J2EE安全之Http基本验证

http基本验证也是常用保障j2ee程序安全的重要验证方式之一.

下面小结一下.

以tomcat的admin角色为例.

tomcat-users.xml代码如下:

<?xml version='1.0' encoding='utf-8'?>

<tomcat-users>

<role rolename="tomcat"/>

<role rolename="role1"/>

<role rolename="manager"/>

<role rolename="admin"/>

<user username="tomcat" password="tomcat" roles="tomcat"/>

<user username="role1" password="tomcat" roles="role1"/>

<user username="both" password="tomcat" roles="tomcat,role1"/>

<user username="admin" password="admin" roles="admin,manager"/>

</tomcat-users>

若想将web项目中的/root目录下的资源只对admin角色开放.可如下配置项目的web.xml文件

<security-constraint>

<web-resource-collection>

<web-resource-name>zgx</web-resource-name>

<url-pattern>/root/*</url-pattern>

<http-method>POST</http-method>

<http-method>GET</http-method>

</web-resource-collection>

<auth-constraint>

<role-name>admin</role-name>

</auth-constraint>

<user-data-constraint>

<transport-guarantee>NONE</transport-guarantee>

</user-data-constraint>

</security-constraint>

<security-role>

<role-name>admin</role-name>

</security-role>

<login-config>

<auth-method>BASIC</auth-method>

<realm-name>zgx</realm-name>

</login-config>

这样,访问/root目录下的文件时,需要提供admin用户名和密码.