Tomcat Container Security Management: User Authentication

Summary:

When a protected resource in a web application is accessed, the container can perform the corresponding user authentication, using one of the following methods:

  • BASIC
  • FORM
  • DIGEST
  • CLIENT-CERT

1. Basic Tomcat configuration

1.1 Realm:

A Realm is a “database” of usernames and passwords that identify valid users of a web application (or set of web applications), plus an enumeration of the list of roles associated with each valid user.
Security realm: in terms of the Servlet specification, a realm is the place where authentication information (such as usernames and passwords) is stored.
Tomcat defines a Java interface (org.apache.catalina.Realm) and ships six standard plug-in implementations that connect to different sources of authentication data:

  • JDBCRealm
  • DataSourceRealm
  • JNDIRealm
  • UserDatabaseRealm
  • MemoryRealm
  • JAASRealm

1.2 Tomcat configuration

First edit /usr/local/apache-tomcat/conf/tomcat-users.xml and define the roles and usernames in it:

```xml
<tomcat-users>
  <role rolename="Admin"/>
  <role rolename="Member"/>
  <role rolename="Guest"/>

  <user username="jay" password="tom123456" roles="Admin,Member,Guest"/>
  <user username="hust" password="tom123456" roles="Member,Guest"/>
  <user username="ball" password="tom123456" roles="Guest"/>
</tomcat-users>
```
1.3 Web application configuration: enable authentication in the application's web.xml

```xml
<web-app>
  <login-config>
    <!-- Four methods are available here: BASIC, FORM, DIGEST, CLIENT-CERT -->
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/log/login.html</form-login-page>
      <form-error-page>/log/loginerr.html</form-error-page>
    </form-login-config>
    <!-- realm-name>UserDatabase</realm-name -->
  </login-config>
</web-app>
```
1.4 Web application configuration: declare the role mapping to the container in web.xml

```xml
<web-app>
  <!-- Declare the roles mapped to the container's roles -->
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
  <security-role>
    <role-name>Member</role-name>
  </security-role>
  <security-role>
    <role-name>Guest</role-name>
  </security-role>
</web-app>
```
1.5 Web application configuration: define the resource and method constraints in web.xml

```xml
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>beer app</web-resource-name>
      <url-pattern>/selection</url-pattern>
      <url-pattern>/listen</url-pattern>
      <url-pattern>/down</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>Member</role-name>
      <role-name>Guest</role-name>
    </auth-constraint>
    <!-- user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint -->
  </security-constraint>
</web-app>
```

The resulting web.xml is as follows:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
  <display-name>Servlet Web Application</display-name>

  <!-- Servlets and their mappings -->
  <servlet>
    <servlet-name>beerSelect</servlet-name>
    <servlet-class>com.head.first.servlet.BeerSelect</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>beerSelect</servlet-name>
    <url-pattern>/selection</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>download</servlet-name>
    <servlet-class>com.head.first.servlet.DownloadServlet</servlet-class>
    <!-- ServletConfig parameter -->
    <init-param>
      <param-name>email</param-name>
      <param-value>24zhangjie@gmail.com</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>download</servlet-name>
    <url-pattern>/down</url-pattern>
  </servlet-mapping>

  <servlet>
    <servlet-name>liste</servlet-name>
    <servlet-class>com.head.first.servlet.listener.ListenerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>liste</servlet-name>
    <url-pattern>/listen</url-pattern>
  </servlet-mapping>

  <!-- JSP servlet -->
  <servlet>
    <servlet-name>res</servlet-name>
    <jsp-file>/jsps/jspServlet.jsp</jsp-file>
    <init-param>
      <param-name>username</param-name>
      <param-value>KobeBryant</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>res</servlet-name>
    <url-pattern>/jspServlet</url-pattern>
  </servlet-mapping>

  <!-- Context parameters for the whole web application -->
  <context-param>
    <param-name>email</param-name>
    <param-value>24zhangjie@gmail.com</param-value>
  </context-param>
  <context-param>
    <param-name>breed</param-name>
    <param-value>Dog'sBreed</param-value>
  </context-param>

  <!-- ServletContextListener -->
  <listener>
    <listener-class>com.head.first.servlet.listener.MyServletContextListener</listener-class>
  </listener>

  <!-- Security -->
  <security-role>
    <role-name>Admin</role-name>
  </security-role>
  <security-role>
    <role-name>Member</role-name>
  </security-role>
  <security-role>
    <role-name>Guest</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>beer</web-resource-name>
      <url-pattern>/selection</url-pattern>
      <url-pattern>/listen</url-pattern>
      <url-pattern>/down</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>Member</role-name>
      <role-name>Guest</role-name>
    </auth-constraint>
    <!-- user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint -->
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/log/login.html</form-login-page>
      <form-error-page>/log/loginerr.html</form-error-page>
    </form-login-config>
    <!-- realm-name>UserDatabase</realm-name -->
  </login-config>

</web-app>
```
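
As an added check that is not part of the original post, the following Python script parses the security section of a web.xml like the one assembled in steps 1.3 to 1.5, summarises each security-constraint, and flags the two settings the sample leaves weak: the commented-out CONFIDENTIAL transport-guarantee, and the explicit GET/POST http-method list, which under the Servlet specification constrains only those verbs and leaves all others unconstrained. The embedded web.xml is a constructed sample mirroring the page's configuration, not the project's own file.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the page's web.xml security section (not the project's file).
SAMPLE_WEB_XML = """<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>beer</web-resource-name>
      <url-pattern>/selection</url-pattern>
      <url-pattern>/down</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>Member</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop "{namespace}" so tags match with or without xmlns

def _texts(node, name):
    return [e.text.strip() for e in node.iter() if _local(e.tag) == name and e.text]

def audit_web_xml(xml_text):
    root = ET.fromstring(xml_text)
    auth = _texts(root, "auth-method")
    report = {"auth_method": auth[0] if auth else None, "constraints": [], "findings": []}
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = _texts(sc, "url-pattern")
        methods = [m.upper() for m in _texts(sc, "http-method")]
        guarantee = _texts(sc, "transport-guarantee")
        report["constraints"].append({"url_patterns": patterns, "roles": _texts(sc, "role-name"),
                                      "http_methods": methods, "transport": guarantee})
        if methods:  # Servlet spec: listing methods constrains only those; the rest stay open
            report["findings"].append(f"{patterns}: only {methods} constrained; omit "
                                      "<http-method> to cover every verb")
        if "CONFIDENTIAL" not in guarantee:  # the page's sample has this commented out
            report["findings"].append(f"{patterns}: no CONFIDENTIAL transport-guarantee; "
                                      "FORM/BASIC credentials would travel over plain HTTP")
    return report
```

Run it against a real deployment's WEB-INF/web.xml by reading the file into `audit_web_xml`; an empty `findings` list means every constraint covers all verbs and requires TLS.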


2. BASIC authentication


3. FORM authentication


4. DIGEST authentication


5. CLIENT-CERT authentication