How do I know whether HttpServletRequest is subject to <security-constraint> or not?

一个人想着一个人 submitted on 2019-12-23 05:11:10

Question


I have a servlet with a security constraint in its web.xml like below:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

The above forces a switch to the https protocol and works fine. But on the secured pages there are some relative links to unsecured pages. When users click on them they're opened via https, which I want to avoid. Converting relative links to absolute is not an option. The Servlet spec does not provide a means of forcing an unsecured connection, so I'm going to implement a filter which would redirect the user to http:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
    if(!isSubjectToAuthConstraint(request)) {
        // Check protocol and redirect to http if https
        // ....
    } else {
        // Do nothing, managed by servlet spec
        filterChain.doFilter(request, response);
    }
}

So I need to know whether the request is under a security constraint or not. How do I know it programmatically? Is it possible at all?


Answer 1:


Hi, in the normal case the https port is 443. When you enter https://www.example.com:443/welcome.html in the browser, the browser extends it to https://www.example.com/welcome.html

Maybe this is what you need:

String serverAddress = "";    
String serverName = request.getServerName( );
String serverPort = "" + request.getServerPort( );

if( request.isSecure( ) ) {
  serverAddress = "https://" + serverName + ":" + serverPort;
} else {
  serverAddress = "http://" + serverName + ":" + serverPort;
}


Source: https://stackoverflow.com/questions/5442381/how-do-i-know-whether-httpservletrequest-is-subject-to-security-constraint-or
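
One way to implement the `isSubjectToAuthConstraint` check from the question, assuming the filter keeps its own copy of the `<url-pattern>` values from web.xml. This is an added example, not code from the thread; the class name, method names and the `PATTERNS` list are hypothetical.

```java
import java.util.List;

// Added example, not from the original thread. PATTERNS is an assumption:
// a hand-maintained copy of the <url-pattern> values in web.xml.
public final class ConfidentialPaths {

    private static final List<String> PATTERNS = List.of("/admin/*");

    private ConfidentialPaths() {}

    // In a filter, build the argument from the container-decoded values:
    //   String p = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());
    public static boolean isSubjectToConstraint(String pathWithinContext) {
        for (String pattern : PATTERNS) {
            if (matches(pattern, pathWithinContext)) {
                return true;
            }
        }
        return false;
    }

    // Exact, path-prefix ("/x/*") and extension ("*.x") patterns only; the
    // default "/" pattern and <http-method> restrictions are not modelled.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) {
            int slash = path.lastIndexOf('/');
            int dot = path.lastIndexOf('.');
            return dot > slash && path.substring(dot).equals(pattern.substring(1));
        }
        return pattern.equals(path);
    }

    public static void main(String[] args) {
        // Constructed sample paths.
        for (String p : List.of("/admin", "/admin/users", "/administrator", "/index.jsp")) {
            System.out.println(p + " -> " + isSubjectToConstraint(p));
        }
    }
}
```

If the list drifts from web.xml, the filter will treat a protected path as unprotected, so the two should be changed together.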
