Security – Tomcat 7 form-based authentication

Given a servlet HelloServlet:

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/HelloServlet")
public class HelloServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * Default constructor.
     */
    public HelloServlet() {
        // TODO Auto-generated constructor stub
    }

    @Override
    protected void doGet(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        // getRemoteUser() stays null until the container has authenticated the caller
        System.out.print("hello my Friend: " + request.getRemoteUser());
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("This is the Test Servlet");

        // Echo every request header. Header values are attacker-controlled, so
        // they are HTML-escaped before being written into the page; unescaped
        // they would be a reflected XSS sink.
        Enumeration<String> headerNames = request.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = headerNames.nextElement();
            out.print("<br/>Header Name: <em>" + escapeHtml(headerName));
            String headerValue = request.getHeader(headerName);
            out.print("</em>, Header Value: <em>" + escapeHtml(headerValue));
            out.println("</em>");
        }
    }

    // Minimal HTML escaping for text placed inside element content
    private static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;");
    }

    // .... (rest of the class elided in the original post)
}

The Tomcat security policy declared in web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>my application</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
        <role-name>tomcat</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-failed.jsp</form-error-page>
    </form-login-config>
</login-config>

and the Tomcat role definitions in conf/tomcat-users.xml:

  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>

The realm in server.xml is:

  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>

I try to access the servlet HelloServlet via the URL localhost/jsfWorkgroup/HelloServlet.

As expected, I am redirected to the login page:

<form method="POST" action="j_security_check">
<table>
  <tr>
    <td colspan="2">Login to the Tomcat-Demo application:</td>
  </tr>
  <tr>
    <td>Name:</td>
    <td><input type="text" name="j_username" /></td>
  </tr>
  <tr>
    <td>Password:</td>
    <td><input type="password" name="j_password"/></td>
  </tr>
  <tr>
    <td colspan="2"><input type="submit" value="Go" /></td>
  </tr>
</table>
</form>

Whichever credentials I use:

> username: tomcat password: tomcat
> username: password: tomcat

I still end up at the failure page /login-failed.jsp.

Here is my take on this: Tomcat does redirect me to the login page, but it does not read conf/tomcat-users.xml to validate my login (even after several restarts).

What do you think about this?

Configuration: Tomcat 7.0.23, Eclipse Indigo
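Added example, not code from the original question or answer: a small diagnostic servlet that exercises the same realm the FORM login goes through. Always landing on /login-failed.jsp means the configured Realm rejected the credentials; j_security_check itself never says why. The Servlet 3.0 method HttpServletRequest.login(username, password), available in Tomcat 7, asks the realm chain from server.xml directly and throws ServletException on rejection, so posting credentials to this servlet tells you whether the running instance sees the users in the tomcat-users.xml you edited, and afterwards reports getRemoteUser() and isUserInRole() for the roles named in web.xml. One thing worth checking when the server is launched from Eclipse WTP: it keeps its own copy of Tomcat's conf/ files (tomcat-users.xml included) in the workspace's Servers project, and the instance reads that copy, not the one under the Tomcat installation directory. The class name AuthCheckServlet, the path /AuthCheck, the parameter names user/pass and the extra <security-constraint> that exempts /AuthCheck from the /* constraint are assumptions made for this example.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml addition for this example: a constraint with no
 * <auth-constraint>, so /AuthCheck stays reachable before login even
 * though the catch-all pattern is protected (a matching constraint
 * without an auth-constraint permits unauthenticated access).
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>auth check</web-resource-name>
 *       <url-pattern>/AuthCheck</url-pattern>
 *     </web-resource-collection>
 *   </security-constraint>
 */
@WebServlet("/AuthCheck")
public class AuthCheckServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    // Roles named in web.xml's <auth-constraint> and conf/tomcat-users.xml
    private static final String[] ROLES = { "tomcat", "role1" };

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        report(req, out);
        // Credentials are accepted via POST only, so they never land in access logs
        out.println("<form method='POST' action='AuthCheck'>"
                + "<input name='user'/> <input type='password' name='pass'/>"
                + "<input type='submit' value='request.login()'/></form>");
        out.println("</body></html>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String pass = req.getParameter("pass");
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body>");
        if (req.getRemoteUser() != null) {
            // login() throws if a user is already authenticated on this request
            out.println("<p>Already authenticated as " + esc(req.getRemoteUser())
                    + "; call request.logout() first.</p>");
        } else if (user == null || pass == null) {
            out.println("<p>Missing user or pass parameter.</p>");
        } else {
            try {
                // Goes straight to the Realm configured in server.xml
                req.login(user, pass);
                out.println("<p>Realm ACCEPTED user " + esc(user) + "</p>");
            } catch (ServletException e) {
                // Deliberately neither the password nor the exception detail is echoed
                out.println("<p>Realm REJECTED user " + esc(user) + "</p>");
            }
        }
        report(req, out);
        out.println("</body></html>");
    }

    // What the container currently believes about the caller
    private static void report(HttpServletRequest req, PrintWriter out) {
        out.println("<p>getAuthType(): " + esc(String.valueOf(req.getAuthType())) + "</p>");
        out.println("<p>getRemoteUser(): " + esc(String.valueOf(req.getRemoteUser())) + "</p>");
        for (String role : ROLES) {
            out.println("<p>isUserInRole(\"" + role + "\"): " + req.isUserInRole(role) + "</p>");
        }
    }

    // Minimal HTML escaping so a crafted username cannot inject markup
    private static String esc(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;");
    }
}
```

If this servlet reports REJECTED for tomcat/tomcat while the standalone installation accepts the same pair, the running instance is reading a different tomcat-users.xml (or a different Realm) than the one shown in the question; if it reports ACCEPTED but j_security_check still fails, the problem is in the form flow itself (for example the form being posted from a page outside the protected context).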

Best answer

Following @pd40's suggestion, I tried the examples/jsp/security/protected/ sample, but not in the Eclipse IDE, where Tomcat is usually embedded alongside other servers (Glassfish, JBoss, etc.); instead I started the Tomcat server standalone (from its /bin directory) .. and there it works.

But when trying to run the security-based web application in Tomcat inside Eclipse, it fails again, even with the configuration above.

I don't know whether I'm right, but web application security seems to be supported only when Tomcat runs outside Eclipse.
