1. Native Security in Tomcat
2. Configuring Tomcat's web.xml
Native Security in Tomcat
The security-management mechanism in Tomcat works essentially like the JDK security manager covered earlier. The only difference is that you append the -security flag after start when launching; Tomcat then automatically reads the permission configuration from conf/catalina.policy. The startup commands are:
①.startup.bat -security
②.catalina.bat -security
Configuring Tomcat's web.xml
1. The simplest security constraint
Note: all users are forbidden from accessing all source files
<security-constraint>
  <display-name>interceptor-jsp</display-name>
  <web-resource-collection>
    <web-resource-name>JSPs</web-resource-name>
    <!-- resources that are blocked -->
    <url-pattern>*.js</url-pattern>
  </web-resource-collection>
  <!-- all Tomcat users: an empty auth-constraint allows no role at all, so every request is denied -->
  <auth-constraint/>
</security-constraint>
<!-- BASIC: use HTTP Basic authentication -->
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
2. Adding a user restriction
Note: 1. restricts specific files; 2. requires authentication as a Tomcat user
<security-constraint>
  <display-name>interceptor-jsp</display-name>
  <web-resource-collection>
    <web-resource-name>JSPs</web-resource-name>
    <url-pattern>*.js</url-pattern>
    <url-pattern>*.html</url-pattern>
    <!-- the following request methods are restricted; note that listing methods limits the
         constraint to exactly these, so any unlisted method (HEAD, PUT, ...) stays unconstrained
         unless <deny-uncovered-http-methods/> (Servlet 3.1) is also declared -->
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <!-- only the tomcat role may access; the browser prompts for a Tomcat username and password -->
  <auth-constraint>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <!-- role description -->
  <description>
    The role that is required to log in to the Administration Application
  </description>
  <role-name>tomcat</role-name>
</security-role>
Response results:
Opening the home page prompts for Tomcat user credentials
Response when accessing a .js file
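To check the two constraint pitfalls above (an empty auth-constraint denies everyone; listing http-method elements leaves unlisted methods unprotected), here is an added example that is not part of the original post: a small stdlib-only checker over a constructed web.xml built from the second snippet. The finding text and the `deny-uncovered-http-methods` check are this example's own choices.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's second snippet wrapped in a web-app root element.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSPs</web-resource-name>
      <url-pattern>*.js</url-pattern>
      <url-pattern>*.html</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def _local(tag):
    # Drop the namespace prefix so namespaced and bare web.xml files both work.
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]

def audit_constraints(web_xml_text):
    """Describe each security-constraint and list the pitfalls it exhibits."""
    root = ET.fromstring(web_xml_text)
    deny_uncovered = any(_local(e.tag) == "deny-uncovered-http-methods" for e in root.iter())
    results = []
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        auth = [e for e in sc.iter() if _local(e.tag) == "auth-constraint"]
        # No auth-constraint: everyone allowed (None). Empty one: nobody allowed ([]).
        roles = _texts(auth[0], "role-name") if auth else None
        methods = _texts(sc, "http-method")
        findings = []
        if roles == []:
            findings.append("empty auth-constraint: every user is denied")
        if methods and not deny_uncovered:
            findings.append("only %s are constrained; unlisted methods (HEAD, PUT, ...) are "
                            "uncovered, add <deny-uncovered-http-methods/> or drop http-method"
                            % "/".join(methods))
        results.append({"patterns": _texts(sc, "url-pattern"), "methods": methods,
                        "roles": roles, "findings": findings})
    return results

if __name__ == "__main__":
    for r in audit_constraints(SAMPLE_WEB_XML):
        print(r)
```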
Configuring the HTML META tag
Setting the Content-Security-Policy header
Detailed parameters: https://www.cnblogs.com/heyuqing/p/6215761.html
<!-- default-src 'none' blocks every source type not explicitly allowed below;
     'unsafe-inline' and 'unsafe-eval' in script-src relax the policy for inline scripts and eval -->
<meta http-equiv="Content-Security-Policy" content="
  default-src 'none';
  connect-src *;
  script-src 'self' 'unsafe-inline' 'unsafe-eval' http://api.map.baidu.com http://webapi.amap.com https://hm.baidu.com;
  style-src 'self' 'unsafe-inline';
  media-src 'self';
  object-src 'self';
  img-src 'self'
">