Tomcat - 我可以强迫NON https吗？ [英] Tomcat - can i force NON https?

问题描述

我在tomcat中部署了一个Web应用程序。除了索引页面和其他一些页面之外，应用程序中的几乎所有页面都需要HTTPS。当我访问任何需要HTTPS的页面时，浏览器总是使用HTTPS。当我访问不需要HTTPS的页面时，浏览器有时会使用HTTP，有时使用HTTPS，这主要取决于原点。
我的问题是我是否可以强制浏览器对那些不需要加密的页面使用HTTP（没有s）。

I have a web app deployed in tomcat. Almost all pages in the app require HTTPS except for the index page and some others. When I acces any page that requirest HTTPS, the browser always uses HTTPS. When I access a page that do not require HTTPS the browser sometimes use HTTP and sometimes HTTPS, mostly depending on the origin. My question is if I can force the browser to use HTTP (without the s) for those pages that do not require encryption.

这是我的web.xml中决定哪些资源需要加密的部分。

Here is the part of my web.xml that decides what resources requires encryption.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Open</web-resource-name>
        <url-pattern>/</url-pattern>
        <url-pattern>/contact</url-pattern>
        <url-pattern>/robots.txt</url-pattern>
        <url-pattern>/sitemap.xml</url-pattern>
    </web-resource-collection>

    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

推荐答案

使用Tomcat配置，没有。

With Tomcat configuration, no.

您有多种选择：

1. 编写过滤器以将这些页面重定向到HTTP
   当请求到达过滤器时，您也可以为其提供服务。重定向到HTTP将导致用户的响应时间变慢。

1. Write a filter to redirect those pages to HTTP By the time the request has reached the filter you may as well serve it. Redirecting to HTTP will result in slower response times for your users.

您可以使用绝对HTTP链接替换不需要HTTPS的页面的链接。这可能是很多工作，您需要小心这样做，以便在您更改Web应用程序的上下文路径时链接不会中断。如果您的服务器位于反向代理之后，它也可能会变得混乱。

You could replace the links to the pages that do not require HTTPS with absolute HTTP links. This might be a lot of work and you need to be careful to do it in such a way that the links don't break if you change your web application's context path. It could also get messy if your server is behind a reverse proxy.

与它一起生活。

就个人而言，我会选择3。

Personally, I'd go for option 3.

这篇关于Tomcat - 我可以强迫NON https吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！