Tomcat: bypass basic authentication for a specified IP address

Published 2024-12-07 14:21:09 · 1033 characters · 0 views · 0 comments · Original


I have configured Tomcat for basic authentication.
I do not want anyone to have access to my web application, but the app is serving web services.
So I want to bypass basic authentication for a specific IP address (that IP should not require authentication).

tomcat-users.xml:

<tomcat-users>
<user username="user" password="password" roles="user"/>
</tomcat-users>

web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>You must enter your login credentials to continue</realm-name>
</login-config>

<security-role>
  <description>
    The role that is required to log in to the Application
  </description>
  <role-name>user</role-name>
</security-role>

Thanks,
Chetan.


Comments (1)

翻了热茶 2024-12-14 14:21:09


If you would like to allow just a few IP addresses and disallow everybody else, the Remote Address Filter Valve is what you need.

If you want the clients from unknown IP addresses to see the basic login dialog and be able to log in, you need a custom Valve. The source of the RemoteAddrValve (and its parent class RequestFilterValve) is a good starting point. Take a look at my former answer too.

Anyway, below is proof-of-concept code. It puts a filled Principal into the Request if the client is coming from a trusted IP, so the login module will not ask for the password. Otherwise it does not touch the Request object and the user can log in as usual.

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

/**
 * Valve that pre-authenticates requests arriving from one trusted IP address.
 * Requests from any other address are passed through untouched, so the
 * configured BASIC authenticator still challenges them as usual.
 */
public class AutoLoginValve extends ValveBase {

    // Set from server.xml via the trustedIpAddress attribute.
    private String trustedIpAddress;

    public AutoLoginValve() {
    }

    @Override
    public void invoke(final Request request, final Response response)
            throws IOException, ServletException {
        final String remoteAddr = request.getRemoteAddr();
        // Exact string comparison; if trustedIpAddress was never configured it
        // is null, equals() returns false and nobody is logged in automatically.
        final boolean isTrustedIp = remoteAddr.equals(trustedIpAddress);
        System.out.println("remoteAddr: " + remoteAddr + ", trusted ip: "
                + trustedIpAddress + ", isTrustedIp: " + isTrustedIp);
        if (isTrustedIp) {
            final String username = "myTrustedUser";
            final String credentials = "credentials";
            final List<String> roles = new ArrayList<String>();
            roles.add("user");
            roles.add("admin");

            // A Principal already present on the Request is what makes the
            // BASIC authenticator skip the password challenge for this request.
            final Principal principal = new GenericPrincipal(username,
                    credentials, roles);
            request.setUserPrincipal(principal);
        }

        getNext().invoke(request, response);
    }

    public void setTrustedIpAddress(final String trustedIpAddress) {
        System.out.println("setTrustedIpAddress " + trustedIpAddress);
        this.trustedIpAddress = trustedIpAddress;
    }

}

And a config example for the server.xml:

<Valve className="autologinvalve.AutoLoginValve" 
    trustedIpAddress="127.0.0.1" />
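The trust decision in the valve above is a single exact string comparison, which misses IPv6 loopback (`::1`), IPv4-mapped forms (`::ffff:127.0.0.1`), whole networks, and the case where Tomcat sits behind a reverse proxy and `getRemoteAddr()` is the proxy. The following is an added example, not code from the answer or from Tomcat: a stand-alone Python model of the decision logic one would port into such a valve, with the class name, method names and every address being constructed for illustration.

```python
"""Model of an IP-based Basic-auth bypass decision (constructed example).

Compared with the posted valve's remoteAddr.equals(trustedIpAddress) it adds:
CIDR allow-lists, IPv4-mapped IPv6 normalisation, and X-Forwarded-For that is
honoured only when the direct TCP peer is a trusted reverse proxy.
"""
import ipaddress
from typing import Iterable, Optional


def _normalise(addr: str):
    """Parse an address; fold ::ffff:a.b.c.d down to a.b.c.d."""
    ip = ipaddress.ip_address(addr.strip())
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


class TrustedSourcePolicy:
    def __init__(self, trusted_networks: Iterable[str],
                 trusted_proxies: Iterable[str] = ()):
        # Single addresses are accepted too; strict=False turns them into /32 or /128.
        self.trusted_networks = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
        self.trusted_proxies = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    @staticmethod
    def _in(ip, networks) -> bool:
        return any(ip.version == n.version and ip in n for n in networks)

    def effective_client(self, peer_addr: str, x_forwarded_for: Optional[str]):
        """Walk X-Forwarded-For from the right, peeling off only trusted proxies.

        Hops to the left of the first untrusted address were supplied by that
        untrusted party and are ignored, so a client cannot forge a trusted IP.
        """
        hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
        client = _normalise(peer_addr)
        while hops and self._in(client, self.trusted_proxies):
            client = _normalise(hops.pop())
        return client

    def may_bypass_auth(self, peer_addr: str, x_forwarded_for: Optional[str] = None) -> bool:
        """True only if the vouched-for client address is inside an allowed network."""
        try:
            client = self.effective_client(peer_addr, x_forwarded_for)
        except ValueError:
            return False  # unparsable address or header: fail closed, require Basic auth
        return self._in(client, self.trusted_networks)
```

With no trusted proxies configured, the header is never consulted and only the TCP peer address counts, which is the safe default when Tomcat is reached directly.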