Jakarta ee Websphere:web.xml中的安全约束未强制执行
我正在尝试在我支持的非常旧的J2EE应用程序上启用SSL。该应用程序在WebSpehre 6.1中运行。我已经在运行应用程序的WAS配置文件中启用了应用程序安全性,但是下面的web.xml配置仍然允许用户使用HTTP或HTTPS访问站点 我尝试了几种不同的url模式,但似乎都不起作用:Jakarta ee Websphere:web.xml中的安全约束未强制执行,jakarta-ee,websphere,web.xml,Jakarta Ee,Websphere,Web.xml,我正在尝试在我支持的非常旧的J2EE应用程序上启用SSL。该应用程序在WebSpehre 6.1中运行。我已经在运行应用程序的WAS配置文件中启用了应用程序安全性,但是下面的web.xml配置仍然允许用户使用HTTP或HTTPS访问站点 我尝试了几种不同的url模式,但似乎都不起作用: /* /jsp/* /gatewayRMIWEB/* <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE web-app PUBLIC "-//S
/*
/jsp/*
/gatewayRMIWEB/*
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app id="WebApp">
<display-name>gatewayRMIWEB</display-name>
<filter>
<filter-name>LoginFilter</filter-name>
<display-name>LoginFilter</display-name>
<filter-class>com.dc.gateway.servlet.LoginFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>LoginFilter</filter-name>
<url-pattern>/jsp/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>GatewayClient</servlet-name>
<display-name>GatewayClient</display-name>
<servlet-class>com.dc.gateway.servlet.GatewayClient</servlet-class>
<init-param>
<param-name>log4j-init-file</param-name>
<param-value>/WEB-INF/logger.lcf</param-value>
</init-param>
</servlet>
<servlet>
<servlet-name>SecurityCheck</servlet-name>
<display-name>SecurityCheck</display-name>
<servlet-class>com.dc.gateway.servlet.SecurityCheck</servlet-class>
</servlet>
<servlet>
<servlet-name>Logoff</servlet-name>
<display-name>Logoff</display-name>
<servlet-class>com.dc.gateway.servlet.Logoff</servlet-class>
</servlet>
<servlet>
<servlet-name>Settings</servlet-name>
<display-name>Settings</display-name>
<servlet-class>com.dc.gateway.servlet.Settings</servlet-class>
</servlet>
<servlet>
<servlet-name>changepassword</servlet-name>
<display-name>changepassword</display-name>
<servlet-class>com.dc.gateway.servlet.changepassword</servlet-class>
</servlet>
<servlet>
<servlet-name>subdetailupdate</servlet-name>
<display-name>subdetailupdate</display-name>
<servlet-class>com.dc.gateway.servlet.subdetailupdate</servlet-class>
</servlet>
<servlet>
<servlet-name>subscriberdelete</servlet-name>
<display-name>subscriberdelete</display-name>
<servlet-class>com.dc.gateway.servlet.subscriberdelete</servlet-class>
</servlet>
<servlet>
<servlet-name>subscriberdetailedit</servlet-name>
<display-name>subscriberdetailedit</display-name>
<servlet-class>com.dc.gateway.servlet.subscriberdetailedit</servlet-class>
</servlet>
<servlet>
<servlet-name>subscriberedit</servlet-name>
<display-name>subscriberedit</display-name>
<servlet-class>com.dc.gateway.servlet.subscriberedit</servlet-class>
</servlet>
<servlet>
<servlet-name>subscribernew</servlet-name>
<display-name>subscribernew</display-name>
<servlet-class>com.dc.gateway.servlet.subscribernew</servlet-class>
</servlet>
<servlet>
<servlet-name>TrnlogPurge</servlet-name>
<display-name>TrnlogPurge</display-name>
<servlet-class>com.dc.gateway.servlet.TrnlogPurge</servlet-class>
</servlet>
<servlet>
<servlet-name>As400Pool</servlet-name>
<display-name>As400Pool</display-name>
<servlet-class>com.dc.gateway.servlet.As400Pool</servlet-class>
</servlet>
<servlet>
<servlet-name>Resubmit</servlet-name>
<display-name>Resubmit</display-name>
<servlet-class>com.dc.gateway.servlet.Resubmit</servlet-class>
</servlet>
<servlet>
<servlet-name>SearchPrepare</servlet-name>
<display-name>SearchPrepare</display-name>
<servlet-class>com.dc.gateway.servlet.SearchPrepare</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>GatewayClient</servlet-name>
<url-pattern>/GatewayClient</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>SecurityCheck</servlet-name>
<url-pattern>/SecurityCheck</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Logoff</servlet-name>
<url-pattern>/Logoff</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Settings</servlet-name>
<url-pattern>/Settings</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>changepassword</servlet-name>
<url-pattern>/changepassword</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>subdetailupdate</servlet-name>
<url-pattern>/subdetailupdate</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>subscriberdelete</servlet-name>
<url-pattern>/subscriberdelete</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>subscriberdetailedit</servlet-name>
<url-pattern>/subscriberdetailedit</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>subscriberedit</servlet-name>
<url-pattern>/subscriberedit</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>subscribernew</servlet-name>
<url-pattern>/subscribernew</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>TrnlogPurge</servlet-name>
<url-pattern>/TrnlogPurge</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>As400Pool</servlet-name>
<url-pattern>/As400Pool</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Resubmit</servlet-name>
<url-pattern>/Resubmit</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>SearchPrepare</servlet-name>
<url-pattern>/SearchPrepare</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>jsp/login.jsp</welcome-file>
</welcome-file-list>
<resource-ref id="ResourceRef_1084824065465">
<res-ref-name>jdbc/cg</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
<res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>
<env-entry>
<description>soft-coded datasource jndi name</description>
<env-entry-name>datasource-jndi-cms</env-entry-name>
<env-entry-value>jdbc/cg</env-entry-value>
<env-entry-type>java.lang.String</env-entry-type>
</env-entry>
<env-entry>
<description>soft-coded datasource jndi name</description>
<env-entry-name>datasource-jndi-erp</env-entry-name>
<env-entry-value>jdbc/erp</env-entry-value>
<env-entry-type>java.lang.String</env-entry-type>
</env-entry>
<security-constraint>
<display-name>gatewayRMIWEB</display-name>
<web-resource-collection>
<web-resource-name>allresources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
</web-app>
/*
/jsp/*
/网关网络/*
网关网络
逻辑过滤器
逻辑过滤器
com.dc.gateway.servlet.LoginFilter
逻辑过滤器
/jsp/*
网关客户端
网关客户端
com.dc.gateway.servlet.GatewayClient
log4j初始化文件
/WEB-INF/logger.lcf
安全检查
安全检查
com.dc.gateway.servlet.SecurityCheck
注销
注销
com.dc.gateway.servlet.Logoff
设置
设置
com.dc.gateway.servlet.Settings
更改密码
更改密码
com.dc.gateway.servlet.changepassword
子详细信息更新
子详细信息更新
com.dc.gateway.servlet.subdetailupdate
订阅删除
订阅删除
com.dc.gateway.servlet.subscriberdelete
订阅详细信息编辑
订阅详细信息编辑
com.dc.gateway.servlet.subscriberdetailedit
订阅编辑
订阅编辑
com.dc.gateway.servlet.subscriberedit
伯尔尼
伯尔尼
com.dc.gateway.servlet.subscribernew
TrnlogPurge
TrnlogPurge
com.dc.gateway.servlet.trnlogpuke
AS400游泳池
AS400游泳池
com.dc.gateway.servlet.As400Pool
重新提交
重新提交
com.dc.gateway.servlet.Resubmit
搜索准备
搜索准备
com.dc.gateway.servlet.SearchPrepare
网关客户端
/网关客户端
安全检查
/安全检查
注销
/注销
设置
/背景
更改密码
/更改密码
子详细信息更新
/子详细信息更新
订阅删除
/订阅删除
订阅详细信息编辑
/订阅详细信息编辑
订阅编辑
/订阅编辑
伯尔尼
/伯尔尼
TrnlogPurge
/TrnlogPurge
AS400游泳池
/AS400游泳池
重新提交
/重新提交
搜索准备
/搜索准备
jsp/login.jsp
jdbc/cg
javax.sql.DataSource
容器
可分享
软编码数据源jndi名称
数据源JNDICMS
jdbc/cg
java.lang.String
软编码数据源jndi名称
数据源jndi erp
jdbc/erp
java.lang.String
网关网络
所有资源
/*
保密的
<url-pattern>/*</url-pattern>
/*
<security-constraint>
<display-name>allApp</display-name>
<web-resource-collection>
<web-resource-name>allresources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
阿拉普
所有资源
/*
保密的
启用应用程序安全后是否重新启动了服务器?我相信我已尝试了这两种方法,但让我再试一次。应用程序安全已启用。我修改了web.xml,在安全约束中包括一个显示名,以及url模式。该应用程序仍然允许http访问这些页面。我一定错过了什么,但是什么?@MichaelSobczak这看起来好像被忽略了。。。您可以尝试添加并查看是否会提示您进行授权。只是为了确保安全性得到加强。或者启用安全跟踪。@MichaelSobczak我已经在6.1.0.31上对其进行了测试,它按照设计工作,正确重定向到Https。请再试一次禁用管理和应用程序安全性,保存。停止/启动。确保禁用了安全性(如访问控制台)。可重新启用的管理和应用程序安全性。停止/启动。还要验证在istalledApps\cell\application\webmodule\web INF中是否正确更新了web.xml。解决方案要做三件事:更新web.xml,在控制台中启用应用程序安全性,以及为Apache web服务器安装和配置WebSphere插件。现在真是魅力四射!