3

更新:当<auth-constraint>元素被完全删除时,代码可以正常工作。谁能解释为什么它在存在时不起作用?

我正在编写一些代码来练习在部署描述符中保护 servlet,并且在浏览器中得到以下信息:

HTTP Status 403 - Access to the requested resource has been denied
type Status report
message Access to the requested resource has been denied
description Access to the specified resource has been forbidden.
Apache Tomcat/7.0.42

关于我做错了什么有什么想法吗?我已经对以前的帖子进行了一些搜索,似乎 Tomcat 7 中的角色名称可能已经更新 - 我已经玩过这个,但到目前为止还没有成功。(下面的代码)。

web.xml

<?xml version="1.0" ?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee    
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<servlet>
    <servlet-name>CheckedServlet</servlet-name>
    <servlet-class>webcert.ch05.ex0502J.CheckedServlet</servlet-class>
    <security-role-ref>
        <role-name>MGR</role-name>
        <role-link>manager</role-link>
    </security-role-ref>
</servlet>
<servlet-mapping>
    <servlet-name>CheckedServlet</servlet-name>
    <url-pattern>/CheckedServlet</url-pattern>
</servlet-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>CheckedServletConstraint</web-resource-name>
        <url-pattern>/CheckedServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>manager</role-name>
</security-role>

CheckedServlet.java

package webcert.ch05.ex0502J;
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.security.*;

public class CheckedServlet extends HttpServlet{

protected void doPost(HttpServletRequest request, HttpServletResponse response) 
        throws ServletException, IOException {
    doGet(request, response);
}
protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException{

    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    out.write("<html><head><title>CheckedServlet</title></head><body>");

    String userMessage;
    Principal user = request.getUserPrincipal();
    if(user == null)
        userMessage = "Access denied.";
    else
        userMessage = "Access granted.";

    out.write("<br>" + userMessage + " Principal name is " + user +
              "<br>If authorized, you should see some more text below:");

    if(request.isUserInRole("manager"))
        out.write("<br>Here's some super secret extra text since your " +
                "role is manager.");

    out.write("</body></html>");
    out.flush();
    out.close();
}
}
4

3 回答 3

4

If you enable security for you web application (as you have done by adding the <security-constraint> clause to web.xml), you also need to define corresponding users/roles/passwords in tomcat-user.xml. This file is usually located in the conf folder of the tomcat installation. Here are the sample lines that you can add to your installation's tomcat-user.xml file:

<role rolename="MGR"/>  
<user password="mypassword" roles="MGR" username="user1"/>
<user password="mypassword2" roles="MGR" username="user2"/>

Now, when you access your application, instead of getting the status 403 error message, your application will instead prompt you to enter a userid / password using HTTP Basic Auth. You should then be able to successfully login if you use one of the above userids.

于 2014-10-09T17:37:51.713 回答
2

您需要在 web.xml 中添加以下内容:

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

然后您还可以编辑您的tomcat-user.xml以添加角色和用户名。在这些之后重新部署应用程序,这个问题应该消失了。

于 2015-03-23T14:44:11.793 回答
0

其他成员的两句话是正确的。总结添加角色的要点,登录配置和tomcat的相应用户配置,您可以看一下这篇文章:

如何修复 Tomcat HTTP 状态 403:访问请求的资源已被拒绝?

于 2016-04-14T07:06:32.877 回答