首页 > 代码库 > (HTTPS)-强制 SSL (HTTPS)Filter

(HTTPS)-强制 SSL (HTTPS)Filter

汗,无知真可怕,Servlert规范中已经有自动跳转到保护页面(Http - Https)的方法了:
web.xml
 
    <security-constraint>
        <display-name>Test Auth</display-name>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <url-pattern>/*</url-pattern> <!-- 整站SSL -->
          <http-method>DELETE</http-method>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
          <http-method>PUT</http-method>
        </web-resource-collection>
        <user-data-constraint>
          <description>SSL required</description>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
 
Basic 认证 + SSL
 
    <security-constraint>
        <display-name>Test Auth</display-name>
        <web-resource-collection>
          <web-resource-name>Protected Area</web-resource-name>
          <url-pattern>/auth/*</url-pattern>
          <http-method>DELETE</http-method>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
          <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>ADMIN</role-name>
          <role-name>USER</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
 
回头想想前面的工作真可笑。
--------------------------
在Web工程中,如果使用HTTP Basic认证,或FORM认证,为了安全性,最好使用HTTPS的。
因此我们需要禁止HTTP访问,只能HTTPS访问。
如果大家感兴趣,可以研究下Spring Security(偶也不懂,貌似它能做到HTTPS与HTTP Session共享)。
先了解一下URL和URI在java.net.* 包中的用法和区别。详尽描述请参考Javadoc描述:
URLTest.java
 
    package me.test;
    import java.net.URI;
    import java.net.URL;
    public class URLTest {
        public static void main(String[] args) throws Exception {
            URL u1 = new URL(
                    "ftp://zhang3:123456@192.168.1.1:556/zhang.txt?k1=v1&k2=v2#aa");
            System.out.println(u1.toString());
            System.out.println(u1.toExternalForm());
            System.out.println(u1.toURI());
            URL u2 = new URL(
                    "https",
                    u1.getHost(),
                    8443,
                    u1.getFile());
            // 以下三行的数据均为:
            // https://192.168.1.1:8443/zhang.txt?k1=v1&k2=v2
            System.out.println(u2.toString());
            System.out.println(u2.toExternalForm());
            System.out.println(u2.toURI());
            System.out.println("----------------");
            URI i1 = new URI(
                    "ftp://zhang3:123456@192.168.1.1:556/zhang.txt?k1=v1&k2=v2#aa");
            URI i2 = new URI(
                    "https",
                    i1.getUserInfo(),
                    i1.getHost(),
                    8443,
                    i1.getPath(),
                    i1.getQuery(),
                    i1.getFragment());
            // 以下两行均输出
            // https://zhang3:123456@192.168.1.1:8443/zhang.txt?k1=v1&k2=v2#aa
            System.out.println(i2.toURL());
            System.out.println(i2.toString());
        }
    }
 
以下是偶的Filter:
ForceSSLFilter.java
 
    /*
     * @(#)ForceSSLFilter.java
     *
     * Copyright (c) 2011, Digital Yingtan Construction Committee.
     */
    package me.test;
    import java.io.IOException;
    import java.net.URI;
    import java.net.URISyntaxException;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.regex.Pattern;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.commons.lang.StringUtils;
    /**
     * 对某些路径强制使用SSL的Filter。
     * 如果请求的URL不是 https,则会使其重定向到相应的https路径上。
     *
     * 注意:此Filter目前只能用于无状态的WebService等路径。因为https与http在Tomcat等
     * Servlet容器中会使用不同的SESSION。
     *
     * @author 张亮亮 2011/05/26 新建
     */
    public class ForceSSLFilter implements Filter {
        /** 需要强制使用SSL的路径。 */
        protected List<String> sslPaths = null;
        /** 不需要强制使用SSL的路径。 */
        protected List<String> noSslPaths = null;
        /** SSL的端口。 */
        protected int sslPort = 443;
        /** 是否使用重定向。 */
        protected boolean usingRedirect = true;
        /**
         * 获得初始值。
         *
         * @param fc 配置信息
         */
        public void init(FilterConfig fc) throws ServletException {
            // 参数:需要强制使用SSL的路径
            String paths = fc.getInitParameter("sslPaths");
            sslPaths = new ArrayList<String>();
            if (StringUtils.isNotBlank(paths)) {
                for (String regexStr : paths.split(",")) {
                    if (StringUtils.isNotBlank(regexStr)) {
                        sslPaths.add(regexStr.trim());
                    }
                }
            }
            // 参数:不需要强制使用SSL的路径
            paths = fc.getInitParameter("noSslPaths");
            noSslPaths = new ArrayList<String>();
            if (StringUtils.isNotBlank(paths)) {
                for (String regexStr : paths.split(",")) {
                    if (StringUtils.isNotBlank(regexStr)) {
                        noSslPaths.add(regexStr.trim());
                    }
                }
            }
            // 参数:SSL的端口
            String port = fc.getInitParameter("sslPort");
            if (StringUtils.isNotBlank(port)) {
                sslPort = Integer.valueOf(port);
            }
            // 参数:是否使用重定向
            String redirect = fc.getInitParameter("usingRedirect");
            if (StringUtils.isNotBlank(redirect)) {
                usingRedirect = Boolean.valueOf(redirect);
            }
        }
        /**
         *
         */
        public void destroy() {
        }
        /**
         *单点登录主要处理方法。
         *
         * @param req 请求
         * @param resp 响应
         * @param filterChain 响应链
         */
        public void doFilter(ServletRequest req, ServletResponse resp,
                FilterChain filterChain) throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) resp;
            String servletPath = request.getServletPath();
            // 不需要SSL?
            boolean needFilter = true;
            for (String regexStr : noSslPaths) {
                if (Pattern.matches(regexStr, servletPath)) {
                    needFilter = false;
                    break;
                }
            }
            if (needFilter && !request.isSecure()) {
                // 是否需要强制SSL?
                boolean needRedirect = false;
                for (String regexStr : sslPaths) {
                    if (Pattern.matches(regexStr, servletPath)) {
                        needRedirect = true;
                        break;
                    }
                }
                // 进行跳转
                if (needRedirect) {
                    if (usingRedirect) {
                        try {
                            URI reqUri = new URI(request.getRequestURL().toString());
                            URI newUri = new URI("https", reqUri.getUserInfo(),
                                    reqUri.getHost(), sslPort, reqUri.getPath(),
                                    reqUri.getQuery(), reqUri.getFragment());
 
                            response.sendRedirect(newUri.toString());
                            response.flushBuffer();
                            return;
                        } catch (URISyntaxException e) {
                            throw new RuntimeException("请求的URL格式不正确。", e);
                        }
                    } else {
                        response.sendError(403, "此URL必须使用HTTPS访问。");
                        return;
                    }
                }
            }
            filterChain.doFilter(request, response);
        }
    }
 
web.xml中的配置
 
    ...
    <filter>
        <filter-name>forceSSLFilter</filter-name>
        <filter-class>
          me.test.ForceSSLFilter
        </filter-class>
        <init-param>
           <param-name>sslPaths</param-name>
           <param-value>/auth/.*</param-value>
        </init-param>
        <init-param>
           <param-name>noSslPaths</param-name>
           <param-value>/auth/1/.*</param-value>
        </init-param>
        <init-param>
           <param-name>sslPort</param-name>
           <param-value>8443</param-value>
        </init-param>
        <init-param>
           <param-name>usingRedirect</param-name>
           <param-value>false</param-value>
        </init-param>
      </filter>
    ...
 
不足:Basic认证优先被Servlet容器处理,所以,会造成以下情况;
1. 用户在使用http访问必须要https访问的路径时,被提示输入用户名,密码
2. 然后,显示错误信息(“403 此URL必须使用HTTPS访问” - 如果 web.xml 中usingRedirect为false
或者 跳转到https的访问路径上,但又被要求重新输入一次密码 )
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

(HTTPS)-强制 SSL (HTTPS)Filter