Tomcat 7 - Multiple security-constraints not working

Posted on 2025-01-08 10:32:44

Running Tomcat 7, I am trying to configure the /conf/web.xml on the Tomcat server to secure some URLs with basic authentication and to provide some other URLs for public access.

The tomcat-users.xml contains the following role and user:

<role rolename="test-ui"/>
<user username="paul" password="password" roles="test-ui"/>

I have added the following section to Tomcat's /conf/web.xml:

<security-constraint>
   <web-resource-collection>
     <web-resource-name>Public access</web-resource-name>
     <url-pattern>/docs/*</url-pattern>
   </web-resource-collection>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected access</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>test-ui</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <description>Protected access</description>
    <role-name>test-ui</role-name>
</security-role>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

So there are two 'security-constraint' elements; the public one does not contain the 'auth-constraint', which actually should mean there is no authentication necessary.

When I open the URL
http://localhost:8080

Tomcat asks for authentication.
This is fine, however when I open the URL
http://localhost:8080/docs/

Tomcat also asks for authentication, and to my understanding this is configured as a "non secure" URL - so public access, but it does not behave like this.

What did I do wrong in the configuration, or is this scenario not supposed to work like this?

Thanks.
Paul

Comments (2)

枉心 2025-01-15 10:32:44

You need the <auth-constraint> node in the <security-constraint>, even if it is empty, e.g. <auth-constraint/>

夜灵血窟げ 2025-01-15 10:32:44

If a security-constraint does not exist, the Container MUST allow unauthenticated access for these URLs. security-constraint is optional.
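
An added example, not part of the original thread and not Tomcat's code: a small Python model of how the Servlet specification selects the constraint for a request, run over the two constraints from the question. It assumes the stock Tomcat layout, in which conf/web.xml is merged into every web application and /docs is served by a separate webapp with context path /docs; the function names are hypothetical, and constraints sharing one url-pattern (which the spec combines) are not modelled.

```python
# Added example: a model of Servlet-spec constraint selection, not Tomcat code.
# Constraint = (web-resource-name, url-pattern, roles):
#   roles is None -> no <auth-constraint>: unauthenticated access is allowed
#   roles == []   -> empty <auth-constraint/>: nobody may access the resource
#   roles == [..] -> caller must authenticate and hold one of the roles
PAGE_CONSTRAINTS = [
    ("Public access", "/docs/*", None),
    ("Protected access", "/*", ["test-ui"]),
]


def match_rank(pattern, path):
    """Rank a url-pattern match (higher wins); None when it does not match."""
    if pattern == path:
        return (2, len(pattern))                 # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, len(prefix))              # longest path prefix wins
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (0, 0)                            # extension match
    return None


def decide(request_uri, context_path, constraints=PAGE_CONSTRAINTS):
    """Return (path inside the webapp, constraint applied, outcome)."""
    # url-patterns are matched against the path relative to the context root.
    path = request_uri[len(context_path):] or "/"
    best = None
    for name, pattern, roles in constraints:
        rank = match_rank(pattern, path)
        if rank is not None and (best is None or rank > best[0]):
            best = (rank, name, roles)
    if best is None or best[2] is None:
        return (path, best[1] if best else None, "public")
    if not best[2]:
        return (path, best[1], "denied")
    return (path, best[1], "login required: " + ",".join(best[2]))


if __name__ == "__main__":
    # Constructed requests; "/docs" as a context path is an assumption
    # (the docs webapp of a stock Tomcat install), "" is the ROOT webapp.
    for uri, ctx in [("/", ""), ("/docs/", "/docs"),
                     ("/docs/docs/a.html", "/docs"), ("/docs/a.html", "")]:
        print(ctx or "ROOT", uri, "->", decide(uri, ctx))
```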
