找到你要的答案

Q:Severe security constraints while tomcat 8 startup with liferay

Q:严重的安全约束在Tomcat 8启动系统

I am getting the below severe message while the tomcat 8 comes up with liferay.

SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/bg/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.
03-Sep-2015 07:06:00.733 SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/sv/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.
03-Sep-2015 07:06:00.733 SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/zh/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.

This does not have any impact on server start up but not sure what is causing this? Any help would really appreciated.

我得到的消息,在严重的Tomcat 8了Liferay。

SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/bg/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.
03-Sep-2015 07:06:00.733 SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/sv/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.
03-Sep-2015 07:06:00.733 SEVERE [localhost-startStop-1] org.apache.tomcat.util.descriptor.web.SecurityConstraint.findUncoveredHttpMethods For security constraints with URL pattern [/zh/c/portal/protected] only the HTTP methods [POST GET] are covered. All other methods are uncovered.

这不会对服务器启动产生任何影响,但不确定是什么原因造成的?任何帮助将真正感谢。

answer1: 回答1:

It means that in web.xml someone has specified security constraint just for methods POST and GET on pattern /bg/c/portal/protected, possibly in similair way to this:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/bg/c/portal/protected</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>...</transport-guarantee>
    </user-data-constraint>
</security-constraint>

You should either remove http-method brackets so it will match all methods for this url-pattern or create second one if you would like to set different security constraints on it without any http-method brackets.

For instance if you would like to secure with SSL /bg/c/portal/protected endpoint for POST and GET method, but for others you do not need that then you should create config like this:

    <security-constraint>
    <web-resource-collection>
        <url-pattern>/bg/c/portal/protected</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
    <security-constraint>
    <web-resource-collection>
        <url-pattern>/bg/c/portal/protected</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

As you see now all methods for this pattern are covered, hence no error will be thrown.

这意味着在web.xml有指定的安全约束只是方法后得到的图案/ BG / C /门/保护,可能在相似的方式进行:

<security-constraint>
    <web-resource-collection>
        <url-pattern>/bg/c/portal/protected</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>...</transport-guarantee>
    </user-data-constraint>
</security-constraint>

你可以删除HTTP方法括号将匹配该URL模式的所有方法或创建另一个如果你想设置不同的安全约束对它没有任何的HTTP方法支架。

例如,如果你想使用SSL / BG / C /门/保护端点后得到的方法安全,但别人不需要你,那么你应该创建配置这样的:

    <security-constraint>
    <web-resource-collection>
        <url-pattern>/bg/c/portal/protected</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
    <security-constraint>
    <web-resource-collection>
        <url-pattern>/bg/c/portal/protected</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

正如您现在看到的,所有这些模式的方法都被覆盖,因此不会抛出错误。

security  tomcat  liferay  liferay-6  tomcat8