Tomcat 添加 UserDatabase ResourceLink 后验证失败
Tomcat authentication failed after adding UserDatabase ResourceLink
问题:
添加 Tomcat ResourceLink <ResourceLink name="UserDatabase" global="UserDatabase" type="org.apache.catalina.UserDatabase"/> 后,我的身份验证被破坏了。我可以登录并执行 REST CALL,让我从 tomcat-users.xml 获取所有用户。然后我重新加载页面,出现 403 - Forbidden 错误。
我有两个 Web 应用程序。一个是从数据库(后端)获取数据的 REST API,另一个 Web 应用程序用于管理数据库(前端)。
所以我为我的前端应用程序添加了一个 FORM 身份验证,为我的后端添加了一个 BASIC 身份验证。用户存储在 tomcat-users.xml 文件中 -> 一切正常
现在我想用 frontend/backend 以编程方式编辑 tomcat-users,我发现了这个 how to programmatically add users to tomcat UserDatabaseRealm?
我将 link 中的代码添加到我的 REST API 中,然后调用 URL /api/admin/tomcat/user 我得到了所有用户和用户角色。但是在这个页面上调用一次之后,我总是得到一个 403 - Forbidden 错误!
如果我不执行 REST CALL 或只是删除 ResourceLink,问题就不会发生。
代码/错误
(看Tomcat日志最后两行,为什么第一次找到角色,第二次找不到?)
Tomcat 日志:
登录成功/第一次调用页面后的日志:
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /es_admin/admin/setting.jsp
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke We have cached auth type FORM for principal GenericPrincipal[admin(CR8000,SOLIDWORKS,admin,)]
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Adminstrative Pages]' against GET /admin/setting.jsp --> true
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[User Pages]' against GET /admin/setting.jsp --> false
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Adminstrative Pages]' against GET /admin/setting.jsp --> true
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[User Pages]' against GET /admin/setting.jsp --> false
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.checkForCachedAuthentication Bereits authentifiziert [admin]
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[admin(CR8000,SOLIDWORKS,admin,)]
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission Role found: admin
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed all security constraints
重新加载页面或切换到另一个页面后的日志:
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /es_admin/admin/setting.jsp
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke We have cached auth type FORM for principal GenericPrincipal[admin(CR8000,SOLIDWORKS,admin,)]
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[User Pages]' against GET /admin/setting.jsp --> false
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Adminstrative Pages]' against GET /admin/setting.jsp --> true
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[User Pages]' against GET /admin/setting.jsp --> false
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Adminstrative Pages]' against GET /admin/setting.jsp --> true
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.checkForCachedAuthentication Bereits authentifiziert [admin]
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[admin(CR8000,SOLIDWORKS,admin,)]
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: admin
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
web.xml - 前端
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>frontend</display-name>
<welcome-file-list>
<welcome-file>login.jsp</welcome-file>
</welcome-file-list>
<!--Defines Security Constraint -->
<security-constraint>
<display-name>frontend admin</display-name>
<web-resource-collection>
<web-resource-name>Adminstrative Pages</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>frontend user</display-name>
<web-resource-collection>
<web-resource-name>User Pages</web-resource-name>
<description/>
<url-pattern>/user/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>SOLIDWORKS</role-name>
</auth-constraint>
<auth-constraint>
<description/>
<role-name>CR8000</role-name>
</auth-constraint>
</security-constraint>
<!--Defines Login Config -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>file</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
<!--Defines Security Role -->
<security-role>
<description/>
<role-name>admin</role-name>
</security-role>
<security-role>
<description/>
<role-name>SOLIDWORKS</role-name>
</security-role>
<security-role>
<description/>
<role-name>CR8000</role-name>
</security-role>
</web-app>
context.xml
<Context>
<!-- Default set of monitored resources. If one of these changes, the -->
<!-- web application will be reloaded. -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
<ResourceLink name="UserDatabase" global="UserDatabase" type="org.apache.catalina.UserDatabase" />
</Context>
tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<role rolename="admin"/>
<role rolename="CR8000"/>
<role rolename="SOLIDWORKS"/>
<user username="admin" password="password" roles="admin,CR8000,SOLIDWORKS"/>
<user username="testSolid" password="password" roles="SOLIDWORKS"/>
<user username="testZuken" password="password" roles="CR8000"/>
</tomcat-users>
领域配置
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
用这个方法后报错
@GET
@Path("/tomcat/user")
@Produces(MediaType.APPLICATION_JSON)
public ArrayList<TomcatUser> getTomcatUser() {
getLogWriter().writeLog("GET call on /tomcat/user");
ArrayList<TomcatUser> tomcatUsers = new ArrayList<TomcatUser>();
try {
UserDatabase ud = (UserDatabase) new InitialContext().lookup("java:comp/env/UserDatabase");
ud.open();
Iterator<org.apache.catalina.User> iteratorUsers = ud.getUsers();
while (iteratorUsers.hasNext()) {
org.apache.catalina.User user = iteratorUsers.next();
TomcatUser tmpTomcatUser = new TomcatUser();
String username = user.getUsername();
Iterator<Role> iteratorRoles = user.getRoles();
ArrayList<Role> roles = new ArrayList<Role>();
// Change from Iterator to ArrayList
iteratorRoles.forEachRemaining(roles::add);
ArrayList<String> strRoles = new ArrayList<String>();
for (int x = 0; x < roles.size(); x++) {
strRoles.add(roles.get(x).getRolename());
}
tmpTomcatUser.setUsername(username);
tmpTomcatUser.setRoles(strRoles);
tomcatUsers.add(tmpTomcatUser);
tmpTomcatUser = null;
}
ud.close();
} catch (Exception e) {
e.printStackTrace();
}
return tomcatUsers;
}
这看起来像 tomcat 中的 roles 问题。您可以使用以下配置来允许所有角色。
<role-name>*</role-name>
根据问题默认设置,tomcat-user.xml 文件在基本身份验证下运行良好。您在使用 how to programmatically add users to tomcat UserDatabaseRealm? 后面临角色问题。是真的吗?如果是,那么我认为您还需要以编程方式传递角色。
我在我的servlet中发现了两个问题来解决问题:
- 我从
UserDatabase 中删除了方法调用 .open()
- 我必须 return 一个字符串而不是
TomcatUser 对象。对于 return 字符串,我使用 Gson 将我的对象格式化为 JSON 字符串。
所以这是我最后的 servlet 方法:
@GET
@Path("/tomcat/user")
@Produces(MediaType.APPLICATION_JSON)
public String getTomcatUser() {
getLogWriter().writeLog("GET call on /tomcat/user");
ArrayList<TomcatUser> tomcatUsers = new ArrayList<TomcatUser>();
try {
UserDatabase ud = (UserDatabase) new InitialContext().lookup("java:comp/env/UserDatabase");
Iterator<org.apache.catalina.User> iteratorUsers = ud.getUsers();
while (iteratorUsers.hasNext()) {
org.apache.catalina.User user = iteratorUsers.next();
System.out.println(user.getUsername());
TomcatUser tmpTomcatUser = new TomcatUser();
String username = user.getUsername();
Iterator<Role> iteratorRoles = user.getRoles();
ArrayList<String> strRoles = new ArrayList<String>();
while (iteratorRoles.hasNext()) {
Role role = iteratorRoles.next();
strRoles.add(role.getRolename());
}
tmpTomcatUser.setUsername(username);
tmpTomcatUser.setRoles(strRoles);
tomcatUsers.add(tmpTomcatUser);
tmpTomcatUser = null;
}
} catch (Exception e) {
e.printStackTrace();
}
return new Gson().toJson(tomcatUsers);
}
问题:
添加 Tomcat ResourceLink <ResourceLink name="UserDatabase" global="UserDatabase" type="org.apache.catalina.UserDatabase"/> 后,我的身份验证被破坏了。我可以登录并执行 REST CALL,让我从 tomcat-users.xml 获取所有用户。然后我重新加载页面,出现 403 - Forbidden 错误。
我有两个 Web 应用程序。一个是从数据库(后端)获取数据的 REST API,另一个 Web 应用程序用于管理数据库(前端)。
所以我为我的前端应用程序添加了一个 FORM 身份验证,为我的后端添加了一个 BASIC 身份验证。用户存储在 tomcat-users.xml 文件中 -> 一切正常
现在我想用 frontend/backend 以编程方式编辑 tomcat-users,我发现了这个 how to programmatically add users to tomcat UserDatabaseRealm?
我将 link 中的代码添加到我的 REST API 中,然后调用 URL /api/admin/tomcat/user 我得到了所有用户和用户角色。但是在这个页面上调用一次之后,我总是得到一个 403 - Forbidden 错误!
如果我不执行 REST CALL 或只是删除 ResourceLink,问题就不会发生。
代码/错误
(看Tomcat日志最后两行,为什么第一次找到角色,第二次找不到?)
Tomcat 日志:
登录成功/第一次调用页面后的日志:
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /es_admin/admin/setting.jsp
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke We have cached auth type FORM for principal GenericPrincipal[admin(CR8000,SOLIDWORKS,admin,)]
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Adminstrative Pages]' against GET /admin/setting.jsp --> true
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[User Pages]' against GET /admin/setting.jsp --> false
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Adminstrative Pages]' against GET /admin/setting.jsp --> true
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[User Pages]' against GET /admin/setting.jsp --> false
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.checkForCachedAuthentication Bereits authentifiziert [admin]
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[admin(CR8000,SOLIDWORKS,admin,)]
[http-nio-8080-exec-8] org.apache.catalina.realm.RealmBase.hasResourcePermission Role found: admin
[http-nio-8080-exec-8] org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed all security constraints
重新加载页面或切换到另一个页面后的日志:
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /es_admin/admin/setting.jsp
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke We have cached auth type FORM for principal GenericPrincipal[admin(CR8000,SOLIDWORKS,admin,)]
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[User Pages]' against GET /admin/setting.jsp --> false
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Adminstrative Pages]' against GET /admin/setting.jsp --> true
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[User Pages]' against GET /admin/setting.jsp --> false
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Adminstrative Pages]' against GET /admin/setting.jsp --> true
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint has no restrictions
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.checkForCachedAuthentication Bereits authentifiziert [admin]
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling accessControl()
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.hasResourcePermission Checking roles GenericPrincipal[admin(CR8000,SOLIDWORKS,admin,)]
[http-nio-8080-exec-15] org.apache.catalina.realm.RealmBase.hasResourcePermission No role found: admin
[http-nio-8080-exec-15] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed accessControl() test
web.xml - 前端
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>frontend</display-name>
<welcome-file-list>
<welcome-file>login.jsp</welcome-file>
</welcome-file-list>
<!--Defines Security Constraint -->
<security-constraint>
<display-name>frontend admin</display-name>
<web-resource-collection>
<web-resource-name>Adminstrative Pages</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>frontend user</display-name>
<web-resource-collection>
<web-resource-name>User Pages</web-resource-name>
<description/>
<url-pattern>/user/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description/>
<role-name>SOLIDWORKS</role-name>
</auth-constraint>
<auth-constraint>
<description/>
<role-name>CR8000</role-name>
</auth-constraint>
</security-constraint>
<!--Defines Login Config -->
<login-config>
<auth-method>FORM</auth-method>
<realm-name>file</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
<!--Defines Security Role -->
<security-role>
<description/>
<role-name>admin</role-name>
</security-role>
<security-role>
<description/>
<role-name>SOLIDWORKS</role-name>
</security-role>
<security-role>
<description/>
<role-name>CR8000</role-name>
</security-role>
</web-app>
context.xml
<Context>
<!-- Default set of monitored resources. If one of these changes, the -->
<!-- web application will be reloaded. -->
<WatchedResource>WEB-INF/web.xml</WatchedResource>
<WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
<WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>
<ResourceLink name="UserDatabase" global="UserDatabase" type="org.apache.catalina.UserDatabase" />
</Context>
tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<role rolename="admin"/>
<role rolename="CR8000"/>
<role rolename="SOLIDWORKS"/>
<user username="admin" password="password" roles="admin,CR8000,SOLIDWORKS"/>
<user username="testSolid" password="password" roles="SOLIDWORKS"/>
<user username="testZuken" password="password" roles="CR8000"/>
</tomcat-users>
领域配置
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
用这个方法后报错
@GET
@Path("/tomcat/user")
@Produces(MediaType.APPLICATION_JSON)
public ArrayList<TomcatUser> getTomcatUser() {
getLogWriter().writeLog("GET call on /tomcat/user");
ArrayList<TomcatUser> tomcatUsers = new ArrayList<TomcatUser>();
try {
UserDatabase ud = (UserDatabase) new InitialContext().lookup("java:comp/env/UserDatabase");
ud.open();
Iterator<org.apache.catalina.User> iteratorUsers = ud.getUsers();
while (iteratorUsers.hasNext()) {
org.apache.catalina.User user = iteratorUsers.next();
TomcatUser tmpTomcatUser = new TomcatUser();
String username = user.getUsername();
Iterator<Role> iteratorRoles = user.getRoles();
ArrayList<Role> roles = new ArrayList<Role>();
// Change from Iterator to ArrayList
iteratorRoles.forEachRemaining(roles::add);
ArrayList<String> strRoles = new ArrayList<String>();
for (int x = 0; x < roles.size(); x++) {
strRoles.add(roles.get(x).getRolename());
}
tmpTomcatUser.setUsername(username);
tmpTomcatUser.setRoles(strRoles);
tomcatUsers.add(tmpTomcatUser);
tmpTomcatUser = null;
}
ud.close();
} catch (Exception e) {
e.printStackTrace();
}
return tomcatUsers;
}
这看起来像 tomcat 中的 roles 问题。您可以使用以下配置来允许所有角色。
<role-name>*</role-name>
根据问题默认设置,tomcat-user.xml 文件在基本身份验证下运行良好。您在使用 how to programmatically add users to tomcat UserDatabaseRealm? 后面临角色问题。是真的吗?如果是,那么我认为您还需要以编程方式传递角色。
我在我的servlet中发现了两个问题来解决问题:
- 我从
UserDatabase 中删除了方法调用 - 我必须 return 一个字符串而不是
TomcatUser对象。对于 return 字符串,我使用 Gson 将我的对象格式化为 JSON 字符串。
.open()
所以这是我最后的 servlet 方法:
@GET
@Path("/tomcat/user")
@Produces(MediaType.APPLICATION_JSON)
public String getTomcatUser() {
getLogWriter().writeLog("GET call on /tomcat/user");
ArrayList<TomcatUser> tomcatUsers = new ArrayList<TomcatUser>();
try {
UserDatabase ud = (UserDatabase) new InitialContext().lookup("java:comp/env/UserDatabase");
Iterator<org.apache.catalina.User> iteratorUsers = ud.getUsers();
while (iteratorUsers.hasNext()) {
org.apache.catalina.User user = iteratorUsers.next();
System.out.println(user.getUsername());
TomcatUser tmpTomcatUser = new TomcatUser();
String username = user.getUsername();
Iterator<Role> iteratorRoles = user.getRoles();
ArrayList<String> strRoles = new ArrayList<String>();
while (iteratorRoles.hasNext()) {
Role role = iteratorRoles.next();
strRoles.add(role.getRolename());
}
tmpTomcatUser.setUsername(username);
tmpTomcatUser.setRoles(strRoles);
tomcatUsers.add(tmpTomcatUser);
tmpTomcatUser = null;
}
} catch (Exception e) {
e.printStackTrace();
}
return new Gson().toJson(tomcatUsers);
}