Servlet filter not applying to container managed login page

Problem description

I'm using a Filter to insert anti-clickjacking headers in all my pages - this works correctly, except on the JBoss EAP 6.3 container managed login page, which is one of the more important pages to have it.

The filter is not called at all with the login page, which is served off of http://localhost/Application/. Filter mappings I've tried include

<filter>
    <filter-name>InsertXFrameOptions</filter-name>
    <filter-class>com.filter.InsertXFrameOptionsFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>InsertXFrameOptions</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>    
<filter-mapping>
    <filter-name>InsertXFrameOptions</filter-name>
    <url-pattern>*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>InsertXFrameOptions</filter-name>
    <url-pattern>/</url-pattern>
</filter-mapping>

No luck at all though - how do you map a filter so it applies to the container managed login page?

Recommended answer

Filters don't kick in on j_security_check requests. They are handled internally by the container before the web application's filters are hit. So you need to head to a container-specific solution to hook on the request/response.

JBoss 6.x/7.x (and all other Tomcat based containers) offer Valves for this. Basically, replace your Filter by a Valve which looks like below:

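package com.example;

import java.io.IOException;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class InsertXFrameOptionsValve extends ValveBase {

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        // Set the anti-clickjacking header before the request continues down the pipeline,
        // so container-handled responses such as the login page carry it too.
        response.addHeader("X-Frame-Options", "SAMEORIGIN");
        // Hand the request to the next valve in the chain.
        getNext().invoke(request, response);
    }

}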

In order to get it to run, register it in jboss-web.xml like below:

<valve>
    <class-name>com.example.InsertXFrameOptionsValve</class-name>
</valve>
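
To confirm that the Valve actually covers the container-managed login page, check the response head of that page (for instance as saved from `curl -sI`). The sketch below is an added example, not part of the original answer; the sample responses are constructed, the function names are hypothetical, and it goes slightly beyond the answer by also accepting a CSP `frame-ancestors` directive.

```python
# Constructed sample response heads (not captured from a real server), with the
# CRLF line endings seen on the wire and in saved `curl -sI` output.
LOGIN_NO_VALVE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=constructed; Path=/Application\r\n\r\n"
)
LOGIN_WITH_VALVE = (
    "HTTP/1.1 200 OK\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n\r\n"
)
LOGIN_WITH_CSP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n"
)
LOGIN_ALLOW_FROM = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.test\r\n\r\n"
)


def parse_headers(raw):
    """Return {lowercased-name: [values]} from a raw HTTP response head."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_protection(raw):
    """List the anti-framing mechanisms found in a response head."""
    headers = parse_headers(raw)
    found = []
    for value in headers.get("x-frame-options", []):
        # Only DENY and SAMEORIGIN count; ALLOW-FROM is obsolete.
        if value.upper() in ("DENY", "SAMEORIGIN"):
            found.append("X-Frame-Options: " + value.upper())
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                found.append("CSP " + " ".join(parts))
    return found
```

An empty list for the login page response means the page can still be framed, which is the state described in the question before the Valve is registered.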
