java: Tomcat security constraint for valid users

Note: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it, you must follow the same CC BY-SA licence, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/1089600/
Warning: these are provided under the cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow

Date: 2020-10-29 15:08:38  Source: igfitidea

Tomcat security constraint for valid user

Tags: java, tomcat, web-applications, security-constraint

Asked by Ricardo Marimon

I'm trying to protect a resource in Tomcat so that only "valid users" (those with a valid login and password in the realm) can access it. They do not necessarily belong to a group in the realm. I have tried many combinations of the <security-constraint> directive without success. Any ideas?

Answered by Eliecer Leiton

Besides the auth-constraint you are adding to the security-constraint:

   <auth-constraint>
       <role-name>*</role-name>
   </auth-constraint>

you need to specify the security role in the web-app:

    <security-role>
        <role-name>*</role-name>
    </security-role>

Answered by David Rabinowitz

There are several realm implementations in Tomcat: memory, database, JAAS and more. The easiest one to configure (though not the most secure) is the memory one, which uses a single XML file, usually under conf/tomcat-users.xml:

<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1"  password="tomcat" roles="role1"  />
  <user name="both"   password="tomcat" roles="tomcat,role1" />
</tomcat-users>

The realm configuration is under the context, host or engine configurations, like this:

<Realm className="org.apache.catalina.realm.MemoryRealm"
       pathname="conf/tomcat-users.xml" />

Then, in the web.xml you put the following definition:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>MRC Customer Care</web-resource-name>
            <url-pattern>/protected/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>role1</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Define the Login Configuration for this Application -->
    <login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>YOUR REALM NAME</realm-name>
    </login-config>

    <security-role>
        <description>
            The role that is required to access the application.
            Should be one from the realm (the tomcat-users.xml file).
        </description>
        <role-name>role1</role-name>
    </security-role>

The web.xml part is taken (with slight change) from one of our web apps.

Answered by WENPIN

If we are using Tomcat 8.x, since the provided server.xml comes with a nested Realm element, please add 'allRolesMode="authOnly"' to the outermost Realm element and change the aforementioned web.xml for testing, e.g.

  <Realm allRolesMode="authOnly" className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase" />
  </Realm>

Please read org.apache.catalina.realm.RealmBase.java for details.

Also, the following settings in logging.properties are useful.

org.apache.catalina.realm.level=ALL
org.apache.catalina.realm.useParentHandlers=true
org.apache.catalina.authenticator.level=ALL
org.apache.catalina.authenticator.useParentHandlers=true
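The difference between the `*` role-name in Eliecer's answer and the allRolesMode="authOnly" setting in WENPIN's answer can be seen by modelling Tomcat's authorization decision in Python. This is an added example, not code from any of the answers or from Tomcat itself: it assumes the allRolesMode values documented for Tomcat Realms (strict, authOnly, strictAuthOnly) and uses a constructed web.xml and user table based on the snippets above.

```python
# Simplified model of Tomcat's RealmBase authorization decision for the web.xml above
# (allRolesMode semantics as described in the Tomcat Realm docs; not Tomcat's own code).
import xml.etree.ElementTree as ET

# Constructed web.xml: a role1-only area plus an "any valid user" area that uses "*".
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/protected/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>role1</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/users/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>role1</role-name></security-role>
</web-app>"""

# Constructed principals, as a MemoryRealm would build them from tomcat-users.xml.
USERS = {"tomcat": {"tomcat"}, "role1": {"role1"}, "both": {"tomcat", "role1"}}

def matches(pattern, path):
    """Servlet url-pattern match: exact, or path prefix for patterns ending in /*."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def allowed(web_xml, user, path, all_roles_mode="strict"):
    """True if `user` (None = not logged in) may reach `path` under allRolesMode."""
    app = ET.fromstring(web_xml)
    declared = {r.text for r in app.iterfind("security-role/role-name")}
    roles = USERS.get(user, set()) if user else set()
    matched = False
    for sc in app.iterfind("security-constraint"):
        if not any(matches(p.text, path)
                   for p in sc.iterfind("web-resource-collection/url-pattern")):
            continue
        matched = True
        if sc.find("auth-constraint") is None:
            return True                     # no auth-constraint at all: open to everyone
        if user is None:
            continue                        # unauthenticated: cannot satisfy the constraint
        required = {r.text for r in sc.iterfind("auth-constraint/role-name")}
        if "*" in required:
            if all_roles_mode == "authOnly" or (
                    all_roles_mode == "strictAuthOnly" and not declared):
                return True                 # being authenticated is enough
            required = (required - {"*"}) | declared   # strict: any declared role
        if required & roles:
            return True                     # Tomcat grants when any matching constraint passes
    return not matched                      # URLs with no constraint are public
```

With the default strict mode the user "tomcat" is refused at /users/* because `*` expands to the declared role role1; with authOnly any logged-in user passes, while unauthenticated requests are still refused.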