Tomcat 的安全约束配置是强制性的吗? [英] Is security-constraint configuration for Tomcat mandatory?
问题描述
为了在Tomcat下做SSL配置测试,这都是必须的吗?
In order to do an SSL Configuration testing under Tomcat, is this all mandatory?
下面这行摘自 网站:
为了在我们的测试中做到这一点,将任何已经成功部署在 Tomcat 中的应用程序首先通过 http 和 https 访问它,看看它是否工作正常.如果是,则打开该应用程序的 web.xml 并在 web-app 结束之前添加此 XML 片段,即 </web-app>:
In order to do this for our test, take any application which has already been deployed successfully in Tomcat and first access it through http and https to see if it works fine. If yes, then open the web.xml of that application and just add this XML fragment before web-app ends i.e
</web-app>:
<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
这个配置是否必须在 web.xml 文件中进行??
Is this configuration is mandatory to do inside a web.xml file ??
推荐答案
不,没有必要.这意味着您的网络应用仅可通过 HTTPS 使用(不能通过 HTTP 使用).
No, it's not necessary. It means that your web application only available through HTTPS (and not available through HTTP).
如果您省略 web.xml 包含 <transport-guarantee>CONFIDENTIAL</transport-guarantee> 如果您尝试使用 HTTP,Tomcat 会自动将请求重定向到 SSL 端口.
If you omit the <transport-guarantee>CONFIDENTIAL</transport-guarantee> tag (or the whole <security-constraint>) your application will be available through both HTTP and HTTPS. If your web.xml contains <transport-guarantee>CONFIDENTIAL</transport-guarantee> Tomcat automatically redirects the requests to the SSL port if you try to use HTTP.
请注意Tomcat默认配置没有启用SSL连接器,您必须手动启用它.查看SSL 配置方法了解详情.
Please note that the default Tomcat configuration does not enable the SSL connector, you have to enable it manually. Check the SSL Configuration HOW-TO for the details.
这篇关于Tomcat 的安全约束配置是强制性的吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
