当我添加了Tomcat资源链接后 <ResourceLink name="UserDatabase" global="UserDatabase" type="org.apache.catalina.UserDatabase"/> 我的身份验证被破坏了,我可以登录并进行REST CALL,从Tomcat-users.xml中得到所有的用户。我可以登录,然后做一个REST CALL,从tomcat-users.xml中获取所有用户。然后,我只是重新加载页面,有一个403 - Forbidden错误。 我有两个Web应用程序。一个是REST API,从数据库中获取数据(后端),另一个Web应用是数据库的管理(前端)。所以我为我的前端应用添加了一个FORM认证,为我的后端添加了一个BASIC认证。用户存储在tomcat-users.xml文件中-> 一切都很好,现在我想用前端后端程序化地编辑tomcat-users,我发现这个 如何以编程方式将用户添加到Tomcat UserDatabaseRealm? 我将链接中的代码添加到我的REST API中,然后调用URL apiadmintomcat用户 我得到了所有的用户和用户角色。但是在这个页面上调用了一次之后,我总是得到一个403--Forbidden错误! 如果我不做REST CALL或者直接删除ResourceLink,问题就不会发生。
(看汤姆猫日志的最后两排。为什么他第一次找到了角色,第二次却没有找到呢?)
在我第一次调用页面时成功登录后的日志。
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /es_admin/admin/setting.jsp
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke We have cached auth type FORM for principal GenericPrincipal[admin(CR8000,SOLIDWORKS,admin,)]
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Adminstrative Pages]' against GET /admin/setting.jsp --> true
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[User Pages]' against GET /admin/setting.jsp --> false
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Adminstrative Pages]' against GET /admin/setting.jsp --> true
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[User Pages]' against GET /admin/setting.jsp --> false
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.checkForCachedAuthentication Bereits authentifiziert [admin]
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[admin(CR8000,SOLIDWORKS,admin,)]
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission Role found: admin
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed all security constraints
在我重新加载页面或直接切换到另一个页面后的日志。
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /es_admin/admin/setting.jsp
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke We have cached auth type FORM for principal GenericPrincipal[admin(CR8000,SOLIDWORKS,admin,)]
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[User Pages]' against GET /admin/setting.jsp --> false
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Adminstrative Pages]' against GET /admin/setting.jsp --> true
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[User Pages]' against GET /admin/setting.jsp --> false
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Adminstrative Pages]' against GET /admin/setting.jsp --> true
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.checkForCachedAuthentication Bereits authentifiziert [admin]
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[admin(CR8000,SOLIDWORKS,admin,)]
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: admin
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>frontend</display-name>
<welcome-file-list>
<welcome-file>login.jsp</welcome-file>
</welcome-file-list>
<!--Defines Security Constraint -->
<security-constraint>
<display-name>frontend admin</display-name>
<web-resource-collection>
<web-resource-name>Adminstrative Pages</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>frontend user</display-name>
<web-resource-collection>
<web-resource-name>User Pages</web-resource-name>
<description/>
<url-pattern>/user/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>SOLIDWORKS</role-name>
</auth-constraint>
<auth-constraint>
<description/>
<role-name>CR8000</role-name>
</auth-constraint>
</security-constraint>
<!--Defines Login Config -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>file</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
<!--Defines Security Role -->
<security-role>
<description/>
<role-name>admin</role-name>
</security-role>
<security-role>
<description/>
<role-name>SOLIDWORKS</role-name>
</security-role>
<security-role>
<description/>
<role-name>CR8000</role-name>
</security-role>
</web-app>
<Context>
<!-- Default set of monitored resources. If one of these changes, the -->
<!-- web application will be reloaded. -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
<ResourceLink name="UserDatabase" global="UserDatabase" type="org.apache.catalina.UserDatabase" />
</Context>
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<role rolename="admin"/>
<role rolename="CR8000"/>
<role rolename="SOLIDWORKS"/>
<user username="admin" password="password" roles="admin,CR8000,SOLIDWORKS"/>
<user username="testSolid" password="password" roles="SOLIDWORKS"/>
<user username="testZuken" password="password" roles="CR8000"/>
</tomcat-users>
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
@GET
@Path("/tomcat/user")
@Produces(MediaType.APPLICATION_JSON)
public ArrayList<TomcatUser> getTomcatUser() {
getLogWriter().writeLog("GET call on /tomcat/user");
ArrayList<TomcatUser> tomcatUsers = new ArrayList<TomcatUser>();
try {
UserDatabase ud = (UserDatabase) new InitialContext().lookup("java:comp/env/UserDatabase");
ud.open();
Iterator<org.apache.catalina.User> iteratorUsers = ud.getUsers();
while (iteratorUsers.hasNext()) {
org.apache.catalina.User user = iteratorUsers.next();
TomcatUser tmpTomcatUser = new TomcatUser();
String username = user.getUsername();
Iterator<Role> iteratorRoles = user.getRoles();
ArrayList<Role> roles = new ArrayList<Role>();
// Change from Iterator to ArrayList
iteratorRoles.forEachRemaining(roles::add);
ArrayList<String> strRoles = new ArrayList<String>();
for (int x = 0; x < roles.size(); x++) {
strRoles.add(roles.get(x).getRolename());
}
tmpTomcatUser.setUsername(username);
tmpTomcatUser.setRoles(strRoles);
tomcatUsers.add(tmpTomcatUser);
tmpTomcatUser = null;
}
ud.close();
} catch (Exception e) {
e.printStackTrace();
}
return tomcatUsers;
}
这看起来像 roles 的问题。你可以使用下面的配置来允许所有角色。
<role-name>*</role-name>
根据问题的默认值,Tomcat-user.xml文件在Basic认证下工作正常。你在使用下面的配置后面临角色问题。how to programmatically add users to tomcat UserDatabaseRealm?. 是真的吗?如果是,那么我认为你还需要通过编程来传递角色。
我在我的servlet中发现了两个问题来解决这个问题。
.open() 从我 UserDatabaseTomcatUser 对象。为了返回一个字符串,我用Gson将我的Object格式化为JSON字符串。所以这就是我的最后一个servlet方法。
@GET
@Path("/tomcat/user")
@Produces(MediaType.APPLICATION_JSON)
public String getTomcatUser() {
getLogWriter().writeLog("GET call on /tomcat/user");
ArrayList<TomcatUser> tomcatUsers = new ArrayList<TomcatUser>();
try {
UserDatabase ud = (UserDatabase) new InitialContext().lookup("java:comp/env/UserDatabase");
Iterator<org.apache.catalina.User> iteratorUsers = ud.getUsers();
while (iteratorUsers.hasNext()) {
org.apache.catalina.User user = iteratorUsers.next();
System.out.println(user.getUsername());
TomcatUser tmpTomcatUser = new TomcatUser();
String username = user.getUsername();
Iterator<Role> iteratorRoles = user.getRoles();
ArrayList<String> strRoles = new ArrayList<String>();
while (iteratorRoles.hasNext()) {
Role role = iteratorRoles.next();
strRoles.add(role.getRolename());
}
tmpTomcatUser.setUsername(username);
tmpTomcatUser.setRoles(strRoles);
tomcatUsers.add(tmpTomcatUser);
tmpTomcatUser = null;
}
} catch (Exception e) {
e.printStackTrace();
}
return new Gson().toJson(tomcatUsers);
}