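I have configured Tomcat for basic authentication.
I do not want anyone to have access to my web application, but the application is serving web services.
So I want to bypass basic authentication for a specific IP address. (That IP should not require authentication.)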
tomcat-users.xml:
    <tomcat-users>
        <user username="user" password="password" roles="user"/>
    </tomcat-users>
web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>You must enter your login credentials to continue</realm-name>
    </login-config>
    <security-role>
        <description>
            The role that is required to log in to the Application
        </description>
        <role-name>user</role-name>
    </security-role>
Thanks,
Chetan.
If you would like to allow only a few IP addresses and disallow everybody else, the Remote Address Filter Valve http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_Address_Filter is what you need.
If you want clients from unknown IP addresses to see the basic login dialog and be able to log in, you need a custom Valve http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html. The source of the RemoteAddrValve http://grepcode.com/file/repo1.maven.org/maven2/org.apache.geronimo.ext.tomcat/catalina/7.0.39.2/org/apache/catalina/valves/RemoteAddrValve.java/ (and its parent class RequestFilterValve http://grepcode.com/file/repo1.maven.org/maven2/org.apache.geronimo.ext.tomcat/catalina/7.0.39.2/org/apache/catalina/valves/RequestFilterValve.java#RequestFilterValve) is a good starting point. Take a look at my former answer too: https://stackoverflow.com/questions/7553967/getting-a-value-from-httpservletrequest-getremoteuser-in-tomcat-without-modifyi/7560802#7560802.
Anyway, below is proof-of-concept code. It puts a populated Principal into the Request if the client is coming from a trusted IP, so the login module will not ask for the password. Otherwise it does not touch the Request object and the user can log in as usual.
    import java.io.IOException;
    import java.security.Principal;
    import java.util.ArrayList;
    import java.util.List;

    import javax.servlet.ServletException;

    import org.apache.catalina.connector.Request;
    import org.apache.catalina.connector.Response;
    import org.apache.catalina.realm.GenericPrincipal;
    import org.apache.catalina.valves.ValveBase;

    // Proof-of-concept valve: pre-authenticates requests from one trusted IP address.
    public class AutoLoginValve extends ValveBase {

        private String trustedIpAddress;

        public AutoLoginValve() {
        }

        @Override
        public void invoke(final Request request, final Response response)
                throws IOException, ServletException {
            final String remoteAddr = request.getRemoteAddr();
            // Exact string comparison against the single configured address.
            final boolean isTrustedIp = remoteAddr.equals(trustedIpAddress);
            System.out.println("remoteAddr: " + remoteAddr + ", trusted ip: "
                    + trustedIpAddress + ", isTrustedIp: " + isTrustedIp);
            if (isTrustedIp) {
                // Attach a ready-made Principal so the authenticator
                // does not send the BASIC challenge for this request.
                final String username = "myTrusedUser";
                final String credentials = "credentials";
                final List<String> roles = new ArrayList<String>();
                roles.add("user");
                roles.add("admin");
                final Principal principal = new GenericPrincipal(username,
                        credentials, roles);
                request.setUserPrincipal(principal);
            }
            // Continue down the pipeline in both cases.
            getNext().invoke(request, response);
        }

        // Set from the trustedIpAddress attribute of the <Valve> element.
        public void setTrustedIpAddress(final String trustedIpAddress) {
            System.out.println("setTrustedIpAddress " + trustedIpAddress);
            this.trustedIpAddress = trustedIpAddress;
        }
    }
And a config example for server.xml:
    <Valve className="autologinvalve.AutoLoginValve"
           trustedIpAddress="127.0.0.1" />
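The valve above compares the remote address with one exact string, so with trustedIpAddress="127.0.0.1" a loopback client that connects over IPv6 (reported by getRemoteAddr() as 0:0:0:0:0:0:0:1) still gets the login dialog. The following is an added example, not code from the original answer or from Tomcat: a stand-alone matcher that could replace the `remoteAddr.equals(trustedIpAddress)` test with an allowlist of IPv4/IPv6 literals and CIDR ranges and that fails closed on empty input. The class name `TrustedAddressMatcher` and the sample addresses are made up for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical class, not part of Tomcat): CIDR allowlist for the trust check.
public class TrustedAddressMatcher {
    private final List<byte[]> networks = new ArrayList<byte[]>();
    private final List<Integer> prefixes = new ArrayList<Integer>();

    // spec: comma-separated IP literals with optional /prefix, e.g. "127.0.0.1, ::1, 10.1.2.0/24".
    // Use literals only: a host name here would be resolved through DNS at construction time.
    public TrustedAddressMatcher(String spec) throws UnknownHostException {
        for (String entry : spec.split(",")) {
            String[] parts = entry.trim().split("/");
            // InetAddress.getByName("") silently returns loopback, so reject empty entries.
            if (parts.length > 2 || parts[0].isEmpty()) throw new IllegalArgumentException("bad entry: '" + entry + "'");
            byte[] net = InetAddress.getByName(parts[0]).getAddress();
            int bits = parts.length == 2 ? Integer.parseInt(parts[1]) : net.length * 8;
            if (bits < 0 || bits > net.length * 8) throw new IllegalArgumentException("bad prefix: '" + entry + "'");
            networks.add(net);
            prefixes.add(bits);
        }
    }

    public boolean isTrusted(String remoteAddr) {
        // Fail closed: getByName(null) and getByName("") would both yield loopback.
        if (remoteAddr == null || remoteAddr.isEmpty()) return false;
        byte[] addr;
        try { addr = InetAddress.getByName(remoteAddr).getAddress(); }
        catch (UnknownHostException e) { return false; }
        for (int i = 0; i < networks.size(); i++) {
            byte[] net = networks.get(i);
            // Only compare addresses of the same family (4 or 16 bytes).
            if (net.length == addr.length && samePrefix(net, addr, prefixes.get(i))) return true;
        }
        return false;
    }

    // True when the first 'bits' bits of a and b are identical.
    private static boolean samePrefix(byte[] a, byte[] b, int bits) {
        for (int i = 0; i < bits / 8; i++) if (a[i] != b[i]) return false;
        int rest = bits % 8;
        if (rest == 0) return true;
        int mask = (0xFF << (8 - rest)) & 0xFF;
        return (a[bits / 8] & mask) == (b[bits / 8] & mask);
    }

    public static void main(String[] args) throws UnknownHostException {
        TrustedAddressMatcher m = new TrustedAddressMatcher("127.0.0.1, ::1, 10.1.2.0/24");
        // Constructed sample addresses, including the empty string.
        for (String s : new String[] {"127.0.0.1", "0:0:0:0:0:0:0:1", "10.1.2.77", "10.1.3.1", ""})
            System.out.println("[" + s + "] trusted=" + m.isTrusted(s));
    }
}
```

Behind a reverse proxy, getRemoteAddr() returns the proxy's address, so an allowlist like this is only meaningful where Tomcat sees the client connection directly or the client address has been restored by a trusted component such as Tomcat's RemoteIpValve.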