JSF 2.3 f:websocket 加密设置 [英] JSF 2.3 f:websocket encryption setting
问题描述
在我的 Web 应用程序中,加密不是由应用程序服务器进行的,而是由反向代理进行的.我想保持这种状态.相关技术栈如下:
In my web application, the encryption is not made by the application server, but by the reverse proxy. I'd like to keep it that way. The relevant technology stack is the following:
- 应用服务器:payara 5.181 full
- Java EE 8/JSF 2.3;莫哈拉 2.4.0-m01.payara-p5
由于代理加密,应用服务器被配置为不在 web.xml 中使用加密:
Due to the proxy encryption, the appserver is configured to not use encryption within the web.xml:
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
现在,websocket 连接无法与主动代理一起使用,因为它是由客户端以非加密方式 (ws://...) 建立的.当内容已经在 https 中传送时,这会被浏览器阻止.
Now, the websocket connection fails to work with active proxy, because it is beeing established in non-encrypted way (ws://...) by the client. This is blocked by the browser when the content is delivered already in https.
在我的理解中,浏览器和应用程序服务器的行为似乎都是正确的.虽然浏览器避免降级,但 websocket 规范的第 8.3 节传输保证"指出:
In my understanding, both the behaviour of the browser and the appserver seems correct. While the browser avoids downgrading, section 8.3 "Transport Guarantee" of the websocket specification states:
NONE 的传输保证必须被容器解释为允许未加密的 ws://连接到 websocket [WSC-8.3-1]
A transport guarantee of NONE must be interpreted by the container as allowing unencrypted ws:// connections to the websocket [WSC-8.3-1]
有没有办法对 f:websocket 强制加密(使用 wss://),尽管在应用服务器上使用传输保证 NONE?或者有其他设置或更好的方法吗?
Is there a way to force encryption (the use of wss://) for the f:websocket, although using transport guarantee NONE on the app server? Or is there another setting or better approach for this?
目前,我找不到一种方法来适应 f:websocket 的行为,不得不切换回使用与经典 websocket 服务器端点相结合的普通 javascript websocket.
For the moment, I could not find a way to adapt the behaviour of f:websocket and had to switch back to the use of plain javascript websocket in combination with classic websocket serverendpoint.
推荐答案
有没有办法对 f:websocket 强制加密(使用 wss://),尽管在应用服务器上使用传输保证 NONE?
Is there a way to force encryption (the use of wss://) for the f:websocket, although using transport guarantee NONE on the app server?
websocket URL 是通过 ExternalContext#encodeWebsocketURL().在 JSF 中,一切都可以通过工厂进行装饰甚至替换,ExternalContext 也是如此.
The websocket URL is encoded via ExternalContext#encodeWebsocketURL(). As usual in JSF, pretty everything can be decorated or even replaced via factories, so also the ExternalContext.
下面是一个启动示例,它盲目地将 websocket URL 中的 ws:// 替换为 wss://.
Below is a kickoff example which blindly replaces ws:// in websocket URL to wss://.
public class CustomExternalContext extends ExternalContextWrapper {
public CustomExternalContext(ExternalContext wrapped) {
super(wrapped);
}
@Override
public String encodeWebsocketURL(String url) {
return super.encodeWebsocketURL(url).replaceFirst("ws://", "wss://");
}
public static class Factory extends ExternalContextFactory {
public Factory(ExternalContextFactory wrapped) {
super(wrapped);
}
@Override
public ExternalContext getExternalContext(Object context, Object request, Object response) throws FacesException {
return new CustomExternalContext(getWrapped().getExternalContext(context, request, response));
}
}
}
为了让它运行,在faces-config.xml中注册如下:
In order to get it to run, register it as below in faces-config.xml:
<factory>
<external-context-factory>com.example.CustomExternalContext$Factory</external-context-factory>
</factory>
这篇关于JSF 2.3 f:websocket 加密设置的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
