tomcat 8 使用 liferay 启动时存在严重的安全限制
Severe security constraints while tomcat 8 startup with liferay
当 tomcat 8 出现 liferay 时,我收到以下严重消息。
SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/bg/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.
03-Sep-2015 07:06:00.733 SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/sv/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.
03-Sep-2015 07:06:00.733 SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/zh/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.
这对服务器启动没有任何影响,但不确定是什么原因造成的?非常感谢任何帮助。
这意味着在 web.xml 中有人仅针对方法 POST 和模式 /bg/c/portal/protected 上的 GET 指定了安全约束,可能与此类似:
<security-constraint>
<web-resource-collection>
<url-pattern>/bg/c/portal/protected</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>...</transport-guarantee>
</user-data-constraint>
</security-constraint>
您应该删除 http-method 方括号,以便它匹配此 url-pattern 的所有方法,或者创建第二个方括号,如果您想在其上设置不同的安全限制而不使用任何 http-method括号。
例如,如果您想使用 SSL /bg/c/portal/protected 端点保护 POST 和 GET 方法,但对于其他方法您不需要,那么您应该创建一个配置像这样:
<security-constraint>
<web-resource-collection>
<url-pattern>/bg/c/portal/protected</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<url-pattern>/bg/c/portal/protected</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
如您所见,此模式的所有方法都已涵盖,因此不会抛出任何错误。
当 tomcat 8 出现 liferay 时,我收到以下严重消息。
SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/bg/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.
03-Sep-2015 07:06:00.733 SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/sv/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.
03-Sep-2015 07:06:00.733 SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/zh/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.
这对服务器启动没有任何影响,但不确定是什么原因造成的?非常感谢任何帮助。
这意味着在 web.xml 中有人仅针对方法 POST 和模式 /bg/c/portal/protected 上的 GET 指定了安全约束,可能与此类似:
<security-constraint>
<web-resource-collection>
<url-pattern>/bg/c/portal/protected</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>...</transport-guarantee>
</user-data-constraint>
</security-constraint>
您应该删除 http-method 方括号,以便它匹配此 url-pattern 的所有方法,或者创建第二个方括号,如果您想在其上设置不同的安全限制而不使用任何 http-method括号。
例如,如果您想使用 SSL /bg/c/portal/protected 端点保护 POST 和 GET 方法,但对于其他方法您不需要,那么您应该创建一个配置像这样:
<security-constraint>
<web-resource-collection>
<url-pattern>/bg/c/portal/protected</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<url-pattern>/bg/c/portal/protected</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
如您所见,此模式的所有方法都已涵盖,因此不会抛出任何错误。