如何修复对 Tomcat 中已拒绝的所请求资源的访问?
我想通过使用数据库作为领域来启用基于表单的身份验证,但每当我尝试在 Tomcat 6 中以 Tomcat 管理员身份进行身份验证时,我总是收到该消息。我已经创建了一个表 user_name 和 user_roles 并将用户名(蓝色)映射到 admin和 manager 作为 mysql 中 user_roles 表中的角色,但我仍然无法进行身份验证。我已经在 server.xml 文件中重新创建了领域标记:
<Realm className = "org.apache.catalina.realm.JDBCRealm"
debug = "99"
driverName = "com.mysql.jdbc.Driver"
connectionURL = "jdbc:mysql://localhost:3306/mail"
connectionName = "root"
userTable = "users"
userNameCol = "user_name"
userCredCol = "user_pass"
userRoleTable = "user_roles"
roleNameCol = "role_name"
/>
任何人都可以告诉我我做错了什么,以及如何使用数据库启用基于表单的身份验证?
我已将用户“blue”声明为管理员和经理,当我尝试登录 tomcat 管理器页面时,它向我显示以下消息:
<块引用>HTTP 状态 403 - 对请求的资源的访问已被拒绝
当我输入错误的用户名或密码时,tomcat 再次要求输入用户名和密码,而不是显示该消息。
I want to enable form based authentication by using database as realm but I'm always getting that message whenever I try to authenticate as Tomcat manager in Tomcat 6. I have already created a table user_name and user_roles and mapped the username(blue) to admin and manager as role in user_roles table in mysql, but I'm still unable to authenticate. I've already recreated realm tag in server.xml file:
<Realm className = "org.apache.catalina.realm.JDBCRealm"
debug = "99"
driverName = "com.mysql.jdbc.Driver"
connectionURL = "jdbc:mysql://localhost:3306/mail"
connectionName = "root"
userTable = "users"
userNameCol = "user_name"
userCredCol = "user_pass"
userRoleTable = "user_roles"
roleNameCol = "role_name"
/>
Could anyone please tell me what's wrong I'm doing, and how I enable form based authentication by using database?
I've declared the user "blue" as both admin and manager, and when I'm trying to login in tomcat manager page, it is giving me the message:
HTTP Status 403 - Access to the requested resource has been denied
When I enter wrong username or password, tomcat again asks for username and password instead of showing that message.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
HTTP 状态 403(对所请求资源的访问已被拒绝)可能表示您输入了太多不正确的凭据,或者您的配置存在问题。
一个可能的问题可能是您的浏览器可能会缓存您的身份验证凭据,因为使用 BASIC 身份验证,您的浏览器只会在您第一次对站点进行身份验证时提示您输入凭据。身份验证成功后,不会再次提示您并强制您的浏览器再次提示您,有时您需要完全关闭浏览器(或尝试使用其他网络浏览器)。
如果您没有更改任何配置文件,请检查安装中的文件
conf/tomcat-users.xml(locate tomcat-users.xml)。该文件必须包含允许您使用 Tomcat Web 应用程序的凭据。例如,要将 manager-gui 角色添加到名为
tomcat且密码为s3cret的用户,请将以下内容添加到上面列出的配置文件中:然后您可以访问您的来自
/manager/html的 webapps 管理器(例如配置更改后重新加载)。操作方法
了解更多信息:管理器应用程序 尝试实现您自己的安全约束(在
web.xml中),请尝试以下示例(在结尾之前添加它):还要确保您
的
conf/server.xml(Engine部分)中有一行:。如果您仍然遇到问题,请尝试:
catalina.sh configtest或xmlstarlet val /etc/tomcat?/* .xml /var/lib/tomcat7/webapps/*/WEB-INF/*.xml,匹配; /*,/var/log/tomcat7),中的日志记录级别(或INFO->FINE/FINEST) logging.propertieslog4j.properties(INFO、SEVERE、WARNING、INFO、CONFIG、FINE、FINER、FINEST 或 ALL),重新启动 Tomat 并检查日志,sudo lsof | grep -E "java.*(out|txt|log)$"、tail -f /var/log/tomcat7/ *.log /var/log/tomcat7/*.txt /var/log/tomcat7/*.out),log4j日志系统时,请确保 通过将库和log4j.properties放入正确的文件夹并配置它来正确初始化,测试 BASIC 身份验证与卷曲:
没有凭据:
通常请求应返回HTTP/1.1 401 Unauthorized,并且“WWW-Authenticate”标头应指示需要基本身份验证。 p>
带有凭据:
请求应使用“Authorization”标头发送,并且应进行身份验证。如果您的凭据无效,您应该得到:HTTP/1.1 401 Unauthorized。如果用户已通过身份验证,但无权查看资源,您应该得到:HTTP/1.1 403 Forbidden。
可能由于失败的身份验证尝试次数过多而激活了用户锁定机制(LockOutRealm),
手动停止并运行 Tomcat(与中的方式相同) :
ps wuax | grep ^tomcat),例如:<前><代码># ps wuax | grep ^tomcat
tomcat7 884 /usr/lib/jvm/java-7-openjdk-amd64/bin/java -Djava.util.logging.config.file=/var/lib/tomcat7/conf/logging.properties ... org.apache。 catalina.startup.Bootstrap启动
$ /etc/init.d/tomcat7 停止
$ sudo sudo -u tomcat7 /usr/lib/jvm/java-7-openjdk-amd64/bin/java ... -Dorg.apache.catalina.level=FINEST org.apache.catalina.startup.Bootstrap 启动
或者开始使用
catalina.sh脚本,例如:<前><代码>$ . /etc/默认/tomcat7
$ 导出 JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64 CATALINA_HOME=/usr/share/tomcat7 CATALINA_BASE=/var/lib/tomcat7 CATALINA_PID=/var/run/tomcat7.pid CATALINA_TMPDIR=/tmp LOGGING_CONFIG= “-Dorg.apache.catalina.level=最好的”
$ /usr/share/tomcat7/bin/catalina.sh 运行
或者在调试模式:
并检查您的
catalina.out日志。最后的手段是通过以下方式调试进程:
sudo strace -fp PID。HTTP Status 403 (Access to the requested resource has been denied) can indicate that either you typed too many incorrect credentials or you've some problem with your configuration.
One possible issue could be that your browser could have your authentication credentials cached, because with BASIC auth, your browser will only prompt you for credentials the first time you authenticate to your site. After a successful authentication, it will not prompt you again and to force your browser to prompt you again, sometimes you need to completely close out the browser (or try with another web browser).
If you have not changed any configuration files, please examine the file
conf/tomcat-users.xmlin your installation (locate tomcat-users.xml). That file must contain the credentials to let you use Tomcat webapp.For example, to add the manager-gui role to a user named
tomcatwith a password ofs3cret, add the following to the config file listed above:Then you can access your webapps manager from
/manager/html(e.g. reloading after config changes).Read more: Manager App HOW-TO
If you're trying to implement your own security constraint (in
web.xml), try the following example (add it before</web-app>ending):Also make sure that you've line:
inside your
conf/server.xml(Enginesection).If you still having the problem, try:
catalina.sh configtestorxmlstarlet val /etc/tomcat?/*.xml /var/lib/tomcat7/webapps/*/WEB-INF/*.xml,<url-pattern>matches in your<security-constraint>or set to/*,/var/log/tomcat7),INFO->FINE/FINEST) inlogging.propertiesorlog4j.properties(INFO, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST or ALL), restart Tomat and check the logs,sudo lsof | grep -E "java.*(out|txt|log)$",tail -f /var/log/tomcat7/*.log /var/log/tomcat7/*.txt /var/log/tomcat7/*.out),log4jlogging system, make sure you initialized it properly by placing libs andlog4j.propertiesinto the right folder and configuring it,test BASIC authentication with cURL:
without credentials:
Normally request should return HTTP/1.1 401 Unauthorized and the "WWW-Authenticate" header should indicate Basic authentication is required.
with credentials:
The request should be sent with an "Authorization" header and it should authenticate. If your credentials are invalid, you should get: HTTP/1.1 401 Unauthorized. If the user is authenticated, but does not have access to view the resource you should get: HTTP/1.1 403 Forbidden.
maybe a user lock out mechanism has been activated for too many failed authentication attempts (LockOutRealm),
stop and run Tomcat manually (in the same way as in:
ps wuax | grep ^tomcat), e.g.:Alternatively start using
catalina.shscript like:Or in debug mode:
and check your
catalina.outlog.last resort is to debug process by:
sudo strace -fp PID.您需要定义另一个名为“tomcat”的用户角色,并使用户“blue”成为该组的成员。
您可以在 web.xml 文件中更改此约束所需的角色组名称:
You need to define another user role named 'tomcat' and make user 'blue' a member of this group.
You can change the name of role group needed by this constraint in web.xml file:
当我使用 BASIC 身份验证时,我收到了相同的错误“HTTP 状态 403 - 对请求的资源的访问已被拒绝”,而不是弹出窗口。我使用了自定义角色(我的名字),但它不起作用。因此,我将角色设置为(manager-gui)并为其分配用户名和密码。设置后我得到了所需的结果。使用 manager-gui 作为角色,然后重试。
I got the same error "HTTP Status 403 - Access to the requested resource has been denied", ,instead of pop-up window ,when i used BASIC authentication .I had used my customize role(myname) but it didn't worked. So , i set role to (manager-gui) and assigned username and password to it. After setting it i got required result. Use manager-gui as a role and then try again.
我自己没试过这个。您可以尝试更改 TOMCAT_HOME_DIR\webapps\manager\WEB-INF\web.xml 中的身份验证方法,将身份验证方法设置为 FORM。领域名称并不重要。
另外只需确认 - 您必须在 server.xml 中仅保留一个 Realm,注释掉默认的 Realm。
I havent tried this myself. Can you try changing the auth-method in the
TOMCAT_HOME_DIR\webapps\manager\WEB-INF\web.xmlto point the auth-method set to FORM. The realm-name does not matter.Also just confirm - you'll have to keep only one Realm in the server.xml, comment out the default one.