为Tomcat 9创建自定义HTTP身份验证器
[英]Create Custom HTTP Authenticator for Tomcat 9
问题描述
I need to integrate IBM Security Access Manger with Tomcat 9 to authenticate users. 
我需要将IBM Security Access Manger与Tomcat 9集成在一起以对用户进行身份验证。 I have a properly configured Webseal (junction) for the IBM SAM part. 我为IBM SAM部件配置了正确的Webseal(连接)。 It takes the user's credentials, authenticates again the SAM server, and then if successful redirects to Tomcat while passing the headers iv-user , iv-group , and iv-creds . 它获取用户的凭据,再次验证SAM服务器,然后在成功传递标题iv-user , iv-group和iv-creds同时重定向到Tomcat。 I now need to write a custom Tomcat Valve to implement the authentication and allow access to apps based on the user's group. 现在,我需要编写一个自定义Tomcat Valve来实现身份验证,并允许基于用户组访问应用程序。 What would be the best way to go about doing this? 这样做的最佳方法是什么?
My current idea is to extend the org.apache.catalina.valves.AuthenticatorBase so that I can use the following setup in the web.xml of my application: 我当前的想法是扩展org.apache.catalina.valves.AuthenticatorBase以便可以在应用程序的web.xml中使用以下设置:
<security-constraint>
<web-resource-collection>
<web-resource-name>Application</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>MyRoleName</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
The headers from the Webseal can be parsed and used to generate a org.apache.catalina.realm.GenericPrincipal and then used to authenticate into a role added to the given realm (or written into tomcat-users.xml ). 可以解析来自Webseal的标头,并将其用于生成org.apache.catalina.realm.GenericPrincipal ,然后用于对添加到给定领域的角色进行身份验证(或写入tomcat-users.xml )。
I'm a bit shaky onto how to actually implement this authentication, so any help no matter how basic would be much appreciated. 我对如何真正实现此身份验证有些不确定,因此,无论多么基础,任何帮助都将不胜感激。
1 个解决方案
解决方案1
2 2018-12-29 16:21:54
The most important thing is to ensure that Tomcat doesn't install its own Authenticator in response to your specifying BASIC as the authentication scheme. 最重要的是要确保Tomcat不安装自己的Authenticator来响应您将BASIC指定为身份验证方案。 Extending from AuthenticatorBase is a great idea, and you can avoid Tomcat's standard authenticator by configuring your authenticator as a in your application's META-INF/context.xml file. 从AuthenticatorBase进行扩展是一个好主意,并且可以通过在应用程序的META-INF / context.xml文件中将身份验证器配置为来避免Tomcat的标准身份验证器。
Next, you'll be required to implement two methods on AuthenticatorBase : 接下来,您将需要在AuthenticatorBase上实现两个方法:
-
boolean doAuthenticate(Request request, HttpServletResponse response) -
String getAuthMethod()
The second one is easy: return whatever you want. 第二个很简单:返回任何您想要的。 You might want to make it make some kind of sense, like "IBMSAM" . 您可能想要使其具有某种意义,例如"IBMSAM" 。
The first one is where the meat of the authenticator lies, of course. 当然,第一个是身份验证者的肉所在。
If you can get everything you need from the request , then that's great: it's already there, so you can get what you need. 如果您可以从request获得所需的一切,那就太好了:它已经存在,因此您可以获取所需的东西。 Your method needs to do two things: 您的方法需要做两件事:
- Set the
principalof the request to an appropriate value (egrequest.setUserPrincipal(new GenericPrincipal(username, null, roles));将请求的principal设置为适当的值(例如request.setUserPrincipal(new GenericPrincipal(username, null, roles)); - Return
true返回true
I think once you get it working with a straightforward situation, you'll be able to play-around with the edge-cases from there. 我认为,一旦您在一个简单的情况下使用它,您就可以从那里玩转边缘游戏。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.