如何修复Tomcat对已被拒绝的请求资源的访问?

时间:2013-08-21 01:40:57

标签: servlets tomcat7 http-status-code-403 security-constraint

更新:完全删除<auth-constraint>元素后,代码可以正常运行。任何人都可以解释为什么它出现时不起作用?

我正在编写一些代码来练习在部署描述符中保护servlet,我在浏览器中获得以下内容:

HTTP Status 403 - Access to the requested resource has been denied
type Status report
message Access to the requested resource has been denied
description Access to the specified resource has been forbidden.
Apache Tomcat/7.0.42

关于我做错了什么的想法?我已经对之前的帖子进行了一些搜索,似乎Tomcat 7中的角色名称可能已经更新 - 我已经玩过这个,但到目前为止还没有成功。 (以下代码)。

的web.xml

<?xml version="1.0" ?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee    
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<servlet>
    <servlet-name>CheckedServlet</servlet-name>
    <servlet-class>webcert.ch05.ex0502J.CheckedServlet</servlet-class>
    <security-role-ref>
        <role-name>MGR</role-name>
        <role-link>manager</role-link>
    </security-role-ref>
</servlet>
<servlet-mapping>
    <servlet-name>CheckedServlet</servlet-name>
    <url-pattern>/CheckedServlet</url-pattern>
</servlet-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>CheckedServletConstraint</web-resource-name>
        <url-pattern>/CheckedServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <role-name>manager</role-name>
</security-role>

CheckedServlet.java

package webcert.ch05.ex0502J;
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.security.*;

public class CheckedServlet extends HttpServlet{

protected void doPost(HttpServletRequest request, HttpServletResponse response) 
        throws ServletException, IOException {
    doGet(request, response);
}
protected void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException{

    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    out.write("<html><head><title>CheckedServlet</title></head><body>");

    String userMessage;
    Principal user = request.getUserPrincipal();
    if(user == null)
        userMessage = "Access denied.";
    else
        userMessage = "Access granted.";

    out.write("<br>" + userMessage + " Principal name is " + user +
              "<br>If authorized, you should see some more text below:");

    if(request.isUserInRole("manager"))
        out.write("<br>Here's some super secret extra text since your " +
                "role is manager.");

    out.write("</body></html>");
    out.flush();
    out.close();
}
}

3 个答案:

答案 0 :(得分:4)

如果为Web应用程序启用安全性(正如您通过向web.xml添加<security-constraint>子句所做的那样),则还需要在tomcat-user.xml中定义相应的用户/角色/密码。此文件通常位于tomcat安装的conf文件夹中。以下是可以添加到安装的tomcat-user.xml文件的示例行:

<role rolename="MGR"/>  
<user password="mypassword" roles="MGR" username="user1"/>
<user password="mypassword2" roles="MGR" username="user2"/>

现在,当您访问应用程序时,应用程序将提示您使用HTTP Basic Auth输入用户ID /密码,而不是获取状态403错误消息。如果您使用上述用户标识之一,则应该能够成功登录。

答案 1 :(得分:2)

您需要在web.xml中添加以下内容:

<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

然后您还可以编辑tomcat-user.xml以添加角色和用户名。在这些之后重新部署应用程序,这个问题就应该消失了。

答案 2 :(得分:0)

来自其他成员的两个评论是正确的。要总结添加角色,登录配置和tomcat的相应用户配置的要点,您可以查看这篇文章:

How to fix Tomcat HTTP Status 403: Access to the requested resource has been denied?