Security

Servlet security is handled by configuring users and roles in the web server (the servlet container).

Three annotation types are involved:

ServletSecurity

    HttpConstraint value();                          // default HttpConstraint, applied to every method that has no HttpMethodConstraint of its own
    HttpMethodConstraint[] httpMethodConstraints();  // array of per-HTTP-method constraints

HttpConstraint

    ServletSecurity.EmptyRoleSemantic value();                // enum value, used only when rolesAllowed is empty
    java.lang.String[] rolesAllowed();                        // allowed roles
    ServletSecurity.TransportGuarantee transportGuarantee();  // enum value

HttpMethodConstraint

    java.lang.String value();                                 // HTTP method name, e.g. "POST"
    ServletSecurity.EmptyRoleSemantic emptyRoleSemantic();    // enum value, used only when rolesAllowed is empty
    java.lang.String[] rolesAllowed();                        // allowed roles
    ServletSecurity.TransportGuarantee transportGuarantee();  // enum value

ServletSecurity contains two enums:

    enum EmptyRoleSemantic {
        PERMIT,        // empty role list: allow everyone
        DENY           // empty role list: allow nobody
    }

    enum TransportGuarantee {
        NONE,          // no transport requirement
        CONFIDENTIAL   // request must arrive over HTTPS
    }

The ServletSecurity annotation is placed on a servlet class, and each servlet can carry only one ServletSecurity.

Basic usage

1.

Because security is enforced by the web container, the users and roles must be declared in the container. Taking Tomcat as an example, first edit tomcat-users.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
--><tomcat-users>
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary.
-->
<!--
  NOTE:  The sample user and role entries below are wrapped in a comment
  and thus are ignored when reading this file. Do not forget to remove
  <!.. ..> that surrounds them.
-->

  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>

  
</tomcat-users>

The configuration above declares the roles tomcat and role1, and three accounts: tomcat, both and role1.

2.

Configure web.xml to use FORM authentication:

	<login-config>
		<auth-method>FORM</auth-method>
		<form-login-config>
			<form-login-page>/login.html</form-login-page>
			<form-error-page>/loginerror.html</form-error-page>
		</form-login-config>
	</login-config>


In login.html the input names must be j_username and j_password, and the form action must be j_security_check:

    <!DOCTYPE html>
    <html>
      <head>
        <title>login.html</title>
      </head>
      <body>
        <!-- the action and the field names are fixed by the Servlet specification -->
        <form method="post" action="j_security_check">
          用户名<input type="text" name="j_username"/><br/>
          密码  <input type="password" name="j_password"/><br/>
          <input type="submit" value="登录"/>
        </form>
      </body>
    </html>


3.

Now the annotation can be used directly on the servlet class:

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/TestSafeLogin2")
// Default constraint: every method requires the "tomcat" role.
// POST is overridden with an empty role list and DENY, so nobody may POST.
@ServletSecurity(value = @HttpConstraint(value = EmptyRoleSemantic.PERMIT, rolesAllowed = "tomcat"),
	httpMethodConstraints = @HttpMethodConstraint(value = "POST",
		emptyRoleSemantic = EmptyRoleSemantic.DENY))
public class at2 extends HttpServlet {

	@Override
	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
			throws ServletException, IOException {
		// getRemoteUser() is the name the container authenticated through the login form
		System.out.println("doGet " + req.getRemoteUser());
	}
}


This example means that POST is denied for everyone (empty role list with DENY), while every other method is allowed only for users in the tomcat role.

The resulting behaviour is that a request to TestSafeLogin2 is first redirected to login.html, where the user logs in against the accounts in tomcat-users.xml; if the credentials are correct and the user holds the required role the request is served, otherwise it is refused.
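To make the rule semantics concrete, here is an added example (not from the original post) that replays the container's decision for the at2 servlet above: it reads the @ServletSecurity annotation reflectively and applies the default HttpConstraint unless an HttpMethodConstraint matches the request method. It assumes the javax.servlet 3.x API (Tomcat 7 to 9; Tomcat 10 uses the jakarta.servlet package), Java 9 or later, and that at2 is compiled in the same package; ConstraintCheck, isAllowed and decide are names chosen for this example.

```java
import java.util.Set;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;

/** Added example: replays the container's @ServletSecurity decision for one request. */
public class ConstraintCheck {
    /** True if a caller holding userRoles may invoke httpMethod on servletClass. */
    static boolean isAllowed(Class<?> servletClass, String httpMethod,
                             Set<String> userRoles, boolean overHttps) {
        ServletSecurity sec = servletClass.getAnnotation(ServletSecurity.class);
        if (sec == null) {
            return true; // no annotation: nothing to enforce here (web.xml constraints are not modelled)
        }
        // A matching HttpMethodConstraint replaces the default HttpConstraint entirely.
        for (HttpMethodConstraint mc : sec.httpMethodConstraints()) {
            if (mc.value().equalsIgnoreCase(httpMethod)) {
                return decide(mc.rolesAllowed(), mc.emptyRoleSemantic(),
                              mc.transportGuarantee(), userRoles, overHttps);
            }
        }
        HttpConstraint dc = sec.value();
        return decide(dc.rolesAllowed(), dc.value(), dc.transportGuarantee(), userRoles, overHttps);
    }

    private static boolean decide(String[] rolesAllowed, EmptyRoleSemantic whenEmpty,
                                  TransportGuarantee transport,
                                  Set<String> userRoles, boolean overHttps) {
        if (transport == TransportGuarantee.CONFIDENTIAL && !overHttps) {
            return false; // the container would redirect to HTTPS rather than serve the request
        }
        if (rolesAllowed.length == 0) {
            // Empty role list: the EmptyRoleSemantic decides (PERMIT = everyone, DENY = nobody)
            return whenEmpty == EmptyRoleSemantic.PERMIT;
        }
        for (String role : rolesAllowed) {
            if (userRoles.contains(role)) {
                return true; // any one allowed role is enough
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Set<String> tomcatUser = Set.of("tomcat"); // roles of the "tomcat" account in tomcat-users.xml
        Set<String> role1User = Set.of("role1");   // roles of the "role1" account
        System.out.println("GET  as tomcat: " + isAllowed(at2.class, "GET", tomcatUser, false));
        System.out.println("GET  as role1:  " + isAllowed(at2.class, "GET", role1User, false));
        System.out.println("POST as tomcat: " + isAllowed(at2.class, "POST", tomcatUser, false));
    }
}
```

For at2 this yields true for GET as the tomcat account, false for GET as role1, and false for POST regardless of role, matching the explanation above.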

The equivalent configuration in web.xml (here protecting /TestSafeLogin):

	<security-constraint>
		<web-resource-collection>
			<web-resource-name>demo</web-resource-name>
			<url-pattern>/TestSafeLogin</url-pattern>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>
		<auth-constraint>
			<role-name>tomcat</role-name>
		</auth-constraint>

	</security-constraint>
	<security-role>
		<role-name>tomcat</role-name>
	</security-role>

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// No @ServletSecurity here: the <security-constraint> in web.xml protects /TestSafeLogin
@WebServlet("/TestSafeLogin")
public class at extends HttpServlet {

	@Override
	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
			throws ServletException, IOException {
		System.out.println("doGet " + req.getRemoteUser());
	}
}

Security constraints can also be added programmatically, and besides FORM the Java EE specification defines three other authentication methods.

The other three authentication methods
