Java: changes to the JBoss web.xml have no effect
I just added this to web.xml on the JBoss server, but it has no effect. I can still connect on the port that does not use mutual certificate exchange. Does anyone have an idea?
<!-- Force SSL for entire site as described here: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<security-constraint>
    <!-- defines resources to be protected (in this case everything) -->
    <web-resource-collection>
        <!-- name for the resource, can be anything you like -->
        <!-- Question: is this referenced anywhere else? -->
        <web-resource-name>Entire Application</web-resource-name>
        <!-- protect the entire application -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- defines protection level for protected resource -->
    <user-data-constraint>
        <!-- data cannot be observed or changed -->
        <!-- how it works in tomcat: -->
        <!-- if (set to integral or confidential && not using ssl) -->
        <!-- redirect sent to client, redirecting them to same url -->
        <!-- but using the port defined in the redirect port -->
        <!-- attribute in the <Connector> element of server.xml -->
        <!-- default is 443, so in other words user is redirected -->
        <!-- to same page using ssl. -->
        <!-- BUT it is different for JBOSS!! See this link: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <!-- Client-side SSL certificate based authentication. The cert is passed to the server to authenticate -->
    <!-- I am pretty sure that CLIENT-CERT should have a dash NOT an underscore see: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg139845.html -->
    <!-- CLIENT-CERT uses a client's AND server's certificates. See: http://monduke.com/2006/01/19/the-mysterious-client-cert/ -->
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
Did you reload the web application after the change? I assume port … is HTTP, and since you have configured CONFIDENTIAL, port … is blocked. Port … uses SSL, which satisfies the confidentiality requirement, so it is not blocked.
Some elements are missing from the web.xml configuration. Your web resource does not have any authorization constraint, so when you access it from port … you still have access to the resource even though you are not authenticated, because you have not placed any authorization constraint on the resource. You need to have … containing the list of … that can access this application, and … should have ….

Updated copy of the above web.xml:
<!-- Force SSL for entire site as described here: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
<security-constraint>
    <!-- defines resources to be protected (in this case everything) -->
    <web-resource-collection>
        <!-- name for the resource, can be anything you like -->
        <!-- Question: is this referenced anywhere else? -->
        <web-resource-name>Entire Application</web-resource-name>
        <!-- protect the entire application -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Authorized Roles</description>
        <role-name>ALL_AUTHENTICATED</role-name>
    </auth-constraint>
    <!-- defines protection level for protected resource -->
    <user-data-constraint>
        <!-- data cannot be observed or changed -->
        <!-- how it works in tomcat: -->
        <!-- if (set to integral or confidential && not using ssl) -->
        <!-- redirect sent to client, redirecting them to same url -->
        <!-- but using the port defined in the redirect port -->
        <!-- attribute in the <Connector> element of server.xml -->
        <!-- default is 443, so in other words user is redirected -->
        <!-- to same page using ssl. -->
        <!-- BUT it is different for JBOSS!! See this link: http://wiki.metawerx.net/wiki/ForcingSSLForSectionsOfYourWebsite -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <!-- Client-side SSL certificate based authentication. The cert is passed to the server to authenticate -->
    <!-- I am pretty sure that CLIENT-CERT should have a dash NOT an underscore see: http://www.mail-archive.com/tomcat-user@jakarta.apache.org/msg139845.html -->
    <!-- CLIENT-CERT uses a client's AND server's certificates. See: http://monduke.com/2006/01/19/the-mysterious-client-cert/ -->
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
    <description>All authenticated users</description>
    <role-name>ALL_AUTHENTICATED</role-name>
</security-role>
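As an added illustration (this is not code from the question or from any answer on the page), the following Python script parses a web.xml and reports the gap this answer describes: a security-constraint that enforces CONFIDENTIAL transport but carries no auth-constraint, so CLIENT-CERT is configured yet never actually demanded of the client. The two embedded descriptors are constructed from the original and updated fragments above (comments removed and wrapped in a web-app root so they parse); the default-namespace handling and the check that every role used in an auth-constraint is declared in a security-role go beyond the page's single case and are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the asker's original fragment, comments removed and
# wrapped in <web-app> so that it parses as a complete document.
ORIGINAL_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
</web-app>"""

# Constructed sample: the updated copy from the answer, carrying the Java EE
# default namespace that a real deployment descriptor usually declares.
UPDATED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ALL_AUTHENTICATED</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <role-name>ALL_AUTHENTICATED</role-name>
  </security-role>
</web-app>"""


def _local(tag):
    """Local element name without the '{namespace}' prefix ElementTree adds."""
    return tag.rsplit("}", 1)[-1]


def _find(el, name):
    """All descendants of el whose local name is `name`, in document order."""
    return [d for d in el.iter() if _local(d.tag) == name]


def _text(el):
    return (el.text or "").strip()


def audit_web_xml(xml_text):
    """Return a list of (code, message) findings; an empty list means no gap found.

    Codes: NO_TLS, NO_AUTH_CONSTRAINT, EMPTY_AUTH_CONSTRAINT, UNDECLARED_ROLE,
    CLIENT_CERT_NEVER_REQUIRED.
    """
    root = ET.fromstring(xml_text)
    findings = []
    declared = {_text(r) for sr in _find(root, "security-role") for r in _find(sr, "role-name")}
    methods = {_text(m) for m in _find(root, "auth-method")}
    access_restricted = False  # does any constraint actually limit who gets in?

    for sc in _find(root, "security-constraint"):
        label = ", ".join(_text(n) for n in _find(sc, "web-resource-name")) or "<unnamed>"
        patterns = [_text(p) for p in _find(sc, "url-pattern")]
        guarantees = {_text(g) for g in _find(sc, "transport-guarantee")}
        auth = _find(sc, "auth-constraint")

        # user-data-constraint only governs the transport (plain HTTP vs TLS) ...
        if not guarantees or guarantees == {"NONE"}:
            findings.append(("NO_TLS", f"'{label}' {patterns}: no CONFIDENTIAL/INTEGRAL "
                             "transport guarantee, resource is reachable over plain HTTP"))
        # ... while auth-constraint governs who may reach the resource at all.
        if not auth:
            findings.append(("NO_AUTH_CONSTRAINT", f"'{label}' {patterns}: no <auth-constraint>, "
                             "so unauthenticated clients are still served"))
            continue
        access_restricted = True
        roles = [_text(r) for a in auth for r in _find(a, "role-name")]
        if not roles:
            # Per the Servlet specification an empty <auth-constraint/> denies every caller.
            findings.append(("EMPTY_AUTH_CONSTRAINT", f"'{label}' {patterns}: empty "
                             "<auth-constraint> blocks all access"))
            continue
        for r in roles:
            if r != "*" and r not in declared:
                findings.append(("UNDECLARED_ROLE", f"'{label}': role '{r}' is used but has "
                                 "no <security-role> declaration"))

    if "CLIENT-CERT" in methods and not access_restricted:
        findings.append(("CLIENT_CERT_NEVER_REQUIRED", "login-config is CLIENT-CERT but no "
                         "constraint restricts access, so a client without a certificate is never challenged"))
    return findings


if __name__ == "__main__":
    for title, doc in (("original", ORIGINAL_WEB_XML), ("updated", UPDATED_WEB_XML)):
        print(f"== {title} ==")
        for code, msg in audit_web_xml(doc) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

Run against the original descriptor the audit reports NO_AUTH_CONSTRAINT and CLIENT_CERT_NEVER_REQUIRED, which is exactly the symptom in the question: TLS is forced, but nothing ever requires the caller to present a certificate. Against the updated descriptor it reports nothing. The same check can be pointed at any deployed web.xml to confirm that every protected url-pattern pairs a transport guarantee with an auth-constraint.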
There are two things in security: authentication and authorization.

Authentication: the act of verifying that a user is a principal and granting the user the behaviour of certain principals; "Who are you?"

Authorization: the act of verifying whether a user is allowed to access a particular resource; "What can you do?"

… tells how to authenticate the user, i.e. how to ask "who are you". If a user has no client certificate, then he is an unauthenticated user. It does not say what the user may do.

…, however, is what you may do. If you place …, then only the roles mentioned in it can access the corresponding web resource. You can still have users who are unauthenticated but have access to certain resources, provided those resources are not restricted by certificate roles.

Yes, I restarted it. Is that what you mean?

Yes. Did you also see the note on the page you linked to about JBoss ignoring the redirect? Isn't that the problem?

Although I have never set up client certificates before, your setup looks fine to me... Hmm, that may well be the problem... Investigating now. Trying to get snoop working to test which port it connects to, but I can't seem to get it working.

I assume port … is HTTP and you have configured CONFIDENTIAL, so port … is blocked; since port … uses SSL, it is not blocked. Also see my answer below about the further changes needed to block the port.

@Gladwin Burboz: wow, that pointer helped me a lot.

@60ft: you are welcome. Also, with the CONFIDENTIAL setting, if you try to access it via the HTTP port, some containers automatically redirect the browser to the HTTPS port URL.

Hey Gladwin, thanks for the feedback. My assumption was that if no roles are included, the auth method applies to all roles. Is that assumption incorrect?

> The container (JBoss) needs to be configured to map authenticated roles to Java EE roles

That is not quite correct. JBoss has never required role mapping; the whole business of role mapping has always been server-specific. It is true that (too) many servers require role mapping (even where none is needed at all), but JBoss is not one of them.