
How can we Enable HSTS(HTTP Strict-Transport-Security) in weblogic server

I want to redirect HTTP requests to HTTPS for my website. I have already obtained an SSL certificate, but there may still be a chance of bypassing my application's encryption: even with the certificate installed, my application is not able to prevent access over an unsecured connection.

Unfortunately there is no easy way to enable this in WebLogic (easy in the form of a simple checkbox).

Your best option is probably to add your own filter to add the HSTS header. Have a look at this answer on how to do that: https://stackoverflow.com/a/30455120/1391209

Here is the relevant answer text for easier reference (and in case that answer gets deleted):

You can add it using a filter. Add the following snippet to web.xml:

<filter>
    <filter-name>HSTSFilter</filter-name>
    <filter-class>security.HSTSFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>HSTSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

And then create a filter in your webapp:

package security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class HSTSFilter implements Filter {

    // init() and destroy() are abstract in Servlet 3.x (what WebLogic 12.x ships),
    // so they must be implemented even if they do nothing.
    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse res,
        FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;

        // Browsers only honour HSTS received over TLS, so the header is
        // set only on responses to secure requests (366 days, all subdomains).
        if (req.isSecure())
            resp.setHeader("Strict-Transport-Security", "max-age=31622400; includeSubDomains");

        chain.doFilter(req, resp);
    }

    public void destroy() {
    }
}
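The filter above only adds the header; the question also asks to send plain-HTTP clients to HTTPS. The following filter is an added example written for this page, not code from the linked answer or from WebLogic: it redirects any insecure request to the equivalent https:// URL and emits Strict-Transport-Security only on responses delivered over TLS, since RFC 6797 tells browsers to ignore the header on plain HTTP. The class name, the init-param names (hstsMaxAgeSeconds, hstsIncludeSubDomains) and their defaults are assumptions; adjust them to your deployment.

```java
package security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example filter: forces HTTPS and sets HSTS on TLS responses.
 * Map it to url-pattern /* in web.xml like the HSTSFilter above.
 */
public class HttpsEnforcingFilter implements Filter {

    // Hypothetical init-param names, read from the <filter> element in web.xml.
    private static final String PARAM_MAX_AGE = "hstsMaxAgeSeconds";
    private static final String PARAM_INCLUDE_SUBDOMAINS = "hstsIncludeSubDomains";

    private String hstsHeaderValue;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String maxAge = config.getInitParameter(PARAM_MAX_AGE);
        if (maxAge == null || maxAge.trim().isEmpty()) {
            maxAge = "31536000"; // default: one year, the commonly recommended minimum
        }
        // includeSubDomains is on unless explicitly set to "false"
        boolean includeSubDomains =
            !"false".equalsIgnoreCase(config.getInitParameter(PARAM_INCLUDE_SUBDOMAINS));

        StringBuilder value = new StringBuilder("max-age=").append(Long.parseLong(maxAge.trim()));
        if (includeSubDomains) {
            value.append("; includeSubDomains");
        }
        this.hstsHeaderValue = value.toString();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // Plain HTTP: serve nothing, send the client to the HTTPS URL instead.
            // 301 lets browsers cache the redirect until HSTS takes over.
            StringBuilder target = new StringBuilder("https://")
                .append(request.getServerName())   // from the Host header; see usage note
                .append(request.getRequestURI());  // a non-default HTTPS port would go before the URI
            if (request.getQueryString() != null) {
                target.append('?').append(request.getQueryString());
            }
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", target.toString());
            return;
        }

        // Secure request: announce the policy, then continue the chain.
        response.setHeader("Strict-Transport-Security", hstsHeaderValue);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }
}
```

Two caveats for a deployment. First, if TLS terminates at a load balancer or reverse proxy in front of WebLogic, `request.isSecure()` is false for every request and this filter redirects in a loop; the server has to be told to trust the proxy's indication of the original scheme (for WebLogic behind its web server plug-in, that is the "WebLogic Plug-In Enabled" setting together with the plug-in's WL-Proxy-SSL header) or the check has to be made on that header instead. Second, `getServerName()` is derived from the client-supplied Host header, so if the application must only be reachable under known names, compare the value against that list before building the redirect target.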

Use this code in your web.config:

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000"/>
        </customHeaders>
    </httpProtocol>
</system.webServer>

Use the -Dweblogic.http.headers.enableHSTS=true JVM system property for Oracle WebLogic Server 12.2.1.4 or more recent versions. Older patch sets/releases with the October 2019 patch set update applied also have this functionality backported.
