当前位置:theitroad>Java 给Tomcat添加HSTS功能

Java 给Tomcat添加HSTS功能

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/27541755/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-08-11 04:33:55  来源:igfitidea点击:

Add HSTS feature to Tomcat

javaspringsecuritytomcathsts

提问by epiziv

Trust you all well.

相信你们都很好。

My web application run on tomcat 6.0.43 and do not use apache or nginx at front.

我的 Web 应用程序在 tomcat 6.0.43 上运行,并且在前面不使用 apache 或 nginx。

I'm already enforce my web from http redirect to https using:

我已经使用以下命令强制我的网络从 http 重定向到 https:

  1. URL Redirect at ../webapps/ROOT/index.jsp
  1. URL 重定向在 ../webapps/ROOT/index.jsp

<% response.sendRedirect("https://www.epi.com.my/portal/"); %>

<% response.sendRedirect("https://www.epi.com.my/portal/"); %>

  1. ../webapps/myapp/WEB-INF/web.xml
  1. ../webapps/myapp/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
  <web-resource-name>Protected Context</web-resource-name>
     <url-pattern>/*</url-pattern>
 </web-resource-collection>
 <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint></security-constraint>

<security-constraint>
<web-resource-collection>
  <web-resource-name>Protected Context</web-resource-name>
     <url-pattern>/*</url-pattern>
 </web-resource-collection>
 <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint></security-constraint>

Where to add such code below

下面在哪里添加这样的代码

Header add Strict-Transport-Security "max-age=15768000"

标题添加 Strict-Transport-Security "max-age=15768000"

OR Is tomcat did not have this feature? Or I need to modify in every my java web app controller.

OR 难道tomcat没有这个功能?或者我需要在我的每个 Java Web 应用程序控制器中进行修改。

采纳答案by Severe

You can add it using a filter. Add the following snippet to web.xml:

您可以使用过滤器添加它。将以下代码段添加到 web.xml:

<filter>
    <filter-name>HSTSFilter</filter-name>
    <filter-class>security.HSTSFilter</filter-class>
</filter>

And then create a filter in your webapp:

然后在你的 webapp 中创建一个过滤器:

package security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class HSTSFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res,
        FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;

        if (req.isSecure())
            resp.setHeader("Strict-Transport-Security", "max-age=31622400; includeSubDomains");

        chain.doFilter(req, resp);
    }
}

Its also possible to add the filter using the global web.xml (conf/web.xml).

也可以使用全局 web.xml (conf/web.xml) 添加过滤器。

回答by Christopher Schultz

Use url-rewrite.

使用url-rewrite

  1. Create a url-rewrite config file and put it into your web application's WEB-INF/classesdirectory
  2. Add a rule that adds that header to all requests
  1. 创建一个 url-rewrite 配置文件并将其放入您的 Web 应用程序的WEB-INF/classes目录中
  2. 添加一个将该标头添加到所有请求的规则

Note that this is not HSTS-specific: you can do anything you want with url-rewrite.

请注意,这不是特定于 HSTS 的:您可以使用 url-rewrite 做任何您想做的事情。

回答by mystygage

If you are able to use Tomcat 7 or 8, you can activate the built in HSTS filter. Uncomment httpHeaderSecurityfilter definition in tomcat/conf/web.xml

如果您能够使用 Tomcat 7 或 8,则可以激活内置的 HSTS 过滤器。取消注释httpHeaderSecurity过滤器定义tomcat/conf/web.xml

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
</filter>

and add a useful max age param:

并添加一个有用的最大年龄参数:

<init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
</init-param>

Don't forget to uncomment filter mapping:

不要忘记取消注释过滤器映射:

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

回答by faizan9689

  1. just add this code in jsp under jsp scriptlet tags

    <%
    response.setHeader("Strict-Transport-Security" ,"max-age=7776000" );
%>

  1. 只需在jsp scriptlet标签下的jsp中添加此代码

    <%
    response.setHeader("Strict-Transport-Security" ,"max-age=7776000" );
%>

OR

或者

  1. Also can be add to server if JBoss then add below tags in web.xml of application

    <system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>

    for <system.webServer>You have to add xmlnsi other wise it will throw Parsing exception

  1. 如果 JBoss 然后在应用程序的 web.xml 中添加以下标签,也可以添加到服务器

    <system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>

    因为<system.webServer>你必须添加 xmlnsi 否则它会抛出解析异常

OR

或者

  1. You can do one thing: create a filter in your application and configure that application in web.xml
  1. 您可以做一件事:在您的应用程序中创建一个过滤器并在 web.xml 中配置该应用程序

相关推荐

从 java.util.Date 获取年份

从 java.util.Date 获取年份

将excel的特定列读入java程序

将excel的特定列读入java程序

为什么我仍然无法找到 Java SE 运行时环境?

为什么我仍然无法找到 Java SE 运行时环境?

Java 如何将客户端 pkcs12 证书添加到 Postman Chrome, W7 ?

Java 如何将客户端 pkcs12 证书添加到 Postman Chrome, W7 ?

相关推荐
最近更新
标签