Add HSTS feature to Tomcat

大憨熊 提交于 2019-12-20 10:05:14

问题


Trust you all well.

My web application run on tomcat 6.0.43 and do not use apache or nginx at front.

I'm already enforce my web from http redirect to https using:

  1. URL Redirect at ../webapps/ROOT/index.jsp

<% response.sendRedirect("https://www.epi.com.my/portal/"); %>

  1. ../webapps/myapp/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
  <web-resource-name>Protected Context</web-resource-name>
     <url-pattern>/*</url-pattern>
 </web-resource-collection>
 <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint></security-constraint>

Where to add such code below

Header add Strict-Transport-Security "max-age=15768000"

OR Is tomcat did not have this feature? Or I need to modify in every my java web app controller.


回答1:


You can add it using a filter. Add the following snippet to web.xml:

<filter>
    <filter-name>HSTSFilter</filter-name>
    <filter-class>security.HSTSFilter</filter-class>
</filter>

And then create a filter in your webapp:

package security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class HSTSFilter implements Filter {

    public void doFilter(ServletRequest req, ServletResponse res,
        FilterChain chain) throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;

        if (req.isSecure())
            resp.setHeader("Strict-Transport-Security", "max-age=31622400; includeSubDomains");

        chain.doFilter(req, resp);
    }
}

Its also possible to add the filter using the global web.xml (conf/web.xml).




回答2:


If you are able to use Tomcat 7 or 8, you can activate the built in HSTS filter. Uncomment httpHeaderSecurity filter definition in tomcat/conf/web.xml

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
</filter>

and add a useful max age param:

<init-param>
    <param-name>hstsMaxAgeSeconds</param-name>
    <param-value>31536000</param-value>
</init-param>

Don't forget to uncomment filter mapping:

<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>



回答3:


Use url-rewrite.

  1. Create a url-rewrite config file and put it into your web application's WEB-INF/classes directory
  2. Add a rule that adds that header to all requests

Note that this is not HSTS-specific: you can do anything you want with url-rewrite.




回答4:


  1. just add this code in jsp under jsp scriptlet tags

    <%
        response.setHeader("Strict-Transport-Security" ,"max-age=7776000" );
    %>
    

OR

  1. Also can be add to server if JBoss then add below tags in web.xml of application

    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="Strict-Transport-Security" value="max-age=31536000"/>
            </customHeaders>
        </httpProtocol>
    </system.webServer>
    

    for <system.webServer> You have to add xmlnsi other wise it will throw Parsing exception

OR

  1. You can do one thing: create a filter in your application and configure that application in web.xml


来源:https://stackoverflow.com/questions/27541755/add-hsts-feature-to-tomcat

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!