Something in my Apache Isis project's web.xml disables Tomcat security (HSTS and clickjacking protection)



My Tomcat (v8) is configured globally to use Strict Transport Security (HSTS) and to prevent clickjacking (in /opt/tomcat/conf/web.xml):

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <url-pattern>*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

I can also see that it is working. If I look at the headers of one of my web applications, they contain:

Strict-Transport-Security: max-age=0
X-Frame-Options: DENY

But: when analysing the headers of my Apache Isis project, I find that X-Frame-Options and Strict-Transport-Security are missing. My guess is that one of the filters in the Isis project's web.xml is the problem and is overriding the global setting. I tried commenting some of them out, but either the application then no longer worked correctly, or the application worked but the headers still were not there...

My project's web.xml is:

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>...</display-name>
    <welcome-file-list>
        <welcome-file>about/index.html</welcome-file>
    </welcome-file-list>
    <!-- shiro security configuration -->
    <listener>
        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
    </listener>
    <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.ShiroFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!--
    determines which additional configuration files to search for
    -->
    <context-param>
        <param-name>isis.viewers</param-name>
        <param-value>wicket,restfulobjects</param-value>
    </context-param>
    <!--
    -
    - config specific to the wicket-viewer
    -
    -->
    <filter>
        <filter-name>WicketFilter</filter-name>
        <filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
        <init-param>
            <param-name>applicationClassName</param-name>
            <param-value>domainapp.webapp.MyApplication</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>WicketFilter</filter-name>
        <url-pattern>/wicket/*</url-pattern>
    </filter-mapping>
    <context-param>
        <param-name>configuration</param-name>
        <param-value>deployment</param-value>
    </context-param>
</web-app>

Which part of my project's web.xml could cause Tomcat not to apply the HSTS and clickjacking prevention, which are enabled by default, to my Isis project?

Thanks to a hint from Andy Huber on the ASF Isis Slack channel I was able to solve my problem.

Andy's hint: filter precedence is defined by the order of appearance in the web.xml file. So I added the security-related filters at the beginning of my project's web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>...</display-name>
    <welcome-file-list>
        <welcome-file>about/index.html</welcome-file>
    </welcome-file-list>
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <url-pattern>*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secured</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <!-- shiro security configuration -->
    <listener>
        <listener-class>org.apache.shiro.web.env.EnvironmentLoaderListener</listener-class>
    </listener>
    ...
</web-app>

Unfortunately, I still don't know which part of the Isis-related filters caused the original problem. But as long as my Tomcat security has improved, I can live with that ;-)
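Whether the filter is declared first or not, the only reliable way to know that HttpHeaderSecurityFilter reached a given response is to look at the headers, as the question does. The following checker is an added example, not code from the question or from the Isis project: it takes a captured raw response header block and reports which of the two headers discussed above is missing or ineffective. The two sample responses are constructed for the example (one carrying exactly the headers shown in the question, one without them). Beyond a presence check it also parses the HSTS max-age, because max-age=0 (what the filter emits unless its hstsMaxAgeSeconds init-param is set) instructs browsers to discard any stored HSTS policy for the host rather than enforce one (RFC 6797, section 6.1.1), so the header being present is not the same as HSTS being in effect.

```python
"""Verify that a raw HTTP response carries effective HSTS and
X-Frame-Options headers (added example; sample responses are constructed)."""
import re
from typing import Dict, List, Optional

# Constructed sample: the headers the question reports for a webapp where
# the Tomcat filter runs.
RESPONSE_WITH_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=0\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)

# Constructed sample: a response from a webapp where the filter never ran.
RESPONSE_MISSING_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Split the head of a raw HTTP response into a dict keyed by
    lower-cased header name; the status line is skipped, last value wins."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> Optional[int]:
    """Extract the max-age directive from a Strict-Transport-Security value;
    None when the directive is absent."""
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def check_security_headers(raw: str) -> List[str]:
    """Return findings for the headers HttpHeaderSecurityFilter is expected
    to add. An empty list means both headers are present and effective."""
    headers = parse_headers(raw)
    findings: List[str] = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = hsts_max_age(hsts)
        if age is None:
            findings.append("Strict-Transport-Security has no max-age directive")
        elif age == 0:
            # RFC 6797 6.1.1: max-age=0 makes the browser forget the host's
            # HSTS policy, so nothing is enforced even though the header exists.
            findings.append(
                "Strict-Transport-Security max-age=0: browsers drop the HSTS "
                "policy, nothing is enforced")

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")

    return findings


if __name__ == "__main__":
    for label, raw in (("with headers", RESPONSE_WITH_HEADERS),
                       ("missing headers", RESPONSE_MISSING_HEADERS)):
        print(label, "->", check_security_headers(raw) or "OK")
```

In practice the raw block would come from whatever you captured the response with (a browser's network panel, a proxy, or curl with -i); the checker only needs the status line and header lines, so the body can be omitted.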
