一尘不染

tomcat 7基于表单的身份验证

tomcat

给定一个Servlet HelloServlet:

@WebServlet("/HelloServlet")
public class HelloServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * Default constructor.
     */
    public HelloServlet() {
    // TODO Auto-generated constructor stub
    }


   @Override
    protected void doGet(HttpServletRequest request,
        HttpServletResponse response) throws ServletException, IOException {
    // TODO Auto-generated method stub
    System.out.print("hello my Friend: " + request.getRemoteUser());
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    out.println("This is the Test Servlet");

    Enumeration headerNames = request.getHeaderNames();
    while (headerNames.hasMoreElements()) {
        String headerName = (String) headerNames.nextElement();
        out.print("<br/>Header Name: <em>" + headerName);
        String headerValue = request.getHeader(headerName);
        out.print("</em>, Header Value: <em>" + headerValue);
        out.println("</em>");
    }
    }
....
}

在web.xml中具有声明的tomcat安全策略:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>my application</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
        <role-name>tomcat</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
</login-config>

和conf / tomcat-users.xml中的tomcat-roles定义

  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>

“ server.xml”中的领域是:

  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>

,我尝试使用url localhost / jsfWorkgroup / HelloServlet访问Servlet“ HelloServlet”。

如预期的那样,我被(重定向)到登录页面:

<form method="POST" action="j_security_check">
<table>
  <tr>
    <td colspan="2">Login to the Tomcat-Demo application:</td>
  </tr>
  <tr>
    <td>Name:</td>
    <td><input type="text" name="j_username" /></td>
  </tr>
  <tr>
    <td>Password:</td>
    <td><input type="password" name="j_password"/ ></td>
  </tr>
  <tr>
    <td colspan="2"><input type="submit" value="Go" /></td>
  </tr>
</table>
</form>

无论我使用哪个id-Token:

  1. 用户名:tomcat密码:tomcat
  2. 用户名:passwort:tomcat

我仍然遇到失败/login-failed.jsp。

这是我的看法:tomcat的作用是将我重定向到登录页面,但没有读取conf / tomcat-users.xml来使我的登录有效(即使在多次重启后)。

你怎么看待这件事 ?

配置:Tomcat 7.0.23,Eclipse-Indigo


阅读 291

收藏
2020-06-16

共1个答案

一尘不染

在提出@ pd40命题之后,我尝试了examples / jsp / security / protected
/示例,但没有在通常与其他服务器(Glassfish,JBoss等)一起嵌入Tomcat的Eclipse
IDE中尝试,而是启动了tomcat服务器作为独立的(在其/ bin目录中)..并可以正常工作。

但是,当尝试在Eclipse的Tomcat中运行基于安全性的Web应用程序时,即使使用上述配置,它也再次失败。

我不知道我是否正确,但是仅当tomcat在eclipse之外运行时才支持Web应用程序安全性。

2020-06-16