Java Servlet - isUserInRole()
Disclaimer: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must attribute it to the original authors (not me): StackOverflow
Original question: http://stackoverflow.com/questions/24302667/
Servlet - isUserInRole()
Asked by Hubert
Spec:
Servlet: 3.0
Java: 7
Tomcat: 7.0.54
Intro:
It is possible to check programmatically whether the user has a specific role using the method HttpServletRequest.isUserInRole().
For example:
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String username = null;
        String password = null;
        // get username and password manually from the Authorization header
        // ...
        request.login(username, password);
        if (request.isUserInRole("boss")) {
            // do something
        } else {
            // do something else
        }
        request.logout();
    }
This works fine, but this solution requires manually retrieving the username and password from the Authorization header and then logging in using these credentials.
Questions:
Is it possible to just do something like this, without retrieving data from the header and manually calling login()?
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        if (request.isUserInRole("boss")) {
            // do something
        } else {
            // do something else
        }
    }
Trying to answer myself:
From my understanding, this code requires proper configuration in web.xml. This example works with the following configuration in the web.xml file:
    <web-app ...>
        ...
        <security-constraint>
            <web-resource-collection>
                <url-pattern>/HelloWorld</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>boss</role-name>
            </auth-constraint>
        </security-constraint>
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>DefaultRealm</realm-name>
        </login-config>
    </web-app>
But this means that programmatically checking roles is not required, since the configuration in web.xml is all we need to restrict access.
Summary:
- Is it possible to programmatically check roles without specifying restrictions (auth-constraint) in web.xml?
- If not, does this mean that using isCallerInRole() only performs checking for additional roles, because the main required role is specified in web.xml?
Thanks.
Edit 1:
Since the first answer suggests adding a login-config element to my web.xml, I must say I already have it. I added it to the code snippet, as I didn't include it when posting the question. And the example works with this configuration. But when I remove auth-constraint or the whole security-constraint, the presence of login-config is not enough.
I added info about the container: Tomcat 7.0.54.
Answered by win_wave
Here is the answer to your issue: if you are using Basic authentication, add this:
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ourRealm</realm-name>
    </login-config>
Answered by Bruno Grieder
The basic authorization mechanism provided by servlets in web.xml is basic and mostly 'hard-coded'.
If you want to implement a more elaborate way of checking user roles/authorizations, you need to secure your servlets; then you have a few possibilities:
Answered by Hubert
Question 1:
Is it possible to programmatically check roles without specifying restrictions (auth-constraint) in web.xml?
Answer:
Yes, it is possible. There is no need to specify restrictions in web.xml. There is no need to put a security-constraint in web.xml.
In addition, there is no need to manually retrieve credentials from the Authorization header and then manually login().
Solution:
Here is a working example:
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        request.authenticate(response); // solution
        if (request.isUserInRole("boss")) {
            // do something
        } else {
            // do something else
        }
    }
web.xml:
    <web-app ...>
        ...
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>DefaultRealm</realm-name>
        </login-config>
    </web-app>
And that works.
As you see, the method HttpServletRequest.authenticate() is used and does the trick. The documentation says:
Triggers the same authentication process as would be triggered if the request is for a resource that is protected by a security constraint.
That is all we need. I hope it helps someone in the future.
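The accepted approach with the checks a practitioner would add around it, as an added example that is not part of the original answer. The point the accepted snippet leaves implicit is the boolean returned by authenticate(): when it is false the container has already written the 401 challenge into the response, so the servlet must return without touching the response again. The example also shows why the "Edit 1" configuration (login-config only, no security-constraint) appeared not to work: isUserInRole() simply returns false while no caller is authenticated, and nothing triggers the challenge until authenticate() is called. Assumed: the class name, a web.xml containing only the BASIC login-config (shown in the trailing comment), and a realm user holding the role "boss". Note that in Tomcat the <realm-name> element is just the string shown in the challenge; credentials are verified by the <Realm> configured in server.xml/context.xml (by default conf/tomcat-users.xml).

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not the answer's own code): on-demand container authentication via
// HttpServletRequest.authenticate(), with no <security-constraint> in web.xml.
public class ProgrammaticRoleServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // Public part of the servlet: no authentication required. isUserInRole() is safe to
        // call here; without an authenticated caller it returns false and triggers nothing.
        if ("status".equals(request.getParameter("action"))) {
            response.getWriter().println("authenticated=" + (request.getUserPrincipal() != null)
                    + " boss=" + request.isUserInRole("boss"));
            return;
        }

        // Protected part: run the container's login mechanism (BASIC here) on demand.
        // true  -> a caller identity is established (already was, or the Authorization
        //          header just validated against the realm).
        // false -> no identity, and the container has ALREADY committed the 401 +
        //          WWW-Authenticate challenge to the response: return immediately.
        // Throws ServletException if no login mechanism is configured in web.xml.
        if (!request.authenticate(response)) {
            return;
        }

        Principal caller = request.getUserPrincipal(); // non-null after a true authenticate()
        if (!request.isUserInRole("boss")) {
            // Authenticated but not authorised: 403, never a second 401 (that would make the
            // browser re-prompt an already valid user forever).
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "user " + caller.getName() + " does not hold role boss");
            return;
        }
        response.getWriter().println("Welcome, boss " + caller.getName());
    }
}

/* Assumed web.xml for this example (illustration only): a login-config and the role
 * declaration, but no security-constraint, so every URL of the app stays public until
 * the servlet itself calls authenticate().
 *
 *   <web-app ...>
 *     <login-config>
 *       <auth-method>BASIC</auth-method>
 *       <realm-name>DefaultRealm</realm-name>
 *     </login-config>
 *     <security-role>
 *       <role-name>boss</role-name>
 *     </security-role>
 *   </web-app>
 */
```

Requesting ?action=status before and after a protected request shows the difference: the first call reports authenticated=false and boss=false without any browser prompt, the second (once BASIC credentials are cached by the browser) reports whatever the realm says about that user.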