在tomcat中保护Web应用程序 [英] Secure web apps in tomcat

问题描述

我有一个在apache tomcat中运行的web应用程序，我使用j_security_check来保护这个应用程序。我的代码如下，

I have a web app which runs in apache tomcat, I have used "j_security_check" to protect this application. My code are as follows,

login.jsp

<div id="loginForm">
    <form id="loginfrm" method="post" action="j_security_check">
        <table>
            <tr>
                <td>User Name</td>
                <td><input type="text" id="name" name="j_username" size="20" /></td>
            </tr>
            <tr>
                <td>Password</td>
                <td><input type="password" id="phone" name="j_password" size="20" /></td>
            </tr>
            <tr>
                <td></td>
                <td align="right"><input type="submit" value="Login" id="submitButton"></td>
            </tr>
        </table>
    </form>    
</div>

web.xml

<web-app ...>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Form-Based Authentication Area</realm-name>
        <form-login-config>
            <form-login-page>/success.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
</web-app>

错误页面

<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>JSP Page</title>
    </head>
    <body>
        <h1>Login ERROR!</h1>
    </body>
</html>

成功页面

<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>JSP Page</title>
    </head>
    <body>
        <h1>Login Success</h1>
    </body>
</html>

这里当我提供错误的用户名和错误的密码时，错误页面显示成功，但是当我给出正确的密码和用户名显示，

Here when I give a wrong username and a wrong password, error page is showing successfully but when I give correct password and username it shows,

HTTP Status 400 - Invalid direct reference to form login page

type Status report

message Invalid direct reference to form login page

description The request sent by the client was syntactically incorrect (Invalid direct reference to form login page).
Apache Tomcat/7.0.22

请有人告诉我哪里错了？

please anyone could tell me where am I wrong?

推荐答案

行：

<form-login-page>/success.jsp</form-login-page>

在 web.xml 中应该是：

<form-login-page>/login.jsp</form-login-page>

这告诉tomcat无论何时到达受保护的页面，登录表单都位于的login.jsp 。缺少的是实际需要进行身份验证的受保护页面的定义：

This tells tomcat that whenever you reach a protected page the login form is locates in login.jsp. What is missing is the definition of the protected pages that actually need authentication to be seen:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>
      Entire Application
    </web-resource-name>
    <url-pattern>/success.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name> 'the name of the group with access' </role-name>
  </auth-constraint>
</security-constraint>

以及领域的定义，其中是您的用户名/密码对的存储库（ tomcat领域）。

And the definition of the realm, which is your repository for username / password pairs (tomcat realm).

当你点击 http：// localhost：8080 / succes.jsp 进行这些更改时，你应该被重定向到登录页面，并在一组有效的凭据发送到 /success.jsp 并且凭证不良到 /error.jsp 。

With these changes when you hit http://localhost:8080/succes.jsp you should be redirected to the login page, and upon a valid set of credentials be sent to /success.jsp and with a bad set of credentials to /error.jsp.

这篇关于在tomcat中保护Web应用程序的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！