如何修复对 Tomcat 中已拒绝的所请求资源的访问?

发布于 2024-08-26 10:22:45 字数 930 浏览 10 评论 0原文

我想通过使用数据库作为领域来启用基于表单的身份验证,但每当我尝试在 Tomcat 6 中以 Tomcat 管理员身份进行身份验证时,我总是收到该消息。我已经创建了一个表 user_name 和 user_roles 并将用户名(蓝色)映射到 admin和 manager 作为 mysql 中 user_roles 表中的角色,但我仍然无法进行身份验证。我已经在 server.xml 文件中重新创建了领域标记:

 <Realm className      = "org.apache.catalina.realm.JDBCRealm"
        debug          = "99" 
        driverName     = "com.mysql.jdbc.Driver"
        connectionURL  = "jdbc:mysql://localhost:3306/mail" 
        connectionName = "root" 
        userTable      = "users"
        userNameCol    = "user_name"
        userCredCol    = "user_pass"
        userRoleTable  = "user_roles" 
        roleNameCol    = "role_name" 
 /> 

任何人都可以告诉我我做错了什么,以及如何使用数据库启用基于表单的身份验证?

  1. 我已将用户“blue”声明为管理员和经理,当我尝试登录 tomcat 管理器页面时,它向我显示以下消息:

    <块引用>

    HTTP 状态 403 - 对请求的资源的访问已被拒绝

  2. 当我输入错误的用户名或密码时,tomcat 再次要求输入用户名和密码,而不是显示该消息。

I want to enable form based authentication by using database as realm but I'm always getting that message whenever I try to authenticate as Tomcat manager in Tomcat 6. I have already created a table user_name and user_roles and mapped the username(blue) to admin and manager as role in user_roles table in mysql, but I'm still unable to authenticate. I've already recreated realm tag in server.xml file:

 <Realm className      = "org.apache.catalina.realm.JDBCRealm"
        debug          = "99" 
        driverName     = "com.mysql.jdbc.Driver"
        connectionURL  = "jdbc:mysql://localhost:3306/mail" 
        connectionName = "root" 
        userTable      = "users"
        userNameCol    = "user_name"
        userCredCol    = "user_pass"
        userRoleTable  = "user_roles" 
        roleNameCol    = "role_name" 
 /> 

Could anyone please tell me what's wrong I'm doing, and how I enable form based authentication by using database?

  1. I've declared the user "blue" as both admin and manager, and when I'm trying to login in tomcat manager page, it is giving me the message:

    HTTP Status 403 - Access to the requested resource has been denied

  2. When I enter wrong username or password, tomcat again asks for username and password instead of showing that message.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

怎樣才叫好 2024-09-02 10:22:46

HTTP 状态 403(对所请求资源的访问已被拒绝)可能表示您输入了太多不正确的凭据,或者您的配置存在问题。

一个可能的问题可能是您的浏览器可能会缓存您的身份验证凭据,因为使用 BASIC 身份验证,您的浏览器只会在您第一次对站点进行身份验证时提示您输入凭据。身份验证成功后,不会再次提示您并强制您的浏览器再次提示您,有时您需要完全关闭浏览器(或尝试使用其他网络浏览器)。

如果您没有更改任何配置文件,请检查安装中的文件 conf/tomcat-users.xmllocate tomcat-users.xml)。该文件必须包含允许您使用 Tomcat Web 应用程序的凭据。

例如,要将 manager-gui 角色添加到名为 tomcat 且密码为 s3cret 的用户,请将以下内容添加到上面列出的配置文件中:

<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>

然后您可以访问您的来自 /manager/html 的 webapps 管理器(例如配置更改后重新加载)。

操作方法

了解更多信息:管理器应用程序 尝试实现您自己的安全约束(在 web.xml 中),请尝试以下示例(在 结尾之前添加它):

<!-- This security constraint protects your webapp interface. -->
<login-config>
  <!-- Define the Login Configuration -->
  <auth-method>BASIC</auth-method>
  <realm-name>Webapp</realm-name>
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <!-- Specifying a Secure Connection -->
  <user-data-constraint>
    <!-- transport-guarantee can be CONFIDENTIAL (forced SSL), INTEGRAL, or NONE -->
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- Authorization, see: tomcat-users.xml --> 
<security-role>
  <role-name>*</role-name>
</security-role>

login-config 元素包含 auth-method 元素,它指定我们使用的身份验证方法,即 BASICsecurity-constraint 元素包含 3 个元素:web-resource-collectionauth-constraintuser-data-constraint< /代码>。 Web-resource-collection 指定了我们的应用程序中需要身份验证的部分。 /* 表示整个应用程序需要身份验证。 auth-constraint 指定用户访问受保护资源所需的角色。用户数据约束的传输保证可以是NONECONFIDENTIALINTEGRAL。我们将其设置为NONE,这意味着当您尝试访问受保护的资源时不需要重定向到SSL


还要确保您

<Realm className="org.apache.catalina.realm.MemoryRealm" />

conf/server.xmlEngine 部分)中有一行:。

如果您仍然遇到问题,请尝试:

  • 检查您是否正在编辑正确的 XML 文件,
  • 验证您的 XML 文件,例如 catalina.sh configtestxmlstarlet val /etc/tomcat?/* .xml /var/lib/tomcat7/webapps/*/WEB-INF/*.xml
  • 您的 与您的 匹配; 或设置为 /*
  • 检查 Tomcat 日志(例如 /var/log/tomcat7),
  • 提高中的日志记录级别INFO -> FINE/FINEST) logging.propertieslog4j.properties (INFO、SEVERE、WARNING、INFO、CONFIG、FINE、FINER、FINEST 或 ALL),重新启动 Tomat 并检查日志,
  • 如果日志中没有任何内容,检查您是否检查了正确的日志(sudo lsof | grep -E "java.*(out|txt|log)$"tail -f /var/log/tomcat7/ *.log /var/log/tomcat7/*.txt /var/log/tomcat7/*.out),
  • 使用 log4j 日志系统时,请确保 通过将库和 log4j.properties 放入正确的文件夹并配置它来正确初始化
  • 测试 BASIC 身份验证与卷曲:

    • 没有凭据:

      $curl -vv http://example.com:8983/solr/
      

      通常请求应返回HTTP/1.1 401 Unauthorized,并且“WWW-Authenticate”标头应指示需要基本身份验证。 p>

    • 带有凭据:

      $curl -vv -u tomcat:tomcat http://example.com:8983/solr/
      

      请求应使用“Authorization”标头发送,并且应进行身份验证。如果您的凭据无效,您应该得到:HTTP/1.1 401 Unauthorized。如果用户已通过身份验证,但无权查看资源,您应该得到:HTTP/1.1 403 Forbidden

  • 可能由于失败的身份验证尝试次数过多而激活了用户锁定机制(LockOutRealm),

  • 手动停止并运行 Tomcat(与中的方式相同) : ps wuax | grep ^tomcat),例如:

    <前><代码># ps wuax | grep ^tomcat
    tomcat7 884 /usr/lib/jvm/java-7-openjdk-amd64/bin/java -Djava.util.logging.config.file=/var/lib/tomcat7/conf/logging.properties ... org.apache。 catalina.startup.Bootstrap启动
    $ /etc/init.d/tomcat7 停止
    $ sudo sudo -u tomcat7 /usr/lib/jvm/java-7-openjdk-amd64/bin/java ... -Dorg.apache.catalina.level=FINEST org.apache.catalina.startup.Bootstrap 启动

    或者开始使用 catalina.sh 脚本,例如:

    <前><代码>$ . /etc/默认/tomcat7
    $ 导出 JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64 CATALINA_HOME=/usr/share/tomcat7 CATALINA_BASE=/var/lib/tomcat7 CATALINA_PID=/var/run/tomcat7.pid CATALINA_TMPDIR=/tmp LOGGING_CONFIG= “-Dorg.apache.catalina.level=最好的”
    $ /usr/share/tomcat7/bin/catalina.sh 运行

    或者在调试模式

    $ JPDA_SUSPEND=y catalina.sh jpda 启动
    

    并检查您的catalina.out日志。

  • 最后的手段是通过以下方式调试进程:sudo strace -fp PID

HTTP Status 403 (Access to the requested resource has been denied) can indicate that either you typed too many incorrect credentials or you've some problem with your configuration.

One possible issue could be that your browser could have your authentication credentials cached, because with BASIC auth, your browser will only prompt you for credentials the first time you authenticate to your site. After a successful authentication, it will not prompt you again and to force your browser to prompt you again, sometimes you need to completely close out the browser (or try with another web browser).

If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation (locate tomcat-users.xml). That file must contain the credentials to let you use Tomcat webapp.

For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above:

<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>

Then you can access your webapps manager from /manager/html (e.g. reloading after config changes).

Read more: Manager App HOW-TO

If you're trying to implement your own security constraint (in web.xml), try the following example (add it before </web-app> ending):

<!-- This security constraint protects your webapp interface. -->
<login-config>
  <!-- Define the Login Configuration -->
  <auth-method>BASIC</auth-method>
  <realm-name>Webapp</realm-name>
</login-config>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <!-- Specifying a Secure Connection -->
  <user-data-constraint>
    <!-- transport-guarantee can be CONFIDENTIAL (forced SSL), INTEGRAL, or NONE -->
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- Authorization, see: tomcat-users.xml --> 
<security-role>
  <role-name>*</role-name>
</security-role>

The login-config element contains the auth-method element, which specifies the authentication method that we use, which is BASIC. The security-constraint element contains 3 elements: web-resource-collection, auth-constraint, and user-data-constraint. The web-resource-collection specifies the parts of our application that require authentication. The /* indicates that the whole application requires authentication. The auth-constraint specifies the role that a user needs to have in order to access the protected resources. The user-data-constraint's transport-guarantee can be NONE, CONFIDENTIAL or INTEGRAL. We set it to NONE, which means that redirecting to SSL is not required when you try to hit the protected resource.

Also make sure that you've line:

<Realm className="org.apache.catalina.realm.MemoryRealm" />

inside your conf/server.xml (Engine section).

If you still having the problem, try:

  • check if you're editing the right XML file,
  • validate your XML files, e.g. catalina.sh configtest or xmlstarlet val /etc/tomcat?/*.xml /var/lib/tomcat7/webapps/*/WEB-INF/*.xml,
  • your <url-pattern> matches in your <security-constraint> or set to /*,
  • check your Tomcat logs (e.g. /var/log/tomcat7),
  • increase logging level (INFO -> FINE/FINEST) in logging.properties or log4j.properties (INFO, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL), restart Tomat and check the logs,
  • if nothing in logs, check if you're checking the right logs (sudo lsof | grep -E "java.*(out|txt|log)$", tail -f /var/log/tomcat7/*.log /var/log/tomcat7/*.txt /var/log/tomcat7/*.out),
  • when using log4j logging system, make sure you initialized it properly by placing libs and log4j.properties into the right folder and configuring it,
  • test BASIC authentication with cURL:

    • without credentials:

      $ curl -vv http://example.com:8983/solr/
      

      Normally request should return HTTP/1.1 401 Unauthorized and the "WWW-Authenticate" header should indicate Basic authentication is required.

    • with credentials:

      $ curl -vv -u tomcat:tomcat http://example.com:8983/solr/
      

      The request should be sent with an "Authorization" header and it should authenticate. If your credentials are invalid, you should get: HTTP/1.1 401 Unauthorized. If the user is authenticated, but does not have access to view the resource you should get: HTTP/1.1 403 Forbidden.

  • maybe a user lock out mechanism has been activated for too many failed authentication attempts (LockOutRealm),

  • stop and run Tomcat manually (in the same way as in: ps wuax | grep ^tomcat), e.g.:

    # ps wuax | grep ^tomcat
    tomcat7    884  /usr/lib/jvm/java-7-openjdk-amd64/bin/java -Djava.util.logging.config.file=/var/lib/tomcat7/conf/logging.properties ... org.apache.catalina.startup.Bootstrap start
    $ /etc/init.d/tomcat7 stop
    $ sudo sudo -u tomcat7 /usr/lib/jvm/java-7-openjdk-amd64/bin/java ...  -Dorg.apache.catalina.level=FINEST org.apache.catalina.startup.Bootstrap start
    

    Alternatively start using catalina.sh script like:

    $ . /etc/default/tomcat7
    $ export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64 CATALINA_HOME=/usr/share/tomcat7 CATALINA_BASE=/var/lib/tomcat7 CATALINA_PID=/var/run/tomcat7.pid CATALINA_TMPDIR=/tmp LOGGING_CONFIG="-Dorg.apache.catalina.level=FINEST"
    $ /usr/share/tomcat7/bin/catalina.sh run
    

    Or in debug mode:

    $ JPDA_SUSPEND=y catalina.sh jpda start
    

    and check your catalina.out log.

  • last resort is to debug process by: sudo strace -fp PID.

弱骨蛰伏 2024-09-02 10:22:46

您需要定义另一个名为“tomcat”的用户角色,并使用户“blue”成为该组的成员。

您可以在 web.xml 文件中更改此约束所需的角色组名称:

<auth-constraint>
    <role-name>tomcat</role-name>
</auth-constraint>

You need to define another user role named 'tomcat' and make user 'blue' a member of this group.

You can change the name of role group needed by this constraint in web.xml file:

<auth-constraint>
    <role-name>tomcat</role-name>
</auth-constraint>
兔小萌 2024-09-02 10:22:46

当我使用 BASIC 身份验证时,我收到了相同的错误“HTTP 状态 403 - 对请求的资源的访问已被拒绝”,而不是弹出窗口。我使用了自定义角色(我的名字),但它不起作用。因此,我将角色设置为(manager-gui)并为其分配用户名和密码。设置后我得到了所需的结果。使用 manager-gui 作为角色,然后重试。

I got the same error "HTTP Status 403 - Access to the requested resource has been denied", ,instead of pop-up window ,when i used BASIC authentication .I had used my customize role(myname) but it didn't worked. So , i set role to (manager-gui) and assigned username and password to it. After setting it i got required result. Use manager-gui as a role and then try again.

烟酉 2024-09-02 10:22:45

我自己没试过这个。您可以尝试更改 TOMCAT_HOME_DIR\webapps\manager\WEB-INF\web.xml 中的身份验证方法,将身份验证方法设置为 FORM。领域名称并不重要。

<login-config>   <auth-method>FORM</auth-method>   <realm-name>Tomcat Manager Application</realm-name> </login-config>

另外只需确认 - 您必须在 server.xml 中仅保留一个 Realm,注释掉默认的 Realm。

I havent tried this myself. Can you try changing the auth-method in the TOMCAT_HOME_DIR\webapps\manager\WEB-INF\web.xml to point the auth-method set to FORM. The realm-name does not matter.

<login-config>   <auth-method>FORM</auth-method>   <realm-name>Tomcat Manager Application</realm-name> </login-config>

Also just confirm - you'll have to keep only one Realm in the server.xml, comment out the default one.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文