2017-03-31

Tomcat security header settings

Tomcat ships with filters that emit CORS and security-related response headers. Where possible, turn them on so that the browser's own protections (HSTS, clickjacking protection, MIME-sniffing protection) actually get used. The defaults I normally start from are below. Two things to keep in mind: HttpHeaderSecurityFilter only adds Strict-Transport-Security to responses to secure (HTTPS) requests, so you will not see it when probing over plain HTTP, and cors.allowed.origins must be an explicit allow-list of your own origins, never "*", if you later switch on cors.support.credentials.

Edit tomcat-home/conf/web.xml (applies to every webapp deployed on the instance):

<filter>
    <filter-name>HeaderSecurityFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name><param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name><param-value>15768000</param-value>
    </init-param>
    <init-param>
        <param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name><param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name><param-value></param-value>
    </init-param>
    <init-param>
        <param-name>blockContentTypeSniffingEnabled</param-name><param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>xssProtectionEnabled</param-name><param-value>true</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.origins</param-name><param-value>https://your.domain.com</param-value>
    </init-param>
    <!--
    <init-param>
        <param-name>cors.allowed.methods</param-name><param-value>GET,POST,HEAD,OPTIONS,PUT</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.headers</param-name><param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
    </init-param>
    <init-param>
        <param-name>cors.exposed.headers</param-name><param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
    </init-param>
    <init-param>
        <param-name>cors.support.credentials</param-name><param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>cors.preflight.maxage</param-name><param-value>10</param-value>
    </init-param>
    -->
</filter>
<filter-mapping>
    <filter-name>HeaderSecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <!--<servlet-name>*</servlet-name>-->
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
    <dispatcher>ASYNC</dispatcher>
</filter-mapping>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <!--<servlet-name>*</servlet-name>-->
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
    <dispatcher>ASYNC</dispatcher>
</filter-mapping>
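Once the filters are in place you want a quick way to check that a deployment really emits what the web.xml above promises. The script below is an added example (not code from the post, and not part of Tomcat): it parses a raw HTTP response head and audits the headers the two filters are responsible for. The expected max-age and origin are taken from the init-params above; the two sample responses are constructed, not captured from a real server.

```python
"""Offline audit of the headers HttpHeaderSecurityFilter and CorsFilter should
emit with the web.xml above.  Added example, not code from the post or from
Tomcat; the two raw responses at the bottom are constructed samples, and the
expected max-age and origin mirror the init-params in the web.xml fragment."""
from __future__ import annotations

import re

EXPECTED_HSTS_MAX_AGE = 15768000             # hstsMaxAgeSeconds above
EXPECTED_ORIGIN = "https://your.domain.com"  # cors.allowed.origins above


def parse_response_headers(raw: str) -> dict[str, list[str]]:
    """Turn a raw HTTP/1.1 response head into {lower-cased name: [values]}.

    The status line is skipped and everything after the first blank line
    (the body) is ignored; repeated headers are kept in order.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_security_headers(headers: dict[str, list[str]], *, https: bool = True) -> list[str]:
    """Return the list of findings; an empty list means every check passed.

    `https` says whether the probe went over TLS.  Tomcat's filter only adds
    Strict-Transport-Security to responses to secure requests, so its absence
    on a plain-HTTP probe is expected and is not reported.
    """
    findings: list[str] = []

    def first(name: str) -> str | None:
        values = headers.get(name.lower())
        return values[0] if values else None

    hsts = first("Strict-Transport-Security")
    if https:
        if hsts is None:
            findings.append("Strict-Transport-Security missing on an HTTPS response")
        else:
            match = re.search(r"max-age=(\d+)", hsts)
            if not match or int(match.group(1)) < EXPECTED_HSTS_MAX_AGE:
                findings.append(f"HSTS max-age below {EXPECTED_HSTS_MAX_AGE}: {hsts!r}")
            if "includesubdomains" not in hsts.lower():
                findings.append(f"HSTS lacks includeSubDomains: {hsts!r}")

    xfo = first("X-Frame-Options")
    if xfo is None or xfo.upper() not in ("SAMEORIGIN", "DENY"):
        findings.append(f"X-Frame-Options missing or weak: {xfo!r}")

    xcto = first("X-Content-Type-Options")
    if xcto is None or xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options should be 'nosniff': {xcto!r}")

    xss = first("X-XSS-Protection")
    if xss is None or not xss.startswith("1"):
        findings.append(f"X-XSS-Protection missing or disabled: {xss!r}")

    # CORS: a wildcard origin together with credentials lets any site read
    # authenticated responses; only the configured allow-list may be reflected.
    acao = first("Access-Control-Allow-Origin")
    acac = first("Access-Control-Allow-Credentials")
    if acao is not None:
        if acao == "*" and acac is not None and acac.lower() == "true":
            findings.append("Access-Control-Allow-Origin '*' combined with credentials=true")
        elif acao != "*" and acao != EXPECTED_ORIGIN:
            findings.append(f"unexpected origin reflected in Access-Control-Allow-Origin: {acao!r}")

    return findings


# Constructed sample: what the filters should produce for an HTTPS request
# carrying Origin: https://your.domain.com.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=15768000;includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Access-Control-Allow-Origin: https://your.domain.com\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>ok</html>"
)

# Constructed sample of a bad deployment: short HSTS without subdomains,
# MIME sniffing allowed, wildcard CORS with credentials.
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=60\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, audit_security_headers(parse_response_headers(raw)) or "OK")
```

To probe a live server, capture the head with curl -sI -H "Origin: https://your.domain.com" https://host/ and feed the text to parse_response_headers. Because the mapping in conf/web.xml covers the ERROR dispatcher as well, the same headers should show up on error pages too, which is worth checking explicitly: a 404 page without X-Frame-Options is still frameable.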

ref:
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CORS_Filter
https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#HTTP_Header_Security_Filter
https://wiki.mozilla.org/Security/Guidelines/Web_Security#Content_Security_Policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
HTTP Headers 的資安議題 (1) (Security issues in HTTP headers, part 1)
HTTP Headers 的資安議題 (2) (Security issues in HTTP headers, part 2)
HTTP Headers 的資安議題 (3) (Security issues in HTTP headers, part 3)

Tomcat custom shared library directory

The apps inside one Tomcat instance often share some libraries, and the usual approach is to drop them straight into ${catalina.base}/lib. The trouble is that when you later move the site you can no longer tell which jars in there are Tomcat's own and which lib.jar files you added yourself XDD
So keep your own shared jars in a separate directory instead. For example, create a common-lib directory just for them:

Edit conf/catalina.properties and add the new paths to the shared.loader property (jars here are visible to every webapp, but not to Tomcat's own internal classes):

shared.loader="${catalina.base}/common-lib","${catalina.base}/common-lib/*.jar","${catalina.home}/common-lib","${catalina.home}/common-lib/*.jar"

... or append the same entries to common.loader (visible to Tomcat itself as well as to every webapp), whose default value is:

common.loader="${catalina.base}/lib","${catalina.base}/lib/*.jar","${catalina.home}/lib","${catalina.home}/lib/*.jar"

Whichever loader you use, the directory should be writable only by the account that deploys, not by the user Tomcat runs as: anything that can drop a jar in there gets code execution in every webapp.
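Keeping your own jars in one directory also makes it easy to record exactly what you deployed and to notice when a jar has been swapped or added. The script below is an added example (not code from the post): it builds a sha256sum-style manifest of every jar under a directory and diffs the directory against a recorded manifest. The jar contents in demo() are constructed placeholders, not real archives.

```python
"""Inventory and verify the jars in a dedicated common-lib directory.  Added
example, not code from the post; it assumes nothing about Tomcat beyond the
directory layout and records each jar's relative path and SHA-256 so that a
moved or tampered installation can be diffed against what was deployed."""
from __future__ import annotations

import hashlib
from pathlib import Path


def jar_manifest(lib_dir: str | Path) -> dict[str, str]:
    """Map each *.jar under lib_dir (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(lib_dir)
    manifest: dict[str, str] = {}
    for jar in sorted(root.rglob("*.jar")):
        if jar.is_file():
            manifest[jar.relative_to(root).as_posix()] = hashlib.sha256(jar.read_bytes()).hexdigest()
    return manifest


def write_manifest(manifest: dict[str, str], path: str | Path) -> None:
    """Write the manifest in sha256sum's two-column format (digest, two spaces, path)."""
    Path(path).write_text("".join(f"{digest}  {name}\n" for name, digest in manifest.items()), encoding="utf-8")


def read_manifest(path: str | Path) -> dict[str, str]:
    """Parse a file written by write_manifest (or by `sha256sum *.jar`)."""
    manifest: dict[str, str] = {}
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        if line.strip():
            digest, _, name = line.partition("  ")
            manifest[name.strip()] = digest.strip()
    return manifest


def verify_jars(lib_dir: str | Path, expected: dict[str, str]) -> dict[str, list[str]]:
    """Compare the jars on disk with the recorded manifest.

    Returns {"added": [...], "removed": [...], "changed": [...]}; all three
    lists empty means the directory matches what was recorded.
    """
    actual = jar_manifest(lib_dir)
    return {
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
        "changed": sorted(n for n in actual.keys() & expected.keys() if actual[n] != expected[n]),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed common-lib in a temp dir, record it, tamper with it, re-check."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp, "common-lib")
        lib.mkdir()
        (lib / "mylib-1.0.jar").write_bytes(b"PK\x03\x04 constructed jar a")  # placeholder, not a real jar
        (lib / "other-2.3.jar").write_bytes(b"PK\x03\x04 constructed jar b")
        write_manifest(jar_manifest(lib), Path(tmp, "common-lib.sha256"))
        (lib / "mylib-1.0.jar").write_bytes(b"PK\x03\x04 tampered")   # simulate a swapped jar
        (lib / "dropped.jar").write_bytes(b"PK\x03\x04 unexpected")   # simulate an extra jar
        return verify_jars(lib, read_manifest(Path(tmp, "common-lib.sha256")))


if __name__ == "__main__":
    print(demo())
```

Commit the manifest next to the deployment scripts and run verify_jars as part of start-up or of a periodic check; the manifest format is the one sha256sum -c understands, so the same file can be checked from a shell on the server.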

2017-03-28

Finding the N-th item in descending order

Finding the N-th largest item; a rather creative way to write it in SQL. For each row of Emp1 the subquery counts how many distinct salaries are higher, so the rows returned are exactly those on the N-th highest distinct salary: ties all come back together, and nothing comes back if there are fewer than N distinct values. The correlated subquery runs once per row, so on a large table a window function such as DENSE_RANK() is the better choice.

SELECT * FROM Employee Emp1
WHERE (N-1) =   -- N: the rank you want (1 = highest); substitute a literal or bind a parameter
(
SELECT COUNT(DISTINCT(Emp2.Salary))
FROM Employee Emp2
WHERE Emp2.Salary > Emp1.Salary
)
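To see the tie and out-of-range behaviour concretely, here is the query run against a small constructed table in SQLite. This is an added example, not from the post; the Employee rows are made up, and the DENSE_RANK() variant is an extra cross-check that gives the same answer in one pass.

```python
"""Run the N-th highest salary query above on a constructed Employee table in
SQLite.  Added example, not from the post; the data is made up and chosen so
that two people share the second-highest salary, which shows that the query
returns every row at that salary and returns nothing once N exceeds the number
of distinct salaries.  A DENSE_RANK() version is included as a cross-check."""
import sqlite3

# The query from the post, with N bound as a parameter instead of a literal.
NTH_HIGHEST_SQL = """
SELECT * FROM Employee Emp1
WHERE (? - 1) =
(
    SELECT COUNT(DISTINCT(Emp2.Salary))
    FROM Employee Emp2
    WHERE Emp2.Salary > Emp1.Salary
)
ORDER BY Emp1.Name
"""

# Same result via a window function (SQLite 3.25+): one pass instead of a
# correlated subquery per row, and the usual choice on a large table.
DENSE_RANK_SQL = """
SELECT Name, Salary FROM (
    SELECT Name, Salary, DENSE_RANK() OVER (ORDER BY Salary DESC) AS rnk
    FROM Employee
)
WHERE rnk = ?
ORDER BY Name
"""

EMPLOYEES = [  # constructed sample data
    ("alice", 9000),
    ("bob", 7000),
    ("carol", 7000),
    ("dave", 5000),
    ("erin", 3000),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory Employee table loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Employee (Name TEXT PRIMARY KEY, Salary INTEGER NOT NULL)")
    conn.executemany("INSERT INTO Employee VALUES (?, ?)", EMPLOYEES)
    return conn


def nth_highest(conn: sqlite3.Connection, n: int) -> list:
    """Rows on the N-th highest distinct salary, using the post's correlated-subquery form."""
    return conn.execute(NTH_HIGHEST_SQL, (n,)).fetchall()


def supports_window_functions() -> bool:
    """DENSE_RANK() needs SQLite 3.25 or newer."""
    return sqlite3.sqlite_version_info >= (3, 25, 0)


def nth_highest_dense_rank(conn: sqlite3.Connection, n: int) -> list:
    """Same question answered with DENSE_RANK(); ties share a rank, so the results match."""
    return conn.execute(DENSE_RANK_SQL, (n,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for n in range(1, 6):
        print(n, nth_highest(db, n))
```

N is passed as a bind parameter rather than pasted into the SQL string; if the rank comes from user input that is the only safe way to do it.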

2017-03-27

Making Tomcat recognise URL-encoded Chinese file names

Tomcat 7 and earlier decode percent-encoded URLs as ISO-8859-1 by default (Tomcat 8 and later default to UTF-8 unless the org.apache.catalina.STRICT_SERVLET_COMPLIANCE system property is set, but it is still worth pinning the encoding explicitly). So you have to tell Tomcat that every URL is to be interpreted as UTF-8 after URL decoding.

Edit bin/catalina.sh (better: put the line in bin/setenv.sh, which catalina.sh sources, so a Tomcat upgrade does not overwrite it):
JAVA_OPTS="-Djavax.servlet.request.encoding=UTF-8 -Dfile.encoding=UTF-8 -Dsun.jnu.encoding=UTF-8 -Duser.timezone=GMT+08 ${JAVA_OPTS}"
(-Dsun.jnu.encoding=UTF-8 is optional; -Duser.timezone has nothing to do with encoding, it just pins the JVM timezone.)

Or edit conf/web.xml (if you changed catalina.sh there is no need to change web.xml as well):

<!-- A filter that sets the character encoding used to decode -->
<!-- parameters in a POST request -->
<filter>
    <filter-name>setCharacterEncodingFilter</filter-name>
    <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
    <init-param>
        <param-name>encoding</param-name>
        <param-value>UTF-8</param-value>
    </init-param>
</filter>
<!-- The mapping for the Set Character Encoding Filter -->
<filter-mapping>
    <filter-name>setCharacterEncodingFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Edit conf/server.xml:

<Connector port="80" protocol="HTTP/1.1"
           ...
           URIEncoding="utf-8" useBodyEncodingForURI="true"
           ...
>

URIEncoding: the charset used to decode the request URI (path and query string) when no other rule applies.
useBodyEncodingForURI: if true, query-string parameters are decoded with the request body's charset, i.e. the one from the Content-Type header or from request.setCharacterEncoding() (which is what SetCharacterEncodingFilter calls); the path itself is still decoded with URIEncoding. If false, URIEncoding is used for everything.

When writing pages it is best to percent-encode download links and the like yourself rather than leaving it to the browser, because not every browser will automatically send them URL-encoded as UTF-8. If you write JSP, also add this to web.xml (the element name is page-encoding):

<jsp-config>
    <jsp-property-group>
        <url-pattern>*.jsp</url-pattern>
        <page-encoding>UTF-8</page-encoding>
    </jsp-property-group>
</jsp-config>
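The difference the URIEncoding setting makes is easiest to see on one concrete path. The script below is an added example (not code from the post): it percent-encodes a constructed Chinese file name the way the post recommends doing by hand, decodes the same bytes as a UTF-8 connector and as an ISO-8859-1 connector would, and shows the classic re-encoding trick (Java's new String(s.getBytes("ISO-8859-1"), "UTF-8")) for repairing a string that has already been decoded wrongly.

```python
"""Show why the connector's URIEncoding matters: the same percent-encoded path
decodes to the right name as UTF-8 and to mojibake as ISO-8859-1, plus the
re-encoding trick that repairs a string which was already decoded wrongly.
Added example, not code from the post; the file name is a constructed sample."""
from urllib.parse import quote, unquote

FILENAME = "中文檔名.pdf"  # constructed sample: four CJK characters plus extension


def encode_download_link(base_url: str, filename: str) -> str:
    """Percent-encode the file name as UTF-8 bytes yourself, as the post recommends."""
    return base_url.rstrip("/") + "/" + quote(filename, safe="")


def decode_as_connector(path_segment: str, uri_encoding: str) -> str:
    """Decode a percent-encoded path segment the way a connector with URIEncoding=<uri_encoding> would."""
    return unquote(path_segment, encoding=uri_encoding, errors="strict")


def looks_like_latin1_mojibake(text: str) -> bool:
    """True if text has non-ASCII characters that, read back as Latin-1 bytes, form valid UTF-8."""
    if all(ord(ch) < 0x80 for ch in text):
        return False
    try:
        text.encode("iso-8859-1").decode("utf-8")
    except UnicodeError:
        return False
    return True


def repair_latin1_mojibake(text: str) -> str:
    """Recover the UTF-8 text from a string that was decoded as ISO-8859-1."""
    return text.encode("iso-8859-1").decode("utf-8")


if __name__ == "__main__":
    link = encode_download_link("https://example.test/files", FILENAME)
    segment = link.rsplit("/", 1)[1]
    print(link)
    print("UTF-8     :", decode_as_connector(segment, "utf-8"))
    wrong = decode_as_connector(segment, "iso-8859-1")
    print("ISO-8859-1:", wrong, "-> repaired:", repair_latin1_mojibake(wrong))
```

The repair only works because every ISO-8859-1 character maps back to exactly one byte; once a mis-decoded name has been stored in a database or written to disk as a file name, the same trick is what you apply to clean it up, and looks_like_latin1_mojibake lets you do that selectively instead of touching names that were already correct.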

2017-03-23

NetBeans keeps reporting a "duplicate class" error

You are quite sure that no class name is duplicated within the package,
yet NetBeans keeps telling you there is a duplicate class name and shows that annoying exclamation mark.
Don't doubt yourself: your NetBeans is broken!

The fix is simple though. No reinstall, no upgrade: just clear NetBeans's cache!

WINDOWS:
C:\Users\<username>\AppData\Local\NetBeans\Cache\

LINUX:
~/.cache/netbeans/${netbeans_version}/index/

MAC:
~/Library/Caches/NetBeans/${netbeans_version}/

Alternatively, the "Help » About" dialog in NetBeans shows the path of the cache directory.