Java 向Tomcat添加HSTS特性
Tags: java, spring, security, tomcat, hsts

Hi all. My web application runs on Tomcat 6.0.43, with no Apache or nginx in front of it. I am already redirecting my web app from HTTP to HTTPS in the following way:

URL redirect to ../webapps/ROOT/index.jsp

../webapps/myapp/WEB-INF/web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Where in the above do I add code like this?

Header add Strict-Transport-Security "max-age=15768000"

Or does Tomcat not have this feature? Or do I need to change every controller in my Java web app, using the WEB-INF/classes directory?

Note that this is not HSTS-specific: you can do anything with URL rewriting.

You can add it using a filter. Add the following snippet to web.xml:
<filter>
  <filter-name>HSTSFilter</filter-name>
  <filter-class>security.HSTSFilter</filter-class>
</filter>
<!-- Without a mapping the filter is never invoked; apply it to every URL -->
<filter-mapping>
  <filter-name>HSTSFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
You can also add the filter through the global web.xml (conf/web.xml).

If you can use Tomcat 7 or 8, you can enable the built-in HttpHeaderSecurityFilter. In tomcat/conf/web.xml:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
</filter>
and add a useful max-age parameter:
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>31536000</param-value>
</init-param>
Don't forget to uncomment the filter mapping:
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
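The first answer registers a `security.HSTSFilter` class whose source is not on this page, and the Tomcat 7/8 answer relies on a filter that Tomcat 6 does not ship. The following is an added example of such a filter for Tomcat 6; it is my own code, not the answerer's class and not Tomcat's `HttpHeaderSecurityFilter`, although it applies the same rule that filter and RFC 6797 do: the header is only sent on responses to requests that arrived over TLS. The class name (kept as `security.HSTSFilter` so the web.xml from the first answer works unchanged) and the init-param names `maxAgeSeconds` and `includeSubDomains` are this example's own choices.

```java
package security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds Strict-Transport-Security to every response served over TLS.
 * Written against the Servlet 2.5 API with no Java 6+ syntax so it
 * runs unchanged on Tomcat 6 (which has no HttpHeaderSecurityFilter).
 * Class name and init-param names are this example's own choice.
 */
public class HSTSFilter implements Filter {

    /** Default when the maxAgeSeconds init-param is absent: one year. */
    private static final long DEFAULT_MAX_AGE_SECONDS = 31536000L;

    private String headerValue;

    public void init(FilterConfig config) throws ServletException {
        long maxAge = DEFAULT_MAX_AGE_SECONDS;
        String raw = config.getInitParameter("maxAgeSeconds");
        if (raw != null) {
            try {
                maxAge = Long.parseLong(raw.trim());
            } catch (NumberFormatException e) {
                throw new ServletException("maxAgeSeconds must be an integer, got: " + raw);
            }
        }
        if (maxAge < 0) {
            // RFC 6797 defines max-age as a non-negative integer. Fail at
            // startup rather than emit a header browsers will reject.
            throw new ServletException("maxAgeSeconds must not be negative: " + maxAge);
        }
        boolean subDomains = Boolean.parseBoolean(config.getInitParameter("includeSubDomains"));
        headerValue = buildHeaderValue(maxAge, subDomains);
    }

    /** Kept separate from the servlet API so it can be unit-tested without a container. */
    static String buildHeaderValue(long maxAgeSeconds, boolean includeSubDomains) {
        StringBuilder sb = new StringBuilder("max-age=").append(maxAgeSeconds);
        if (includeSubDomains) {
            sb.append("; includeSubDomains");
        }
        return sb.toString();
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only responses to requests that arrived over TLS get the header.
        // Browsers ignore HSTS received over plain HTTP (RFC 6797, section
        // 8.1), and Tomcat's own HttpHeaderSecurityFilter applies the same
        // isSecure() test. Plain-HTTP requests normally never reach this
        // filter anyway: the CONFIDENTIAL transport-guarantee redirect is
        // issued by Tomcat's authenticator valve before the filter chain runs.
        // Behind a TLS-terminating proxy, isSecure() is false unless the
        // connector is declared secure="true" or RemoteIpValve/RemoteIpFilter
        // translates X-Forwarded-Proto, so the header would silently vanish.
        if (request.isSecure() && response instanceof HttpServletResponse) {
            // setHeader, not addHeader: a page that sets the header itself
            // then overrides this one instead of producing two copies.
            ((HttpServletResponse) response).setHeader("Strict-Transport-Security", headerValue);
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Compile it into WEB-INF/classes/security/ and register it with the `<filter>` and `<filter-mapping>` from the first answer; to override the defaults add `<init-param>` entries named `maxAgeSeconds` and `includeSubDomains` to that `<filter>` element. Verify the result by requesting any page over https:// and checking for the `Strict-Transport-Security` response header, and by confirming that the plain-http:// request only returns the redirect without it.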
<%
response.setHeader("Strict-Transport-Security" ,"max-age=7776000" );
%>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Strict-Transport-Security" value="max-age=31536000"/>
</customHeaders>
</httpProtocol>
</system.webServer>
For this you must add the xmlns attribute, otherwise it throws a parse exception.

If faizan9689's solution still leaves the "missing HSTS header" check mark unresolved for the JSP files, use includeSubDomains: add the following setHeader call, which resolves that check mark.
<%
response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
%>
In the web.xml from the %TOMCAT_HOME%\conf folder:
<!-- ================== Built In Filter Definitions ===================== -->
<!-- A filter that sets various security related HTTP Response headers. -->
<!-- This filter supports the following initialization parameters -->
<!-- (default values are in square brackets): -->
<!-- -->
<!-- hstsEnabled Should the HTTP Strict Transport Security -->
<!-- (HSTS) header be added to the response? See -->
<!-- RFC 6797 for more information on HSTS. [true] -->
<!-- -->
<!-- hstsMaxAgeSeconds The max age value that should be used in the -->
<!-- HSTS header. Negative values will be treated -->
<!-- as zero. [0] -->
<!-- -->
<!-- hstsIncludeSubDomains -->
<!-- Should the includeSubDomains parameter be -->
<!-- included in the HSTS header. -->
<!-- -->
<!-- antiClickJackingEnabled -->
<!-- Should the anti click-jacking header -->
<!-- X-Frame-Options be added to every response? -->
<!-- [true] -->
<!-- -->
<!-- antiClickJackingOption -->
<!-- What value should be used for the header. Must -->
<!-- be one of DENY, SAMEORIGIN, ALLOW-FROM -->
<!-- (case-insensitive). [DENY] -->
<!-- -->
<!-- antiClickJackingUri IF ALLOW-FROM is used, what URI should be -->
<!-- allowed? [] -->
<!-- -->
<!-- blockContentTypeSniffingEnabled -->
<!-- Should the header that blocks content type -->
<!-- sniffing be added to every response? [true] -->
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>hstsEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>hstsMaxAgeSeconds</param-name>
<param-value>31536000</param-value>
</init-param>
<init-param>
<param-name>hstsIncludeSubDomains</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<!-- The mapping for the HTTP header security Filter -->
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
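To check that a conf/web.xml edit like the one above actually takes effect, here is an added audit, my own code rather than anything from Tomcat or from the answer, that parses a web.xml and reports whether the httpHeaderSecurity filter is defined, enabled, mapped to /*, and carries a usable max-age, using the defaults the quoted comments state (hstsEnabled true, hstsMaxAgeSeconds 0). It flags the two ways the setup on this page can fail silently: leaving max-age at its default of 0 (a header of max-age=0 tells browsers to drop any cached policy rather than enforce one) and leaving the filter-mapping commented out. The two web.xml strings in the block are constructed samples, not taken from a real server.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;

/** Audits a web.xml for an effective HttpHeaderSecurityFilter HSTS setup. */
public final class HstsWebXmlAudit {

    /** Findings for one web.xml. */
    public static final class Result {
        public final boolean filterDefined, hstsEnabled, includeSubDomains, mappedToAll;
        public final long maxAgeSeconds;

        Result(boolean d, boolean e, long m, boolean s, boolean p) {
            filterDefined = d; hstsEnabled = e; maxAgeSeconds = m; includeSubDomains = s; mappedToAll = p;
        }

        /** True only if browsers will actually receive a useful header on every URL. */
        public boolean effective(long minMaxAgeSeconds) {
            return filterDefined && hstsEnabled && mappedToAll && maxAgeSeconds >= minMaxAgeSeconds;
        }
    }

    private static final String FILTER =
        "/web-app/filter[normalize-space(filter-name)='httpHeaderSecurity']";
    private static final String MAPPING =
        "/web-app/filter-mapping[normalize-space(filter-name)='httpHeaderSecurity']"
        + "[normalize-space(url-pattern)='/*']";

    public static Result audit(String webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // XXE hardening: a web.xml never needs a DOCTYPE or external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Deliberately not namespace-aware, so the XPaths match whether or not
        // <web-app> carries the Java EE xmlns declaration.
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(webXml.getBytes(StandardCharsets.UTF_8)));
        XPath xp = XPathFactory.newInstance().newXPath();

        boolean defined = count(xp, doc, FILTER) > 0;
        // Defaults are those stated in the conf/web.xml comments quoted above:
        // hstsEnabled [true], hstsMaxAgeSeconds [0], includeSubDomains off.
        boolean enabled = defined && !"false".equalsIgnoreCase(param(xp, doc, "hstsEnabled", "true"));
        // Tomcat treats a negative max-age as zero; a non-numeric value is left to throw.
        long maxAge = Math.max(0L, Long.parseLong(param(xp, doc, "hstsMaxAgeSeconds", "0")));
        boolean subs = "true".equalsIgnoreCase(param(xp, doc, "hstsIncludeSubDomains", "false"));
        boolean mapped = count(xp, doc, MAPPING) > 0;
        return new Result(defined, enabled, maxAge, subs, mapped);
    }

    private static double count(XPath xp, Document doc, String path) throws XPathExpressionException {
        return (Double) xp.evaluate("count(" + path + ")", doc, XPathConstants.NUMBER);
    }

    private static String param(XPath xp, Document doc, String name, String dflt)
            throws XPathExpressionException {
        String v = xp.evaluate(FILTER + "/init-param[normalize-space(param-name)='" + name
            + "']/param-value", doc);
        return v.trim().isEmpty() ? dflt : v.trim();
    }

    // ---- constructed samples for this example, not taken from a real server ----

    /** The filter as configured on this page: max-age one year, subdomains on, mapping active. */
    static final String ENABLED = "<web-app>"
        + "<filter><filter-name>httpHeaderSecurity</filter-name>"
        + "<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>"
        + "<init-param><param-name>hstsMaxAgeSeconds</param-name><param-value>31536000</param-value></init-param>"
        + "<init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>"
        + "</filter>"
        + "<filter-mapping><filter-name>httpHeaderSecurity</filter-name><url-pattern>/*</url-pattern></filter-mapping>"
        + "</web-app>";

    /** Definition uncommented, but no max-age set and the mapping still commented out. */
    static final String HALF_DONE = "<web-app>"
        + "<filter><filter-name>httpHeaderSecurity</filter-name>"
        + "<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class></filter>"
        + "<!-- <filter-mapping><filter-name>httpHeaderSecurity</filter-name>"
        + "<url-pattern>/*</url-pattern></filter-mapping> -->"
        + "</web-app>";

    public static void main(String[] args) throws Exception {
        long oneYear = 31536000L;
        Result good = audit(ENABLED);
        Result bad = audit(HALF_DONE);
        System.out.println("ENABLED effective:   " + good.effective(oneYear));
        System.out.println("HALF_DONE effective: " + bad.effective(oneYear)
            + " (mapped=" + bad.mappedToAll + ", maxAge=" + bad.maxAgeSeconds + ")");
    }
}
```

Point `audit` at the contents of your real conf/web.xml (or a webapp's WEB-INF/web.xml) instead of the constructed strings to run it against a deployment; the XPath expressions ignore the commented-out block that Tomcat ships, which is exactly why a half-finished edit shows up as not effective.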
I have just begun to understand it this way. It works on Tomcat 6.

Does activating the new filter require modifying the webapp?

I believe you need to use the ! operator in front of the if condition, as required.

I suggest upgrading Tomcat to simplify the solution. See @mystygage's answer for Tomcat 7 and 8.

Does activating HSTS require a restart of the Tomcat service?

The HSTS filter is built in. See the documentation for your Tomcat version.

Note the difference: my solution has one change. The "includeSubDomains" change above resolves some check marks.