource-name>
                        Entire Application
                </web-resource-name>

                <!-- protect the entire application -->
                <url-pattern>
                        /*
                </url-pattern>
        </web-resource-collection>



        <!-- defines protection level for protected resource -->
        <user-data-constraint>
                <!-- data cannot be observed or changed                                 -->
                <!-- how it works in tomcat:                                            -->
                <!--    if (set to integral or confidential && not using ssl)           -->
                <!--            redirect sent to client, redirecting them to same url   -->
                <!--            but using the port defined in the redirect port         -->
                <!--            attribute in the <Connector> element of server.xml      -->
                <!--            default is 443, so in other words user is redirected    -->
                <!--            to same page using ssl.                                 -->
                <!-- BUT it is different for JBOSS!!  See this link: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
                <transport-guarantee>
                        CONFIDENTIAL
                </transport-guarantee>
        </user-data-constraint>

</security-constraint>

<login-config>

        <!-- Client-side SSL certificate based authentication.  The cert is passed to the server to authenticate -->
        <!-- I am pretty sure that CLIENT-CERT should have a dash NOT an underscore see: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg139845.html -->
        <!-- CLIENT-CERT uses a client's AND server's certificates.  See: http://monduke.com/2006/01/19/the-mysterious-client-cert/ -->
        <auth-method>
                CLIENT-CERT
        </auth-method>     
</login-config>


Update

Actually it appears that I have made an error in my original posting.

The web.xml does block users from connecting to the webservice using http (port C below). However, users are still allowed to connect to ports that do not force users to authenticate themselves (port B). I think that users should be able to connect to port A (it has clientAuth="true"), but I don't think that people should be able to connect to port B (it has clientAuth="false").

Excerpt from server.xml

  <Connector port="<A>" ... SSLEnabled="true"
       ...
       scheme="https" secure="true" clientAuth="true"
       keystoreFile="... .keystore"
       keystorePass="pword"
       truststoreFile="... .keystore"
       truststorePass="pword"
       sslProtocol="TLS"/>

  <Connector port="<B>" ... SSLEnabled="true"
       ...
       scheme="https" secure="true" clientAuth="false"
       keystoreFile="... .keystore"
       keystorePass="pword" sslProtocol = "TLS" />


  <Connector port="<C>" ...
     />

Answer

I assume port <C> is HTTP, and since you have configured <transport-guarantee> CONFIDENTIAL </transport-guarantee>, port <C> is blocked.

Port <B> does use SSL, which satisfies <transport-guarantee> CONFIDENTIAL </transport-guarantee>, hence it is not blocked.

You are missing a few elements in your web.xml configuration. You don't have any authorization constraints on your web resources. Hence, when you access from port <B>, even though you are not authenticated you are still authorized to access the resources, as you have not put any auth-constraints on your resources.

You need to have a list of <security-role> elements containing the <role-name>s that can access this application.

The <security-constraint> for the <web-resource-collection> should have an <auth-constraint> telling which <role-name> to give access to; all others will be restricted.

The roles configured above are Java EE roles. The container (JBoss) needs to be configured to map authenticated roles to Java EE roles.

References:

http://java.sun.com/javaee/5/docs/tutorial/doc/bncbe.html

http://community.jboss.org/wiki/RoleMappingLoginModule

Updated copy of the above web.xml

<!-- Force SSL for entire site as described here: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<security-constraint>

        <!-- defines resources to be protected (in this case everything)-->
        <web-resource-collection>
                <!-- name for the resource, can be anything you like -->
                <!-- Question: is this referenced anywhere else? -->
                <web-resource-name>
                        Entire Application
                </web-resource-name>

                <!-- protect the entire application -->
                <url-pattern>
                        /*
                </url-pattern>
        </web-resource-collection>

        <auth-constraint>
            <description>Authorized Roles</description>
            <role-name>ALL_AUTHENTICATED</role-name>
        </auth-constraint>


        <!-- defines protection level for protected resource -->
        <user-data-constraint>
                <!-- data cannot be observed or changed                                 -->
                <!-- how it works in tomcat:                                            -->
                <!--    if (set to integral or confidential && not using ssl)           -->
                <!--            redirect sent to client, redirecting them to same url   -->
                <!--            but using the port defined in the redirect port         -->
                <!--            attribute in the <Connector> element of server.xml      -->
                <!--            default is 443, so in other words user is redirected    -->
                <!--            to same page using ssl.                                 -->
                <!-- BUT it is different for JBOSS!!  See this link: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
                <transport-guarantee>
                        CONFIDENTIAL
                </transport-guarantee>
        </user-data-constraint>

</security-constraint>

<login-config>

        <!-- Client-side SSL certificate based authentication.  The cert is passed to the server to authenticate -->
        <!-- I am pretty sure that CLIENT-CERT should have a dash NOT an underscore see: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg139845.html -->
        <!-- CLIENT-CERT uses a client's AND server's certificates.  See: http://monduke.com/2006/01/19/the-mysterious-client-cert/ -->
        <auth-method>
                CLIENT-CERT
        </auth-method>     
</login-config>
<security-role>
    <description>All authenticated users</description>
    <role-name>ALL_AUTHENTICATED</role-name>
</security-role>

In security there are two things, authentication and authorization.

Authentication: the act of verifying that a user is a subject and granting the user certain principals; "who you are."

Authorization: the act of verifying that a user is allowed to access a certain resource; "what you may do."

<auth-method> tells how to authenticate a user, or how to ask who you are. If a user does not have a client certificate, he is an unauthenticated user. It does not tell what the user can do.

However, <auth-constraint> is what you may do. If you put an <auth-constraint>, then only the roles mentioned in there can access the respective web resource. You could still have a user who is not authenticated but is authorized to access certain resources, if those resources are not constrained to certain roles.
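A small check that catches the gap the answer describes in a deployment descriptor: a <security-constraint> that carries a <transport-guarantee> but no <auth-constraint> (so any client that reaches an SSL port is authorized), and a <role-name> used in an <auth-constraint> that is never declared in a <security-role>. This is an added example, not code from the original question or answer. The two embedded web.xml documents are constructed, trimmed versions of the asker's original and the answer's corrected descriptor; the function and message wording are assumptions of this example, not JBoss or Tomcat behaviour. The container-side mapping of authenticated principals to Java EE roles lives outside web.xml and is not checked here.

```python
"""Lint a web.xml for security-constraint elements that protect transport but
not authorization, and for undeclared roles.  Added example; not from the post."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the asker's original descriptor, transport guarantee only.
ORIGINAL_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
</web-app>"""

# Constructed sample: the answer's corrected descriptor with auth-constraint and security-role.
FIXED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ALL_AUTHENTICATED</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <role-name>ALL_AUTHENTICATED</role-name>
  </security-role>
</web-app>"""


def _local(tag):
    """Strip an XML namespace prefix so '{ns}tag' and 'tag' compare equal."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def _text(elem):
    return (elem.text or "").strip()


def lint_web_xml(xml_text):
    """Return a list of finding strings for the given web.xml content."""
    root = ET.fromstring(xml_text)
    findings = []
    declared_roles = {_text(rn) for sr in _children(root, "security-role")
                      for rn in _children(sr, "role-name")}
    if not _children(root, "login-config"):
        findings.append("no login-config: the container has no way to authenticate anyone")
    for sc in _children(root, "security-constraint"):
        patterns = [_text(up) for wrc in _children(sc, "web-resource-collection")
                    for up in _children(wrc, "url-pattern")]
        label = ", ".join(patterns) or "<no url-pattern>"
        guarantees = [_text(tg) for udc in _children(sc, "user-data-constraint")
                      for tg in _children(udc, "transport-guarantee")]
        auth = _children(sc, "auth-constraint")
        if not auth:
            # No auth-constraint at all means no authorization restriction: the
            # transport guarantee only decides which port is acceptable.
            findings.append(f"{label}: transport-guarantee {', '.join(guarantees) or 'NONE'} "
                            "but no auth-constraint; unauthenticated clients are authorized")
            continue
        # An empty <auth-constraint/> denies everyone, which needs no finding.
        for ac in auth:
            for rn in _children(ac, "role-name"):
                role = _text(rn)
                # "*" (all declared roles) and "**" (any authenticated user) are
                # servlet-spec wildcards, not declared role names.
                if role not in ("*", "**") and role not in declared_roles:
                    findings.append(f"{label}: role {role!r} used in auth-constraint "
                                    "but not declared in a security-role")
    return findings


if __name__ == "__main__":
    # Pass a path to lint a real web.xml; otherwise run against the two samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"original": ORIGINAL_WEB_XML, "fixed": FIXED_WEB_XML}
    for name, text in samples.items():
        print(name, lint_web_xml(text) or "no findings")
```

Against the original sample it reports the single constraint on /* as transport-protected but lacking an auth-constraint, which is exactly why port <B> still served unauthenticated clients; against the corrected sample it reports nothing. The namespace-stripping helpers let the same check run on a Servlet 2.5+ descriptor that declares the Java EE namespace on <web-app>.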
