stackoom
  简体   繁体   中英

Tomcat Basic Authentication Permissions Issue

 原文  2011-05-31 20:56:56       java/ authentication/ tomcat/ jersey

Question

I currently have a web service running some basic authentication through Tomcat. I get the login box to pop up fine, and I can log in with accounts I have defined in the tomcat-users.xml file. However, when it comes to defining permissions based on roles, I'm having some issues.

Currently, I have three roles: manager, admin, and user. I have a few methods which should be only accessible by, say, an admin role. I can log in as my manager/admin/user super account and see everything just fine- but I can do the same as a normal user as well.

The methods are defined like so:

@Path("/Test")
@RolesAllowed("admin")
public class Test
{
    @GET
    @RolesAllowed("user")
    public methodThatMyUsersCanAcess{}

    @GET
    @Path("/Secure")
    @RolesAllowed("admin")
    public methodThatOnlyAdminsCanAcess{}
}

I'm really not sure how a 'user' role would be able to access the second method, but somehow it still happens.

2 answers

solution1
 1 ACCPTED  2011-06-02 14:29:54

After some more investigation, I discovered that using @RolesAllowed was doing nothing in my code due to the way my web.xml file was configured. I decided to move in the direction of setting authentication by URI path. This is done through modifying the web.xml to allow a subset of users to access each path under separate <security-constraint> tags. I found my best resource for this here: http://www.coderanch.com/t/176095/java-Web-Component-SCWCD/certification/auth-constraint-confusion in the second post.

solution2
 0  2012-03-27 16:10:04

The key point is to configure RolesAllowedResourceFilterFactory in web.xml, as below:

<servlet> 
    <servlet-name>jersey-servlet</servlet-name> 
    <servlet-class>com.sun.jersey.spi.spring.container.servlet.SpringServlet</servlet-class> 
        <init-param> 
            <param-name>com.sun.jersey.config.property.packages</param-name> 
            <param-value>com.mycompany.mobile.rest</param-value> 
        </init-param>
        <init-param>
            <param-name>com.sun.jersey.api.json.POJOMappingFeature</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>com.sun.jersey.config.feature.Trace</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>com.sun.jersey.spi.container.ContainerRequestFilters</param-name>
            <param-value>com.mycompany.mobile.rest.filter.RestSecurityFilter</param-value>
        </init-param>
        <init-param>
            <param-name>com.sun.jersey.spi.container.ResourceFilters</param-name>
            <param-value>com.sun.jersey.api.container.filter.RolesAllowedResourceFilterFactory</param-value>
        </init-param>
    <load-on-startup>1</load-on-startup> 
</servlet>

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Jaas Basic Authentication tomcat 7 Override Tomcat basic authentication Basic SpringMVC + Tomcat issue amazon beanstalk tomcat basic authentication Tomcat Migration - Authentication Issue BASIC Authentication and SSL configuration failed in Tomcat 6.0 Embedded Tomcat with basic authentication via code Basic authentication in Tomcat6 not working on directory how to skip http basic authentication in tomcat? Error 403 when using Basic Authentication with Tomcat 8
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM