Using webapp's web.xml to redirect to SSL for login page

Question

I have a web app running on Tomcat 7, and I've successfully gotten SSL and form-based authentication to work by using https and the appropriate port directly. However, I'd like to require SSL for the login page and can't seem to get this to work if I navigate to the root of my web app. E.g. if I go to http://localhost:8080/ProjectManagementSystem/login.html it redirects to SSL, but not if I go to http://localhost:8080/ProjectManagementSystem. The latter does redirect to the login page but doesn't change to SSL.

Is this possible without moving the login page to its own directory (as in this question)?

The relevant pieces from web.xml are:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>PMS</web-resource-name>
        <url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ProjectManagementSystem</realm-name>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
    </form-login-config>
</login-config>

I've tried a number of different configurations (e.g. adding additional url-patterns like /) but can't get anything to redirect when I go to the web-app's root. I'd really appreciate knowing if this is impossible or if I'm just doing something wrong. Thanks.

ETA: I actually went ahead and tried moving login.html to login/login.html and changing it to <url-pattern>/login/*</url-pattern> and it still doesn't work. So I think I must be doing something wrong, but I can't for the life of me figure out what.

ETA2: I also tried <url-pattern>/*</url-pattern> and <url-pattern>*</url-pattern> and <url-pattern>*.html</url-pattern> and none of these worked either...

ETA3: I tried changing the web-resource-name as well, in case it was conflicting with another part of the web.xml, but that still didn't work. I'm about out of ideas.

Recommended answer

I got this to work in JBOSS 7.1.1 as follows:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>*</web-resource-name>
        <url-pattern>/logon.jsp</url-pattern>
        <url-pattern>/logonReconnect.jsp</url-pattern>
        <url-pattern>/logoff.do</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

E.g. there were 3 pages allowing logon; together with SSL configuration in standalone.xml, this forces SSL for the log on pages and session but does not place a constraint on other content. This was to address a kind of bizarre problem in IE8 and earlier where active content (hotspots) was disabled if we placed the constraint on all content.
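
An added example (not from the question or the answer, and not Tomcat's or JBoss's own code): a small Python check that reads a web.xml and reports which request paths fall under a CONFIDENTIAL transport guarantee, using a simplified model of servlet URL-pattern matching (exact, path prefix, extension, default). The sample web.xml is constructed from the question's constraint, the function names are hypothetical, and http-method elements are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's security-constraint wrapped in a root element.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>PMS</web-resource-name>
      <url-pattern>/login.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace, if the file declares one

def load_guarantees(xml_text):
    """Map each url-pattern to the transport guarantees declared for it."""
    table = {}
    for sc in ET.fromstring(xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        tg = [(e.text or "").strip() for e in sc.iter() if local(e.tag) == "transport-guarantee"]
        for e in sc.iter():
            if local(e.tag) == "url-pattern":
                table.setdefault((e.text or "").strip(), []).append(tg[0] if tg else "NONE")
    return table

def rank(pattern, path):
    """Match rank of pattern for path (higher wins); None when it does not match."""
    if pattern == path:
        return (3, len(pattern))                     # exact match
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))                     # longest path prefix wins
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)                                # extension match
    return (0, 0) if pattern == "/" else None        # default mapping

def requires_tls(table, path):
    """True when every constraint on the best-matching pattern demands a protected transport."""
    matches = [(rank(p, path), p) for p in table if rank(p, path) is not None]
    if not matches:
        return False                                 # no constraint covers this path
    best = max(matches)[1]
    return all(g in ("CONFIDENTIAL", "INTEGRAL") for g in table[best])

if __name__ == "__main__":
    for path in ("/", "/login.html", "/error.html"):  # paths relative to the context root
        print(path, requires_tls(load_guarantees(WEB_XML), path))
```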
