首先在 tomcat-users.xml中配置
<tomat-users>
<role rolename="Admin"/>
<role rolename="Member"/>
<role rolename="Guest"/>
<user username="Stupid Wolf" password="admin" roles="Admin, Member, Guest"/>
</tomcat-users>
接着在 web.xml中配置
<security-role>
<role-name>Admin</role-name>
</security-role>
<!--授权时,容器将把开发商特定的role信息映射到这里的找到的<role-name>中 -->
定义资源/方法约束
<security-constraint>
<web-resource-collection>
<web-resource-name>Resources</web-resource-name>
<url-pattern>/url of files</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
</security-constraint>
在web.xml添加
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.html</form-error-page>
</form-login-config>
其中login.html error.html的代码分别为
<!DOCTYPE html>
<html>
<head>
<title>login.html</title>
<meta name="keywords" content="keyword1,keyword2,keyword3">
<meta name="description" content="this is my page">
<meta name="content-type" content="text/html; charset=UTF-8">
<!--<link rel="stylesheet" type="text/css" href="./styles.css">-->
</head>
<body>
<form name="f1" id="f1" action="j_security_check" method="post">
<table>
<tr>
<td>Login:</td>
<td><input type="text" name="j_username" id="login"></td>
</tr>
<tr>
<td>Password:</td>
<td><input type="password" name="j_password" id="password"></td>
</tr>
<tr>
<td colspan="2"><input type="submit"></td>
</tr>
</table>
</form>
</body>
</html>
<!DOCTYPE html>
<html>
<head>
<title>error.html</title>
<meta name="keywords" content="keyword1,keyword2,keyword3">
<meta name="description" content="this is my page">
<meta name="content-type" content="text/html; charset=UTF-8">
<meta charset="UTF-8">
<!--<link rel="stylesheet" type="text/css" href="./styles.css">-->
</head>
<body>
error!
身份认证错误 <br>
</body>
</html>
最后,我们也就完成了未经认证的客户请求一个没有传输保证的受限资源
附上结果截图:
其中 Security/test.jsp为一个受限的资源
当未经授权的用户访问test.jsp时,会弹出一个身份认证的表单
输入正确的身份之后,访问成功,否则,访问失败