当前位置：文江博客话题详情

Tomcat 有效用户的安全约束

发布于 2024-07-26 01:44:19 字数 165 浏览 7 评论 0原文

我试图保护 tomcat 中的资源，以便只有“有效用户”（在领域中具有有效登录名和密码的用户）才能访问它。他们不一定属于领域内的某个群体。我尝试了指令的多种组合，但没有成功。有任何想法吗？

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

同尘 2024-08-02 01:44:19

除了您要添加到安全约束中的身份验证约束之外：

   <auth-constraint>
       <role-name>*</role-name>
   </auth-constraint>

您还需要在网络应用程序中指定安全角色：

    <security-role>
        <role-name>*</role-name>
    </security-role>

Besides the auth-constraint you are adding to the security-constraint:

   <auth-constraint>
       <role-name>*</role-name>
   </auth-constraint>

you need specify the security role in the web-app:

    <security-role>
        <role-name>*</role-name>
    </security-role>

回复收藏 0 原文

书间行客 2024-08-02 01:44:19

tomcat中有多种领域实现——内存、数据库、JAAS等等。最容易配置（尽管不是最安全）的内存配置，它包含单个 XML 文件，通常位于 conf/tomcat-users.xml 下：

<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1"  password="tomcat" roles="role1"  />
  <user name="both"   password="tomcat" roles="tomcat,role1" />
</tomcat-users>

领域配置位于上下文、主机或引擎配置下，如下所示

<Realm className="org.apache.catalina.realm.MemoryRealm"
       pathname="conf/tomcat-users.xml" />

：，在 web.xml 中添加以下定义：

    <security-constraint>
            <web-resource-collection>
                    <web-resource-name>MRC Customer Care</web-resource-name>
                    <url-pattern>/protected/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                    <role-name>role1</role-name>
            </auth-constraint>
    </security-constraint>

    <!-- Define the Login Configuration for this Application -->
    <login-config>
            <auth-method>DIGEST</auth-method>
            <realm-name>YOUR REALM NAME</realm-name>
    </login-config>

    <security-role>
            <description>
              The role that is required to access the application. 
              Should be on from the realm (the tomcat-users.xml file).
            </description>
            <role-name>role1</role-name>                  
    </security-role>

web.xml 部分取自我们的一个 Web 应用程序（略有更改）。

There are several realm implementation in tomcat - memory, database, JAAS and more. The easiest one to configure (though not the most secure) the memory one, which contains a single XML file, usually under conf/tomcat-users.xml:

<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1"  password="tomcat" roles="role1"  />
  <user name="both"   password="tomcat" roles="tomcat,role1" />
</tomcat-users>

The realm configuration is under the context, host or engine configurations, like this:

<Realm className="org.apache.catalina.realm.MemoryRealm"
       pathname="conf/tomcat-users.xml" />

Then, in the web.xml you put the following definition:

    <security-constraint>
            <web-resource-collection>
                    <web-resource-name>MRC Customer Care</web-resource-name>
                    <url-pattern>/protected/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                    <role-name>role1</role-name>
            </auth-constraint>
    </security-constraint>

    <!-- Define the Login Configuration for this Application -->
    <login-config>
            <auth-method>DIGEST</auth-method>
            <realm-name>YOUR REALM NAME</realm-name>
    </login-config>

    <security-role>
            <description>
              The role that is required to access the application. 
              Should be on from the realm (the tomcat-users.xml file).
            </description>
            <role-name>role1</role-name>                  
    </security-role>

The web.xml part is taken (with slight change) from one of our web apps.

回复收藏 0 原文

无需解释 2024-08-02 01:44:19

如果我们使用 Tomcat 8.x ，因为提供的 server.xml 将出现在嵌套的 Realm 元素中，请在“最外面”的 Realm 元素中添加 'allRolesMode="authOnly"' 并更改上述 web.xml 进行测试。
例如，

  <Realm allRolesMode="authOnly" className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase" />
  </Realm>

请阅读 org.apache.catalina.realm.RealmBase.java 了解详细信息。

此外，logging.properties 中的以下设置也很有用。

org.apache.catalina.realm.level=ALL
org.apache.catalina.realm.useParentHandlers=true
org.apache.catalina.authenticator.level=ALL
org.apache.catalina.authenticator.useParentHandlers=true

If we are using Tomcat 8.x , as the provided server.xml will come in a nested Realm element, please add 'allRolesMode="authOnly"' in the "outmost" Realm element and change aforementioned web.xml for testing.
e.g.

  <Realm allRolesMode="authOnly" className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase" />
  </Realm>

Please read org.apache.catalina.realm.RealmBase.java for details.

Also, following settings in logging.properties are useful.

org.apache.catalina.realm.level=ALL
org.apache.catalina.realm.useParentHandlers=true
org.apache.catalina.authenticator.level=ALL
org.apache.catalina.authenticator.useParentHandlers=true

回复收藏 0 原文

~没有更多了~