Java: How do I get basic authentication working on WebSphere?
Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use it you must likewise comply with CC BY-SA, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/6306997/
How do I get basic authentication working on WebSphere?
Asked by ZKSteffel
Okay, so I've been running a Java/Jersey webservice on Tomcat with basic authentication which works perfectly fine. I've got permissions set up in the web.xml file of my project, and users set up in tomcat-users.xml on the server. Works great.
Problem is, now I have to transfer this project to WebSphere, which has nowhere near as simple of an implementation of basic authentication.
I've seen this question: Websphere 6.1 and BASIC Authentication and looked at Chapter 7 of this pdf like suggested, but I can't seem to find the right settings (I have no option labeled 'enable global security' like most methods use), and am trying to run my project, while the pdf is extremely project specific.
So to ask my question clearly, what is the easiest way to enable basic authentication on WebSphere 6.1?
Answered by Gurnard
After writing all this below I remember I have blogged about this for myself here:
WebSphere 6.1 and Application Authentication
As I understand you have setup your web.xml correctly thus:
<security-role>
    <role-name>myrole</role-name>
</security-role>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>mySec</web-resource-name>
        <url-pattern>/yourUrl</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>TRACE</http-method>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>myrole</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>SSL or MSSL not required</description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>my login</realm-name>
</login-config>
This is if you are using the administration console (you don't state that you are not), so go to the console:
http://localhost:9060/ibm/console
Then login (if you have administrative security setup)
Then go here
- left hand panel click Security
- Secure administration, applications, and infrastructure
- There is then a section on the page Application security
- Check the box Enable application security
- click apply, then save to master config.
Then you have application security turned on. Now you need to map the users of your application to users within websphere.
Go here
- Applications > Enterprise Applications
- Click your application
- Under the Detailed Properties section you will see a link Security role to user/group mapping (you will only see this link if your web.xml is setup correctly) - click the Security role to user/group mapping
- Select the roles you wish to use for authentication
- Click look up users or look up groups
- click search and select users (that are setup in your websphere under Users and Groups menu)
- use the arrows to move the selected users/groups to the right hand box
- click ok and save to master configuration.
- restart your server.
Administration security (security of Websphere itself) must be turned on for it to work.
WebSphere can be complex but it is powerful and capable.
Answered by Jeff Williams
You shouldn't list http-methods. Doing so means that the security-constraint ONLY applies to those methods and can be bypassed with so-called "extension" methods, like the JEFF method. Just remove them and the constraint will apply to everything. There's a paper on http verb tampering at https://www.aspectsecurity.com/research/aspsec_presentations/download-bypassing-web-authentication-and-authorization-with-http-verb-tampering/
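As an added example (not code from either answer), here is a small Python linter that applies the point made in this answer to a web.xml: it reports every security-constraint whose web-resource-collection enumerates http-method elements, since such a constraint leaves every unlisted verb unprotected, and it emits the hardened form with those elements removed so the constraint covers all methods. The sample web.xml is constructed here from the fragment in Gurnard's answer plus a second, already-correct constraint; the javaee namespace declaration is an assumption about a typical Servlet 2.5 descriptor.

```python
"""Lint a web.xml for security-constraints that enumerate <http-method>.

Added example, not from the StackOverflow post. A servlet container applies
a <security-constraint> only to the verbs it lists, so listing verbs leaves
every other verb unprotected. This linter flags such constraints and builds
the hardened form: the same constraint with every <http-method> removed.
"""
import xml.etree.ElementTree as ET

# Constructed sample based on the fragment from Gurnard's answer; the
# namespace declaration is assumed (a typical Servlet 2.5 web.xml).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-role><role-name>myrole</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>mySec</web-resource-name>
      <url-pattern>/yourUrl</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>myrole</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>myrole</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace: '{ns}http-method' -> 'http-method'."""
    return tag.rsplit('}', 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def find_method_enumerated_constraints(web_xml):
    """Return one finding per web-resource-collection that lists verbs.

    Each finding is (web-resource-name, [url-patterns], [listed methods]).
    A collection with no <http-method> covers all verbs and is not reported.
    """
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        for wrc in _children(sc, 'web-resource-collection'):
            methods = [m.text.strip() for m in _children(wrc, 'http-method')]
            if not methods:
                continue
            name_el = _children(wrc, 'web-resource-name')
            name = name_el[0].text.strip() if name_el else '(unnamed)'
            patterns = [p.text.strip() for p in _children(wrc, 'url-pattern')]
            findings.append((name, patterns, methods))
    return findings


def harden(web_xml):
    """Return web_xml with every <http-method> removed from its constraints,
    so each constraint applies to all verbs (the fix from the answer)."""
    root = ET.fromstring(web_xml)
    if root.tag.startswith('{'):
        # Keep the default namespace unprefixed in the serialized output.
        ET.register_namespace('', root.tag[1:].split('}', 1)[0])
    # Materialize the element list first: removing children while iterating
    # the live tree could skip elements.
    for wrc in [e for e in root.iter()
                if _local(e.tag) == 'web-resource-collection']:
        for m in _children(wrc, 'http-method'):
            wrc.remove(m)
    return ET.tostring(root, encoding='unicode')


if __name__ == '__main__':
    for name, patterns, methods in find_method_enumerated_constraints(SAMPLE_WEB_XML):
        print(f"{name}: {patterns} protected only for {methods}; "
              f"other verbs bypass the constraint")
    print(harden(SAMPLE_WEB_XML))
```

Run against the sample, the linter reports only the mySec constraint (GET and POST listed), leaves the admin constraint alone, and the hardened descriptor keeps both url-patterns with no http-method elements. Point it at a real web.xml by replacing SAMPLE_WEB_XML with the file contents.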