首页

将 Web 中的安全约束列入白名单.xml

java tomcat web.xml struts2 security-constraint
2022-09-01 17:13:36

我正在使用Tomcat作为我的Struts2应用程序。具有某些条目,如下所示:web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
<security-constraint>
   <web-resource-collection>
       <web-resource-name>no_access</web-resource-name>
       <url-pattern>/jsp/*</url-pattern>
   </web-resource-collection>
   <auth-constraint/>
</security-constraint>
    <security-constraint>
   <web-resource-collection>
       <web-resource-name>no_access</web-resource-name>
       <url-pattern>/myrrunner/*</url-pattern>
   </web-resource-collection>
   <auth-constraint/>
</security-constraint>

如何将上面的黑名单部分更改为仅使用白名单部分...例如,我需要将其他方法列入白名单,而不是黑名单,http方法,但我不确定将它们列入白名单的语法以及将它们列入白名单的方法。PUTDELTE

对于我上面的片段,如果有人能为我提供上面的白色计数器部分,我将不胜感激。web.xmlxml

编辑:另外,我如何真正验证解决方案是否有效?

谢谢


答案 1

我会尝试以下操作:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- no auth-constraint tag here -->
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
   <auth-constraint/>
</security-constraint>

第一个没有,所以GET和POST方法可供任何没有登录的人使用。第二个限制了每个人的其他http方法。(我还没有尝试过。security-constraintauth-constraint


答案 2

Java EE 6 的新功能,它简化了应用程序的安全配置。现在,您可以将 Web 中允许的 HTTP 方法列入白名单,而不是将其列入黑名单.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Disable unneeded HTTP methods by 403 Forbidden them</web-resource-name>
        <url-pattern>*</url-pattern>
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>HEAD</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>

参考资料: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html#6nmq2cpkb


推荐
更多 »
标签
更多 »
php pass-by-reference optional-parameters default-value javascript arrays dom function string object serialization tostring visibility syntax jslint use-strict operators equality equality-operator identity-operator datetime timestamp date-arithmetic redirect angularjs loops foreach iteration scope variables
推荐
更多 »