我想让Tomcat控制身份验证。为了测试它,我创建了简单页面,登录页面和loginError页面。
身份验证似乎有效。当我输入错误的登录名或密码时,我会看到loginError页面。但是当我输入正确的登录名和密码时,我看到:
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
这是我的web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<security-constraint>
<web-resource-collection>
<url-pattern>/protected.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginError.jsp</form-error-page>
</form-login-config>
</login-config>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
这是我的tomcat-users.xml
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="admin"/>
<role rolename="manager"/>
<user password="tomcat" roles="tomcat,manager,admin" username="tomcat"/>
<user password="proger" roles="tomcat" username="proger"/>
</tomcat-users>
我的login.jsp看起来像:
<html>
<body>
<form id="loginForm" method="post" action="j_security_check">
<p>
Username: <input type="text" name="j_username" id="j_username" />
<br/>
Password: <input type="password" name="j_password" id="j_password" />
<br/>
<button type="submit">login</button>
</p>
</form>
</body>
</html>
我部署它使用NetBeans 6.9.1。我使用Tomcat 6.0.29。 有什么不对? 提前谢谢。
答案 0 :(得分:1)
使用
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
要求您还定义“有效”角色
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>user</role-name>
</security-role>
如果用户输入有效的姓名/通行证,但只是角色'dimwit',他们将被拒绝访问