Servlet过滤器不适用于容器管理的登录页面 [英] Servlet filter not applying to container managed login page
问题描述
我正在使用过滤器
在我的所有页面中插入反点击劫持标头 - 这是正常的,除了JBoss EAP 6.3容器管理登录页面,这是有一个比较重要的页面。
I'm using a Filter
to insert anti-clickjacking headers in all my pages - this works correctly, except on the JBoss EAP 6.3 container managed login page, which is one of the more important pages to have it.
根据 http:http: //本地主机/应用/
。我尝试过滤映射包含
The filter is not called at all with the login page, which is served off of http://localhost/Application/
. Filter mappings I've tried include
<filter>
<filter-name>InsertXFrameOptions</filter-name>
<filter-class>com.filter.InsertXFrameOptionsFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>InsertXFrameOptions</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>InsertXFrameOptions</filter-name>
<url-pattern>*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>InsertXFrameOptions</filter-name>
<url-pattern>/</url-pattern>
</filter-mapping>
完全没有运气 - 如何映射过滤器以使其适用于容器管理登录页面?
No luck at all though - how do you map a filter so it applies to the container managed login page?
推荐答案
过滤器不会启用 j_security_check
请求。在Web应用程序的过滤器被命中之前,它们由容器在内部处理。所以你需要前往一个特定于容器的解决方案来挂钩请求/响应。
Filters don't kick in on j_security_check
requests. They are handled internally by the container before the web application's filters are hit. So you need to head to a container-specific solution to hook on the request/response.
JBoss 6.x / 7.x(以及所有其他基于Tomcat的容器)为此提供阀门。基本上,用 Valve
替换你的过滤器
哪个如下所示:
JBoss 6.x/7.x (and all other Tomcat based containers) offer Valves for this. Basically, replace your Filter
by a Valve
which looks like below:
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
public class InsertXFrameOptionsValve extends ValveBase {
@Override
public void invoke(Request request, Response response) throws IOException, ServletException {
response.addHeader("X-Frame-Options", "SAMEORIGIN");
getNext().invoke(request, response);
}
}
为了让它运行,在<$ c注册 $ c> jboss-web.xml 如下所示:
In order to get it to run, register it in jboss-web.xml
like below:
<valve>
<class-name>com.example.InsertXFrameOptionsValve</class-name>
</valve>
这篇关于Servlet过滤器不适用于容器管理的登录页面的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!