How do I use Form Authentication with Tomcat?
web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="tomcat-demo" version="2.4"
         xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <servlet>
        <servlet-name>TestServlet</servlet-name>
        <servlet-class>test.TestServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>TestServlet</servlet-name>
        <url-pattern>/test</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>TestServlet requires authentication</web-resource-name>
            <url-pattern>/test</url-pattern>
            <!-- Listing http-method limits this constraint to GET and POST; other methods are not covered by it -->
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <!-- BASIC, DIGEST, FORM, CLIENT-CERT -->
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/login-failed.html</form-error-page>
        </form-login-config>
    </login-config>
</web-app>

Note: when transport-guarantee is CONFIDENTIAL or INTEGRAL, SSL must be configured.

login.html

<form method="POST" action="j_security_check">
    <table>
        <tr>
            <td colspan="2">Login to the Tomcat-Demo application:</td>
        </tr>
        <tr>
            <td>Name:</td>
            <td><input type="text" name="j_username" /></td>
        </tr>
        <tr>
            <td>Password:</td>
            <td><input type="password" name="j_password" /></td>
        </tr>
        <tr>
            <td colspan="2"><input type="submit" value="Go" /></td>
        </tr>
    </table>
</form>

login-failed.html

<p>Sorry, login failed!</p>

TestServlet.java

package test;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class TestServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    // Reached for GET /test once the container has authenticated the user (see web.xml).
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        // getRemoteUser() returns the login name established through j_security_check.
        out.println("Welcome '" + escapeHtml(request.getRemoteUser()) + "'");
        out.println("<br/><hr/>");
        Enumeration headerNames = request.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String headerName = (String) headerNames.nextElement();
            out.print("Header Name: <em>" + escapeHtml(headerName));
            String headerValue = request.getHeader(headerName);
            out.print("</em>, Header Value: <em>" + escapeHtml(headerValue));
            out.println("</em><br/>");
        }
        out.println("<br/><hr/>");
        out.println("<a href=\"logout.jsp\">Click here to log out</a>");
    }

    // Header names and values are supplied by the client, so escape them before writing HTML.
    private static String escapeHtml(String s) {
        return String.valueOf(s).replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
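
Also: this approach authenticates against tomcat-users.xml; of course, you can also extend org.apache.catalina.realm.DataSourceRealm.

Explanation: strictly speaking, j_security_check is JAAS authentication. The principle is that when a user accesses a resource from a Java program (more precisely, through the JVM) over the network or via I/O, the JVM uses java.security.manager or other Java authentication classes as a proxy for the access. Before the access takes place, the JVM checks whether the accessor is authorized. How does it determine whether the user is authorized? The JVM looks up the authorized user's permissions through the java.security.policy class.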

References:
http://apps.hi.baidu.com/share/detail/963439
http://download.oracle.com/javase/1.5.0/docs/guide/security/jaas/JAASRefGuide.html