We are trying to implement HTTPS for some pages in our application.So,we changed tomcat server.xml to make HTTPS calls as follows:
<Connector
port="8080"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
acceptCount="100"
maxKeepAliveRequests="15"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/webapps/test.bin"
keystorePass="test"/>
In application web.xml :
<security-constraint>
<web-resource-collection>
<web-resource-name>securedapp</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
So,HTTPS is applying for all pages.How to restrict HTTPS for desired pages.
Help would be appreciated.
Spring Security Interceptor have a parameter requires-channel
. Set this parameter to https
to enforce it for the url patterns that match the interceptor.
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.4.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
<security:http>
<security:intercept-url pattern="/login" access="permitAll"
requires-channel="https"/>
</security:http>
</bean>
Create the below class
public class RestHttpRequestFilter implements Filter {
public void destroy() {
}
public void doFilter(ServletRequest servletRequest,
ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException {
// if the ServletRequest is an instance of HttpServletRequest
if (servletRequest instanceof HttpServletRequest) {
HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
System.out.println(httpServletRequest.getRequestURL());
if (httpServletRequest.getRequestURL().toString().contains("/user/account")
&& servletRequest.getProtocol().contains("HTTP")) {
throw new ResourceNotFoundException(
"The url should be HTTPS");
}
filterChain.doFilter(httpServletRequest, servletResponse);
} else {
// otherwise, continue on in the chain with the ServletRequest and
// ServletResponse objects
filterChain.doFilter(servletRequest, servletResponse);
}
return;
}
public void init(FilterConfig filterConfig) throws ServletException {}
}
web.xml entry
<filter>
<filter-name>simpleFilter</filter-name>
<filter-class>RestHttpRequestFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>simpleFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
简单的解决方案是使用HttpFilter来检查协议和URL模式,并决定是将转发转发给应用程序还是抛出异常,导致用户看到错误页面。
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.