Tomcat URL身份验证例如:https:// user:password@app.wibble.com
[英]Tomcat URL Authentication e.g: https://user:password@app.wibble.com
问题描述
I am writing a tomcat app, and have a need to do authentication within the URL like this: 
我正在编写一个tomcat应用程序,并且需要在URL中进行身份验证,如下所示:
https://user:password@app.wibble.com https://开头的用户:password@app.wibble.com
Except for the life of me i'm not sure how to set it up or able to find the docs to read up on it, clearly my google skills need work. 除了我的生活,我不知道如何设置或能够找到文档阅读它,显然我的谷歌技能需要工作。
Can anyone tell me where i should be looking for this kind of info or where to start? 任何人都可以告诉我应该在哪里寻找这种信息或从哪里开始?
Cheers 干杯
Andy 安迪
3 个解决方案
解决方案1
2 已采纳 2010-05-14 20:56:47
Authenticating that way is called HTTP BASIC, which may help with your searching :) 验证这种方式称为HTTP BASIC,这可能有助于您的搜索:)
Essentially you need an element in your web.xml like this 基本上你需要像你这样的web.xml中的元素
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>myRealm</realm-name>
</login-config>
Then you need to set up a realm for your users: 然后,您需要为您的用户设置一个领域:
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Configuring%20a%20Realm http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#Configuring%20a%20Realm
Then you need to create some users in the tomcat-users.xml file 然后,您需要在tomcat-users.xml文件中创建一些用户
Now you can start using <security-constraint> elements in your web.xml to manage access. 现在,您可以开始在web.xml中使用<security-constraint>元素来管理访问。
As an aside, with modern browsers, you must actually use container managed security if you want to use BASIC. 另外,对于现代浏览器,如果要使用BASIC,则必须实际使用容器管理的安全性。 Sometimes people try to parse the request in a servlet and get a username/password out of it. 有时人们会尝试在servlet中解析请求并从中获取用户名/密码。 Modern browsers will 'protect' you from disclosing your password needlessly by not putting the login and password in the header unless an initial call to the server without it fails with a challenge for BASIC credentials. 现代浏览器将通过不将登录名和密码放在标题中来“保护”您免于泄露密码,除非在没有它的情况下对服务器进行初始调用失败并且对BASIC凭证提出质疑。
解决方案2
0 2010-05-14 20:31:46
I don't think that's a legal URL. 我不认为这是一个合法的URL。 If I'm reading the RFC correctly, '@' aren't legal in the host section - app.wibble.com - of a URL and http urls don't have the user and password sections. 如果我正确地阅读RFC ,“@”在主机部分 - app.wibble.com中是不合法的 - URL和http网址没有用户和密码部分。 Email and FTP ones do, but not http. 电子邮件和FTP可以,但不是http。
Maybe https://app.wibble.com/user/password , but I'd advise against putting the password in the URL. 也许https://app.wibble.com/user/password ,但我建议不要在网址中输入密码。 It'd end up in some cache where it can be found. 它最终会在某个缓存中找到它。
解决方案3
0 2010-05-14 20:33:19
It's up to the client to take the credentials from the URL and put them into the correct headers for the supported authentication method (like HTTP Basic or Digest). 客户端可以从URL获取凭据并将其放入支持的身份验证方法(如HTTP Basic或Digest)的正确标头中。 The server will just receive the location ("/", in this case) and the WWW-Authenticate header, which should be processed by Tomcat if you have container-managed authentication set up correctly. 服务器将只接收位置(在本例中为“/”)和WWW-Authenticate标头,如果您正确设置容器管理的身份验证,则应由Tomcat处理。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.