如何强制使用 SSL 仅打开一个页面？

发布于 2024-11-06 08:04:40 字数 1024 浏览 0 评论 0原文

在我的项目中，我使用 SSL，但它适用于所有页面。我只想将它用于登录页面，在该页面之后它应该恢复为 HTTP 协议。我怎样才能做到这一点？我在下面找到了一个方法，但它不起作用。

    <security-constraint>
    <web-resource-collection>
        <web-resource-name>Notify page, accessed internally by application</web-resource-name>
        <url-pattern>/Login.xhtml</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Site</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

我的项目是一个 JSF 2.0 项目，我使用 Eclipse Helios 和 Tomcat 7.0。

谢谢。

原文

In my project, I am using SSL but it works for all pages.I want to use it for only a login page, after that page it should revert to HTTP protocol. How can i do that? I found a way below, but it does not work.

    <security-constraint>
    <web-resource-collection>
        <web-resource-name>Notify page, accessed internally by application</web-resource-name>
        <url-pattern>/Login.xhtml</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Site</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

My project is a JSF 2.0 project, I am using Eclipse Helios and Tomcat 7.0.

Thanks.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

深居我梦 2024-11-13 08:04:40

那是不可能的。当通过 HTTPS 请求创建会话时，该会话不可用于 HTTP 请求。您最好的选择是在登录期间自己创建一个非安全 cookie，并通过它来维护登录。

Map<String, Object> properties = new HashMap<String, Object>();
properties.put("secure", false);
externalContext.addResponseCookie(name, value, properties);

但再想一想，HTTPS登录还有什么意义呢？如果您在使用 HTTPS 后返回 HTTP，并且希望保持用户登录状态，则需要将会话 cookie 设置为不安全。这样黑客仍然能够嗅探 cookie 中的会话 ID 来进行会话固定黑客攻击。通过 HTTPS 登录，您只能防止黑客了解实际的用户名/密码，但一旦黑客计算出 cookie 中的会话 ID，这就没有任何意义了。

我想说的是，忘记开关并在登录后始终坚持使用 HTTPS。

That's not possible. When the session is created by HTTPS request, then it is not available to HTTP requests. Your best bet is to create a non-secure cookie yourself during login and maintain the login by that instead.

Map<String, Object> properties = new HashMap<String, Object>();
properties.put("secure", false);
externalContext.addResponseCookie(name, value, properties);

But think once again about this, what's the point of the HTTPS login then? If you go back to HTTP after HTTPS and you want to keep the user logged-in, then you're required to set the session cookie unsecure. This way hackers will still be able to sniff the session ID in the cookie to do a session fixation hack. With login over HTTPS you only prevent that hackers learn about the actual username/password, but that has no point anymore once a hacker figures the session ID in the cookie.

I'd say, forget the switch and stick to HTTPS all the time after login.

回复收藏 0 原文

~没有更多了~