如何强制页面只能通过HTTPS访问。需要通过Spring MVC 3配置文件完成此操作。
如何强制页面只能通过HTTPS访问。需要通过Spring MVC 3配置文件完成此操作。
Spring-security有这样的配置。在此处查看如何实现。简而言之-你可以强制通道使用https:
<http>
<intercept-url pattern="/secure/**" access="ROLE_USER"
requires-channel="https"/>
<intercept-url pattern="/**" access="ROLE_USER"
requires-channel="any"/>
</http>
如果您不想使用spring-security,这里是一个我写的拦截器:
@Component
public class SslInterceptor extends HandlerInterceptorAdapter {
// no need to inject it for now..
private PathMatcher pathMatcher = new AntPathMatcher();
@Value("${base.url.secure}")
private String secureRoot;
@Resource(name="secureLocations")
private List<String> secureLocations;
@Value("${use.ssl}")
private boolean useSsl;
@Override
public boolean preHandle(HttpServletRequest request,
HttpServletResponse response, Object handler) throws Exception {
if (useSsl && !request.isSecure() && shouldForceSecure(request.getRequestURI())) {
String redirectUrl = secureRoot + request.getRequestURI();
if (request.getQueryString() != null) {
redirectUrl += "?" + request.getQueryString();
}
// force session creation - thus it will be accessible to both the
// secure and the insecure contexts
request.getSession(true);
response.sendRedirect(redirectUrl);
return false;
}
return true;
}
private boolean shouldForceSecure(String path) {
for (String pattern : secureLocations) {
if (pathMatcher.match(pattern, path)) {
return true;
}
}
return false;
}
}
对于没有Spring安全框架的基于注释的方法,我编写了一个拦截器和一个新的注释:
/**
* Request mapping annotation to enforce secure or insecure requests.
* Per default the annotated mapping is enforced to be secure.
*
* @see org.springframework.web.bind.annotation.RequestMapping
*/
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Mapping
public @interface RequestProtocol {
boolean secure() default true;
}
@RequestMapping(value = "/secret", method = RequestMethod.GET)
@RequestProtocol(secure = true)
@ResponseBody
public Result doSecure(@Valid Model model) {
return doSomething(model));
}
/**
* Interceptor to send a redirect on security enforced mappings with wrong type of request.
*
* @see RequestProtocol
*/
class RequestProtocolInterceptor extends HandlerInterceptorAdapter {
private static final int PORT_DIFF = 443 - 80;
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws IOException {
Boolean secure = checkSecure(handler);
if (secure != null && request.isSecure() != secure) {
response.sendRedirect(switchSecure(secure, request.getRequestURL()));
return false;
}
return true;
}
private Boolean checkSecure(Object handler) {
if (handler instanceof HandlerMethod) {
HandlerMethod method = (HandlerMethod)handler;
RequestProtocol annotation = method.getMethodAnnotation(RequestProtocol.class);
if (annotation == null) {
annotation = AnnotationUtils.findAnnotation(method.getBeanType(), RequestProtocol.class);
}
return annotation == null ? null : annotation.secure();
}
return null;
}
private String switchSecure(boolean secure, StringBuffer url) {
int endSchema = url.indexOf("://");
url.replace(0, endSchema, secure ? "https" : "http");
int startPort = url.indexOf(":", endSchema + 3);
if (startPort != -1) {
int endPort = url.indexOf("/", startPort);
int port = Integer.parseInt(url.substring(startPort + 1, endPort));
port += secure ? PORT_DIFF : -PORT_DIFF;
url.replace(startPort + 1, endPort, String.valueOf(port));
}
return url.toString();
}
}
@Configuration
@EnableWebMvc
public class MyConfiguration extends WebMvcConfigurerAdapter {
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(new RequestProtocolInterceptor());
}
}
您可以在Tomcat配置中完成此操作。
尝试在server.xml中的HTTP连接器中添加redirectPort =""。
希望能对您有所帮助。
更新:
本文将为您解释如何处理SSL,并提供了很多示例。