我用Java编写了一个RESTful API,我希望用HTTP-Auth来保护它。我知道这不是很安全,但在我集成SSL并希望HTTP-Auth工作之前。我正在使用Tomcat,Jersey和Jax-WS。这个我插入到我的web.xml(在Servlet配置下):
[...]
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Orders</web-resource-name>
<url-pattern>/orders</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<!-- <realm-name>default</realm-name> -->
</login-config>
<security-role>
<role-name>admin</role-name>
<role-name>converter-api</role-name>
</security-role>
这是在Java代码中:
@GET @Produces("text/xml") @Path("/{partNO}/") @Consumes("text/xml")
public PartNoTemplate getPartNoResponse(@PathParam("partNO") String parID,
@Context SecurityContext parSecurityContext) throws WebApplicationException, UnsupportedEncodingException {
// Check Authorisation
checkAuthentication(parSecurityContext);
[...]
}
方法:
private void checkAuthentication(SecurityContext parSecurityContext) throws WebApplicationException {
Boolean isAuth = false;
for(String role: allowedRoles) {
if(parSecurityContext.isUserInRole(role)) {
isAuth = true;
}
}
if(!isAuth) {
throw new WebApplicationException(Response.Status.FORBIDDEN);
}
}
但是当我访问/ TNR / 1234时,我只得到403错误并且没有登录字段。我在tomcat配置文件tomcat_users.xml中配置了用户(在/web/WEB_INF/tomcat_users.xml中的Tomcat安装文件夹和IDE中:
<user username="maxi" password="1234" roles="admin, manager-gui, converter-api" />
我做错了什么?如果这很重要,我正在使用Tomcat 6!