Basic Authentication : Is it possible to setRemoteUser like getRemoteUser()


Problem description

Hi, I am using the basic authentication method for protecting some pages in my webapp, which have a specified URL pattern as follows:

<url-pattern>/Important/*</url-pattern>
<auth-method>BASIC</auth-method>

Now the problem is if the user logs in the normal way using a login form. The data is posted to my servlet, which validates the username and password and then proceeds further. Is there a way that I could setRemoteUser in this servlet, because the authentication input appears again once the user tries to access pages in the Important folder? Is there a way that I could inform the authentication mechanism that the user has already signed in?

Recommended answer

This is not possible. If you actually have an HTML <form> for login, then you should change the authentication method from BASIC to FORM.

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>

You also need to make sure that your HTML <form> submits to the predefined URL j_security_check with the username and password as predefined parameters j_username and j_password.

<form action="j_security_check" method="post">
    <input type="text" name="j_username" />
    <input type="password" name="j_password" />
    <input type="submit" value="login" />
</form>

This way the container will set the login the way you need and the username will be available by getRemoteUser(). Also, any unauthenticated user who accesses the restricted URL directly will automatically be forwarded to the login page. On successful login, it will automatically be forwarded back to the initially requested page.

Also, when using the FORM authentication method on a Servlet 3.0 compatible container (Tomcat 7, Glassfish 3, etc.), you will be able to programmatically log in the user with the HttpServletRequest#login() method introduced in Servlet 3.0. This allows finer-grained control over the process and validation. This isn't possible with BASIC authentication.

The BASIC authentication is a completely different thing. It shows a bare JavaScript lookalike dialog with username/password inputs. This doesn't require/use an HTML <form> or something. It also stores the authentication information on the client side, which gets sent as a request header on every single subsequent request. It doesn't store the authentication information in the server-side session as FORM authentication does.
