将具有自定义领域的Web应用程序部署到Tomcat 6之后的HTTP状态404 [英] HTTP Status 404 after deploying a web application with a custom realm to Tomcat 6

问题描述

我为Tomcat 6开发了一个Web应用程序，面对一个我不知道如何解决的问题.让我们考虑以下小场景.想象一下，不仅需要通过用户名和密码对用户进行身份验证，而且只有在某些其他条件为真(例如，用户名，密码和他的IP地址匹配)的情况下，才可以授予身份验证.据我了解，Tomcat引入了领域的概念.对于应用程序来说，一个简单的JDBCRealm就足够了，因为仅在此之前检查用户和密码对.现在也需要检查IP地址.我编写了一个简单的测试类，扩展了JDBCRealm类:

package security;

import org.apache.catalina.realm.JDBCRealm;
import org.apache.log4j.Logger;

import java.security.Principal;
import java.sql.Connection;

public class ApplicationRealm extends JDBCRealm {

    protected final Logger logger = Logger.getLogger(this.getClass());

    @Override
    public synchronized Principal authenticate(Connection connection, String userName, String credentials) {
        logger.info("custom realm test, the authentication will be failed just for testing");
        return null;
    }

}

然后我尝试使用context.xml绑定该领域类:

<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <Realm className="security.ApplicationRealm" connectionName="${user}" connectionPassword="${password}"
        connectionURL="${url}${database}" debug="99" driverName="${driver}" roleNameCol="role" userCredCol="pw"
        userNameCol="login" userRoleTable="users_roles" userTable="users"/>
</Context>

Web应用程序的部署成功，但是当我尝试访问登录页面时，Tomcat返回了404页面(我怀疑问题的根源是Realm节点中的className属性):

HTTP Status 404 -
type Status report
message
description The requested resource () is not available.
Apache Tomcat/6.0.24

如何绑定context.xml中的自定义JDBCRealm后代?尝试为此使用JDBCRealm可能完全错误，但无论如何我都看不到正确的解决方案.

谢谢.

解决方案

不正确的领域部署是导致此问题的原因.此外，自定义领域在这里不适合.检查IP地址的最佳方法是编写可访问HTTP请求的自定义表单身份验证器.更改web.xml中的表单身份验证器，然后部署它，完全可以满足我的需要.它还消除了对每个请求检查IP地址的要求，因为安全资源被隐藏在授权墙"的后面-这意味着如果授权被授予，这也意味着IP是有效的.感谢JoseK指出了一个好的解决方案.我只是对Tomcat中的领域的概念感到困惑.

I develop a web application for Tomcat 6, and I'm face to face with a problem I don't know how to resolve. Let's consider the following small scenario. Imagine that it's required to authenticate users not just by user and password, the authentication is only granted if some extra conditions are true (e.g. user, password, and his IP address matches). As far I understood, Tomcat introduced the concept of realms. A simple JDBCRealm was enough for the application, because the user and password pair was checked only until the moment. Now it's required to check the IP address too. I have written a simple test class that extends the JDBCRealm class:

package security;

import org.apache.catalina.realm.JDBCRealm;
import org.apache.log4j.Logger;

import java.security.Principal;
import java.sql.Connection;

public class ApplicationRealm extends JDBCRealm {

    protected final Logger logger = Logger.getLogger(this.getClass());

    @Override
    public synchronized Principal authenticate(Connection connection, String userName, String credentials) {
        logger.info("custom realm test, the authentication will be failed just for testing");
        return null;
    }

}

And then I have tried to bind this realm class using the context.xml:

<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <Realm className="security.ApplicationRealm" connectionName="${user}" connectionPassword="${password}"
        connectionURL="${url}${database}" debug="99" driverName="${driver}" roleNameCol="role" userCredCol="pw"
        userNameCol="login" userRoleTable="users_roles" userTable="users"/>
</Context>

The deployment of the web application succeeds, but when I try to access the login page, Tomcat returns a 404 page (I suspect the root of the problem is the className attribute in the Realm node):

HTTP Status 404 -
type Status report
message
description The requested resource () is not available.
Apache Tomcat/6.0.24

How can I bind a custom JDBCRealm descendant in context.xml? Maybe I'm totally wrong trying to use the JDBCRealm for this, but I can't see the correct solution anyway.

Thanks in advance.

解决方案

Incorrect deployment of the realm was the cause of the problem. Moreover, a custom realm is not suitable here. The best way of checking the IP-address is writing a custom form authenticator that have access to the HTTP request. Changing the form authenticator in the web.xml, and deploying it allowed exactly what I needed. It also eliminates the requirement to check IP-address on every request, because secure resources are hidden behind the authorization "wall" - this means if the authorization is granted, it also means that the IP was valid. Thanks to JoseK for pointing a good solution. I was just confused a little with the concept of realms in Tomcat.

这篇关于将具有自定义领域的Web应用程序部署到Tomcat 6之后的HTTP状态404的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！