[英]Tomcat Basic Authentication Permissions Issue
I currently have a web service running some basic authentication through Tomcat.我目前有一个 web 服务通过 Tomcat 运行一些基本身份验证。 I get the login box to pop up fine, and I can log in with accounts I have defined in the tomcat-users.xml file.
我可以正常弹出登录框,并且可以使用我在 tomcat-users.xml 文件中定义的帐户登录。 However, when it comes to defining permissions based on roles, I'm having some issues.
但是,在基于角色定义权限时,我遇到了一些问题。
Currently, I have three roles: manager, admin, and user.目前,我拥有三个角色:经理、管理员和用户。 I have a few methods which should be only accessible by, say, an admin role.
我有一些方法只能由管理员角色访问。 I can log in as my manager/admin/user super account and see everything just fine- but I can do the same as a normal user as well.
我可以作为我的经理/管理员/用户超级帐户登录并查看一切正常 - 但我也可以像普通用户一样做同样的事情。
The methods are defined like so:这些方法的定义如下:
@Path("/Test")
@RolesAllowed("admin")
public class Test
{
@GET
@RolesAllowed("user")
public methodThatMyUsersCanAcess{}
@GET
@Path("/Secure")
@RolesAllowed("admin")
public methodThatOnlyAdminsCanAcess{}
}
I'm really not sure how a 'user' role would be able to access the second method, but somehow it still happens.我真的不确定“用户”角色如何能够访问第二种方法,但不知何故它仍然会发生。
After some more investigation, I discovered that using @RolesAllowed
was doing nothing in my code due to the way my web.xml file was configured.经过进一步调查,我发现使用
@RolesAllowed
在我的代码中没有做任何事情,因为我的 web.xml 文件的配置方式。 I decided to move in the direction of setting authentication by URI path.我决定朝着通过 URI 路径设置身份验证的方向前进。 This is done through modifying the web.xml to allow a subset of users to access each path under separate
<security-constraint>
tags.这是通过修改 web.xml 以允许一部分用户访问单独
<security-constraint>
标签下的每个路径来完成的。 I found my best resource for this here: http://www.coderanch.com/t/176095/java-Web-Component-SCWCD/certification/auth-constraint-confusion in the second post.我在这里找到了最好的资源: http://www.coderanch.com/t/176095/java-Web-Component-SCWCD/certification/auth-constraint-confusion在第二篇文章中。
The key point is to configure RolesAllowedResourceFilterFactory
in web.xml, as below:关键是在web.xml中配置
RolesAllowedResourceFilterFactory
,如下:
<servlet>
<servlet-name>jersey-servlet</servlet-name>
<servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class>
<init-param>
<param-name>com.sun.jersey.config.property.packages</param-name>
<param-value>com.mycompany.mobile.rest</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.config.feature.Trace</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.spi.container.ContainerRequestFilters</param-name>
<param-value>com.mycompany.mobile.rest.filter.RestSecurityFilter</param-value>
</init-param>
<init-param>
<param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
<param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.