Tomcat security constraint for valid user

问题

I'm trying to protect a resource in tomcat so that only "valid users" (those with a valid login and password in the realm) can access it. They do not necessarily belong to a group in the realm. I have tried with many combinations of the <security-constraint> directive without success. Any ideas?

回答1:

Besides the auth-constraint you are adding to the security-constraint:

   <auth-constraint>
       <role-name>*</role-name>
   </auth-constraint>

you need specify the security role in the web-app:

    <security-role>
        <role-name>*</role-name>
    </security-role>

回答2:

There are several realm implementation in tomcat - memory, database, JAAS and more. The easiest one to configure (though not the most secure) the memory one, which contains a single XML file, usually under conf/tomcat-users.xml:

<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1"  password="tomcat" roles="role1"  />
  <user name="both"   password="tomcat" roles="tomcat,role1" />
</tomcat-users>

The realm configuration is under the context, host or engine configurations, like this:

<Realm className="org.apache.catalina.realm.MemoryRealm"
       pathname="conf/tomcat-users.xml" />

Then, in the web.xml you put the following definition:

    <security-constraint>
            <web-resource-collection>
                    <web-resource-name>MRC Customer Care</web-resource-name>
                    <url-pattern>/protected/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                    <role-name>role1</role-name>
            </auth-constraint>
    </security-constraint>

    <!-- Define the Login Configuration for this Application -->
    <login-config>
            <auth-method>DIGEST</auth-method>
            <realm-name>YOUR REALM NAME</realm-name>
    </login-config>

    <security-role>
            <description>
              The role that is required to access the application. 
              Should be on from the realm (the tomcat-users.xml file).
            </description>
            <role-name>role1</role-name>                  
    </security-role>

The web.xml part is taken (with slight change) from one of our web apps.

回答3:

If we are using Tomcat 8.x , as the provided server.xml will come in a nested Realm element, please add 'allRolesMode="authOnly"' in the "outmost" Realm element and change aforementioned web.xml for testing. e.g.

  <Realm allRolesMode="authOnly" className="org.apache.catalina.realm.LockOutRealm">
    <!-- This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase" />
  </Realm>

Please read org.apache.catalina.realm.RealmBase.java for details.

Also, following settings in logging.properties are useful.

org.apache.catalina.realm.level=ALL
org.apache.catalina.realm.useParentHandlers=true
org.apache.catalina.authenticator.level=ALL
org.apache.catalina.authenticator.useParentHandlers=true

来源：https://stackoverflow.com/questions/1089600/tomcat-security-constraint-for-valid-user

标签

java

Tomcat

web-applications

security-constraint