在 Tomcat 中设置 HTTP 基本认证的示例
- 在 $TOMCAT_HOMEconf omcat-users.xml 文件中配置角色和用户:
<tomcat-users> <role rolename="all"/> <role rolename="admin"/> <user username="all" password="all" roles="all"/> <user username="admin" password="admin" roles="admin,all"/> </tomcat-users>
- 新建一个 Java Web 工程,编辑 web.xml 文件。
- 配置 <security-constraint/> 元素,指定角色可访问的资源集和可使用的 HTTP 方法。
<security-constraint> <web-resource-collection> <web-resource-name>Public resources</web-resource-name> <url-pattern>/home/*</url-pattern> <http-method>HEAD</http-method> <http-method>GET</http-method> </web-resource-collection> <auth-constraint> <role-name>all</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>Secret resources</web-resource-name> <url-pattern>/blog/*</url-pattern> <url-pattern>/photo/*</url-pattern> <http-method>HEAD</http-method> <http-method>GET</http-method> <http-method>POST</http-method> <http-method>PUT</http-method> </web-resource-collection> <auth-constraint> <role-name>admin</role-name> </auth-constraint> </security-constraint>
- 配置 <login-config/> 元素,指定认证方式为基本认证,并指定安全域。
<login-config> <auth-method>BASIC</auth-method> <realm-name>hueyhome</realm-name> </login-config>
测试:
a) 无认证信息请求
C:Usershuey>curl -I http://localhost:8080/helloweb/home/index.html HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 Pragma: No-cache Cache-Control: no-cache Expires: Thu, 01 Jan 1970 08:00:00 CST WWW-Authenticate: Basic realm="hueyhome" Content-Type: text/html;charset=utf-8 Content-Length: 951 Date: Mon, 18 May 2015 14:10:55 GMT
b) 错误认证信息请求
C:Usershuey>curl -I -u "all:none" http://localhost:8080/helloweb/home/index.html HTTP/1.1 401 Unauthorized Server: Apache-Coyote/1.1 Pragma: No-cache Cache-Control: no-cache Expires: Thu, 01 Jan 1970 08:00:00 CST WWW-Authenticate: Basic realm="hueyhome" Content-Type: text/html;charset=utf-8 Content-Length: 951 Date: Mon, 18 May 2015 14:19:01 GMT
c) 正确认证信息但该用户无指定资源的访问权限
C:Usershuey>curl -I -u "all:all" http://localhost:8080/helloweb/blog/index.html HTTP/1.1 403 Forbidden Server: Apache-Coyote/1.1 Pragma: No-cache Cache-Control: no-cache Expires: Thu, 01 Jan 1970 08:00:00 CST Content-Type: text/html;charset=utf-8 Content-Length: 1057 Date: Mon, 18 May 2015 14:11:57 GMT
d) 正确认证信息且该用户无指定资源的访问权限
C:Usershuey>curl -I -u "all:all" http://localhost:8080/helloweb/home/index.html HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Pragma: No-cache Cache-Control: no-cache Expires: Thu, 01 Jan 1970 08:00:00 CST Accept-Ranges: bytes ETag: W/"317-1431758220112" Last-Modified: Sat, 16 May 2015 06:37:00 GMT Content-Type: text/html Content-Length: 317 Date: Mon, 18 May 2015 14:11:04 GMT