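Tomcat's built-in simple security realm configuration

I. MemoryRealm configuration

The memory realm is implemented by the org.apache.catalina.realm.MemoryRealm class. By default it reads login user account information from <CATALINA_HOME>/conf/tomcat-users.xml.

In Eclipse it looks like this:

Steps to configure MemoryRealm:

  1. Configure the security constraints, roles, and authentication method in web.xml.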
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
  <display-name>MemoryRealmAuth</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  
  <!-- Configure the security constraint -->
  <security-constraint>
    <display-name>MyApp Config Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- URL pattern of the protected web resources -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    
    <auth-constraint>
        <!-- Roles that are allowed access -->
        <role-name>admin</role-name>
        <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  
  <login-config>
    <!-- Use HTTP DIGEST authentication (MD5-based) -->
    <auth-method>DIGEST</auth-method>
    <realm-name>MyApp realm (shown on input dialog)</realm-name>
  </login-config>
</web-app>
  2. Configure the mapping between users, passwords, and roles in <CATALINA_HOME>/conf/tomcat-users.xml.
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users version="1.0" xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd">
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary. It is
  strongly recommended that you do NOT use one of the users in the commented out
  section below since they are intended for use with the examples web
  application.
-->
<!--
  NOTE:  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->

    <role rolename="admin"/>
    <role rolename="manager"/>
    <user username="bee" password="123456" roles="admin,manager"/>
</tomcat-users>
  3. Configure the Realm element in META-INF/context.xml.
<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <Realm className="org.apache.catalina.realm.MemoryRealm"/>
</Context>
  4. Restart Tomcat and test.

    Enter the username and password; the login succeeds.

    Login page:
<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>登陆</title>
</head>
<body>
    <p style="font-family:微软雅黑;font-weight:bold;font-size:30px;color:red;">
        登陆用户:<br/>
        <%=request.getRemoteUser() %> <br/>
    </p>
    <hr/>
    <p style="font-family:微软雅黑;font-weight:bold;font-size:30px;color:green;">
        用户IP:<br/>
        <%=request.getRemoteAddr() %>
    </p>
</body>
</html>
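
The DIGEST exchange that step 1 enables, as an added Python example (not code from the original post): the browser never sends the password, and the server verifies the request with MD5(username:realm:password) alone. The user, password and realm come from the configuration above; the URI, nonce, nc and cnonce are constructed values, and the function names are this example's own.

```python
import hashlib
import hmac

# From this page: the tomcat-users.xml user and the DIGEST <realm-name>.
USER, PASSWORD = "bee", "123456"
REALM = "MyApp realm (shown on input dialog)"


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """MD5(username:realm:password): all the server needs to verify DIGEST."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth, as the browser computes it."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def browser_header(username, realm, password, uri, nonce):
    """Client side: Authorization fields for one GET (nc/cnonce constructed)."""
    hdr = dict(uri=uri, nonce=nonce, nc="00000001", cnonce="0a4f113b", qop="auth")
    hdr["response"] = digest_response(ha1(username, realm, password), "GET",
                                      uri, nonce, hdr["nc"], hdr["cnonce"])
    return hdr


def server_accepts(stored_ha1, hdr, method="GET"):
    """Server side: recompute from the stored HA1, compare in constant time."""
    expected = digest_response(stored_ha1, method, hdr["uri"], hdr["nonce"],
                               hdr["nc"], hdr["cnonce"], hdr["qop"])
    return hmac.compare_digest(expected, hdr["response"])


def demo():
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce
    hdr = browser_header(USER, REALM, PASSWORD, "/index.jsp", nonce)
    stored_ok = ha1(USER, REALM, PASSWORD)
    # Same password, but digested against a realm string missing one space.
    stored_stale = ha1(USER, REALM.replace(" (", "("), PASSWORD)
    return server_accepts(stored_ok, hdr), server_accepts(stored_stale, hdr)


if __name__ == "__main__":
    print(demo())
```

Because verification needs only this value, Tomcat's Realm how-to describes storing it in place of the cleartext password when the realm is configured for digested passwords. The stored digest then depends on the exact <realm-name> string, so changing the realm name invalidates it.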
II. Other MemoryRealm configuration
  • Per-role access control in web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
  <display-name>MemoryRealmAuth</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  
  <!-- Security constraint 1 -->
  <security-constraint>
    <display-name>Admin Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Admin Protected Area</web-resource-name>
        <!-- URL patterns of the protected web resources (more than one allowed) -->
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- Roles that are allowed access -->
        <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
 
  <!-- Security constraint 2 -->
  <security-constraint>
    <display-name>Guest Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Guest Protected Area</web-resource-name>
        <!-- URL patterns of the protected web resources (more than one allowed) -->
        <url-pattern>/guest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- Roles that are allowed access -->
        <role-name>guest</role-name>
    </auth-constraint>
  </security-constraint>
  
  <login-config>
    <!-- Custom login page -->
    <auth-method>FORM</auth-method>
    <realm-name>MyApp realm(shown on input dialog)</realm-name>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
  • login.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>登陆</title>
</head>
<body>
    <!-- The action here must be j_security_check -->
    <form action="j_security_check" method="POST">
        <table border="0" cellspacing="10" cellpadding="2">
            <tr>
                <th>用户名:</th>
                <!-- The name here must be j_username -->
                <td><input type="text" name="j_username"/></td>
            </tr>
            <tr>
                <th>密码:</th>
                <!-- The name here must be j_password -->
                <td><input type="password" name="j_password"/></td>
            </tr>
            <tr>
                <td><input type="submit" value="登陆"/></td>
                <td><input type="reset" value="重置"/></td>
            </tr>
        </table>
    </form>
</body>
</html>
  • error.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>账号错误</title>
</head>
<body>
    <p style="font-family:微软雅黑;font-weight:bold;font-size:30px;color:red;">
        用户名或者口令错!
    </p>
</body>
</html>
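
An added audit sketch in Python (not from the original post) that cross-checks the per-role web.xml above against the tomcat-users.xml shown earlier: it reports constraints whose roles no user holds, and FORM or BASIC logins that are not forced onto HTTPS. The XML is trimmed from the page and embedded as constructed input; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed inputs, trimmed from the web.xml and tomcat-users.xml on this page.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/guest/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>guest</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>"""
USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="admin"/><role rolename="manager"/>
  <user username="bee" password="123456" roles="admin,manager"/>
</tomcat-users>"""


def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's "{namespace}" prefix


def texts(root, name):
    """Stripped text of every descendant element with this local name."""
    return [(e.text or "").strip() for e in root.iter() if local(e.tag) == name]


def audit(web_xml, users_xml):
    web, users = ET.fromstring(web_xml), ET.fromstring(users_xml)
    held = {r.strip() for u in users.iter() if local(u.tag) == "user"
            for r in u.get("roles", "").split(",") if r.strip()}
    method = (texts(web, "auth-method") or ["NONE"])[0]
    findings = []
    for c in (e for e in web.iter() if local(e.tag) == "security-constraint"):
        urls = ",".join(texts(c, "url-pattern"))
        roles = texts(c, "role-name")
        if roles and "*" not in roles and not held.intersection(roles):
            findings.append(f"{urls}: no user holds any of {roles}")
        tls = "CONFIDENTIAL" in texts(c, "transport-guarantee")
        if method in ("FORM", "BASIC") and not tls:
            findings.append(f"{urls}: {method} password sent without CONFIDENTIAL transport-guarantee")
    return findings


if __name__ == "__main__":
    for line in audit(WEB_XML, USERS_XML):
        print(line)
```

On the page's configuration this flags /guest/*, because tomcat-users.xml gives no user the guest role, and both constraints, because the j_password field of login.jsp is posted without a `<user-data-constraint>` requiring CONFIDENTIAL transport.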