(HTTPS)-强制 SSL (HTTPS)Filter
汗,无知真可怕,Servlert规范中已经有自动跳转到保护页面(Http - Https)的方法了:
web.xml
<security-constraint>
<display-name>Test Auth</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern> <!-- 整站SSL -->
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<user-data-constraint>
<description>SSL required</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Basic 认证 + SSL
<security-constraint>
<display-name>Test Auth</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/auth/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>ADMIN</role-name>
<role-name>USER</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
回头想想前面的工作真可笑。
--------------------------
在Web工程中,如果使用HTTP Basic认证,或FORM认证,为了安全性,最好使用HTTPS的。
因此我们需要禁止HTTP访问,只能HTTPS访问。
如果大家感兴趣,可以研究下Spring Security(偶也不懂,貌似它能做到HTTPS与HTTP Session共享)。
先了解一下URL和URI在java.net.* 包中的用法和区别。详尽描述请参考Javadoc描述:
URLTest.java
package me.test;
import java.net.URI;
import java.net.URL;
public class URLTest {
public static void main(String[] args) throws Exception {
URL u1 = new URL(
"ftp://zhang3:123456@192.168.1.1:556/zhang.txt?k1=v1&k2=v2#aa");
System.out.println(u1.toString());
System.out.println(u1.toExternalForm());
System.out.println(u1.toURI());
URL u2 = new URL(
"https",
u1.getHost(),
8443,
u1.getFile());
// 以下三行的数据均为:
// https://192.168.1.1:8443/zhang.txt?k1=v1&k2=v2
System.out.println(u2.toString());
System.out.println(u2.toExternalForm());
System.out.println(u2.toURI());
System.out.println("----------------");
URI i1 = new URI(
"ftp://zhang3:123456@192.168.1.1:556/zhang.txt?k1=v1&k2=v2#aa");
URI i2 = new URI(
"https",
i1.getUserInfo(),
i1.getHost(),
8443,
i1.getPath(),
i1.getQuery(),
i1.getFragment());
// 以下两行均输出
// https://zhang3:123456@192.168.1.1:8443/zhang.txt?k1=v1&k2=v2#aa
System.out.println(i2.toURL());
System.out.println(i2.toString());
}
}
以下是偶的Filter:
ForceSSLFilter.java
/*
* @(#)ForceSSLFilter.java
*
* Copyright (c) 2011, Digital Yingtan Construction Committee.
*/
package me.test;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
/**
* 对某些路径强制使用SSL的Filter。
* 如果请求的URL不是 https,则会使其重定向到相应的https路径上。
*
* 注意:此Filter目前只能用于无状态的WebService等路径。因为https与http在Tomcat等
* Servlet容器中会使用不同的SESSION。
*
* @author 张亮亮 2011/05/26 新建
*/
public class ForceSSLFilter implements Filter {
/** 需要强制使用SSL的路径。 */
protected List<String> sslPaths = null;
/** 不需要强制使用SSL的路径。 */
protected List<String> noSslPaths = null;
/** SSL的端口。 */
protected int sslPort = 443;
/** 是否使用重定向。 */
protected boolean usingRedirect = true;
/**
* 获得初始值。
*
* @param fc 配置信息
*/
public void init(FilterConfig fc) throws ServletException {
// 参数:需要强制使用SSL的路径
String paths = fc.getInitParameter("sslPaths");
sslPaths = new ArrayList<String>();
if (StringUtils.isNotBlank(paths)) {
for (String regexStr : paths.split(",")) {
if (StringUtils.isNotBlank(regexStr)) {
sslPaths.add(regexStr.trim());
}
}
}
// 参数:不需要强制使用SSL的路径
paths = fc.getInitParameter("noSslPaths");
noSslPaths = new ArrayList<String>();
if (StringUtils.isNotBlank(paths)) {
for (String regexStr : paths.split(",")) {
if (StringUtils.isNotBlank(regexStr)) {
noSslPaths.add(regexStr.trim());
}
}
}
// 参数:SSL的端口
String port = fc.getInitParameter("sslPort");
if (StringUtils.isNotBlank(port)) {
sslPort = Integer.valueOf(port);
}
// 参数:是否使用重定向
String redirect = fc.getInitParameter("usingRedirect");
if (StringUtils.isNotBlank(redirect)) {
usingRedirect = Boolean.valueOf(redirect);
}
}
/**
*
*/
public void destroy() {
}
/**
*单点登录主要处理方法。
*
* @param req 请求
* @param resp 响应
* @param filterChain 响应链
*/
public void doFilter(ServletRequest req, ServletResponse resp,
FilterChain filterChain) throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) resp;
String servletPath = request.getServletPath();
// 不需要SSL?
boolean needFilter = true;
for (String regexStr : noSslPaths) {
if (Pattern.matches(regexStr, servletPath)) {
needFilter = false;
break;
}
}
if (needFilter && !request.isSecure()) {
// 是否需要强制SSL?
boolean needRedirect = false;
for (String regexStr : sslPaths) {
if (Pattern.matches(regexStr, servletPath)) {
needRedirect = true;
break;
}
}
// 进行跳转
if (needRedirect) {
if (usingRedirect) {
try {
URI reqUri = new URI(request.getRequestURL().toString());
URI newUri = new URI("https", reqUri.getUserInfo(),
reqUri.getHost(), sslPort, reqUri.getPath(),
reqUri.getQuery(), reqUri.getFragment());
response.sendRedirect(newUri.toString());
response.flushBuffer();
return;
} catch (URISyntaxException e) {
throw new RuntimeException("请求的URL格式不正确。", e);
}
} else {
response.sendError(403, "此URL必须使用HTTPS访问。");
return;
}
}
}
filterChain.doFilter(request, response);
}
}
web.xml中的配置
...
<filter>
<filter-name>forceSSLFilter</filter-name>
<filter-class>
me.test.ForceSSLFilter
</filter-class>
<init-param>
<param-name>sslPaths</param-name>
<param-value>/auth/.*</param-value>
</init-param>
<init-param>
<param-name>noSslPaths</param-name>
<param-value>/auth/1/.*</param-value>
</init-param>
<init-param>
<param-name>sslPort</param-name>
<param-value>8443</param-value>
</init-param>
<init-param>
<param-name>usingRedirect</param-name>
<param-value>false</param-value>
</init-param>
</filter>
...
不足:Basic认证优先被Servlet容器处理,所以,会造成以下情况;
1. 用户在使用http访问必须要https访问的路径时,被提示输入用户名,密码
2. 然后,显示错误信息(“403 此URL必须使用HTTPS访问” - 如果 web.xml 中usingRedirect为false
或者 跳转到https的访问路径上,但又被要求重新输入一次密码 )
