如何在Apache Tomcat服务器上用密码保护HTTP Get Request？

Question

我想仅在用户正确提供HTTP请求标头中的用户名和密码时才向用户发送一些数据。

我尝试通过HttpServletReqest login（）方法执行此操作，但它没有工作。

这是我的服务器的doGet方法：

    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    // TODO Auto-generated method stub
    response.setContentType("application/json");
    PrintWriter out = response.getWriter();
    String token = "abcdef";
    request.login("User", "Pass");
    out.print("{\n\"Authentication Token\" : \"" + token + "\"\n}");

    out.flush();

}

以下是我发送的获取请求的标头（通过Google Chrome的Advanced Rest Client）

Authorization: Basic VXNlcjpQYXNz //"User" "Pass" converted to Base 64 by Advanced Rest Client

但它一直在抛出＆＃34;登录失败＆＃34; Servlet异常。

Answer 1

您需要在tomcat的tomcat-users.xml文件中配置用户和角色。 并在web.xml文件中配置URL以使用此身份验证。  给你下面的示例代码...

tomcat-users.xml file:

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="myname" password="mypassword" roles="tomcat"/>
  <user username="test" password="test"/>
</tomcat-users>

web.xml file :

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="tomcat-demo" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <servlet>
        <servlet-name>TestServlet</servlet-name>
        <servlet-class>test.TestServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>TestServlet</servlet-name>
        <url-pattern>/test</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
            <url-pattern>/test</url-pattern>
            <http-method>GET</http-method>

        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>

        <user-data-constraint>
            <!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

</web-app>