如何强制只用SSL打开一个页面？ [英] How to force only one page to open with SSL?

问题描述

在我的项目中，我使用的是SSL，但它适用于所有页面。我想将它仅用于登录页面，在该页面之后它应该恢复为HTTP协议。我怎样才能做到这一点？我在下面找到了一种方法，但它不起作用。

In my project, I am using SSL but it works for all pages.I want to use it for only a login page, after that page it should revert to HTTP protocol. How can i do that? I found a way below, but it does not work.

    <security-constraint>
    <web-resource-collection>
        <web-resource-name>Notify page, accessed internally by application</web-resource-name>
        <url-pattern>/Login.xhtml</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Site</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

我的项目是一个JSF 2.0项目，我正在使用Eclipse Helios和Tomcat 7.0。

My project is a JSF 2.0 project, I am using Eclipse Helios and Tomcat 7.0.

谢谢。

推荐答案

这是不可能的。当会话由HTTPS请求创建时，它不可用于HTTP请求。你最好的办法是在登录时自己创建一个非安全的cookie，并通过它来维护登录。

That's not possible. When the session is created by HTTPS request, then it is not available to HTTP requests. Your best bet is to create a non-secure cookie yourself during login and maintain the login by that instead.

Map<String, Object> properties = new HashMap<String, Object>();
properties.put("secure", false);
externalContext.addResponseCookie(name, value, properties);

但请再想一想，那么HTTPS登录的重点是什么？如果您在HTTPS之后返回HTTP并且希望保持用户登录，那么您需要将会话cookie设置为不安全。这样黑客仍然可以在cookie中嗅探会话ID以进行会话固定黑客攻击。通过HTTPS登录，您只能阻止黑客了解实际的用户名/密码，但是一旦黑客在cookie中找到会话ID，就不再有任何意义了。

But think once again about this, what's the point of the HTTPS login then? If you go back to HTTP after HTTPS and you want to keep the user logged-in, then you're required to set the session cookie unsecure. This way hackers will still be able to sniff the session ID in the cookie to do a session fixation hack. With login over HTTPS you only prevent that hackers learn about the actual username/password, but that has no point anymore once a hacker figures the session ID in the cookie.

I请说，忘记切换并在登录后始终坚持使用HTTPS。

I'd say, forget the switch and stick to HTTPS all the time after login.

这篇关于如何强制只用SSL打开一个页面？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！