Tomcat secure access
Question
I have two Web Services (MyService and MyProtectedService). I want both going under the same HTTPS port but only the protected one to have client authentication (clientAuth=true).
All the security is working fine, but the problem is that the client auth is ON for both services, not only for the protected one. What I would like is to remove the client auth for one of them, or apply the client auth to the other one only.
Does anyone have any hint? Thanks
In web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected element</web-resource-name>
    <description/>
    <url-pattern>/MyProtectedService</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
UPDATE: I tried to split the service into two constraints:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>OpenService</web-resource-name>
    <description/>
    <url-pattern>/OpenService</url-pattern>
  </web-resource-collection>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected</web-resource-name>
    <description/>
    <url-pattern>/MyProtectedService</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
</security-constraint>
And have clientAuth=false in server.xml.
But then I can access this without any client authentication: https://MACHINE/MyProtectedService/MyProtectedService?wsdl
Recommended answer
The approach is to have two separate security constraints, even though the one for the public service has no constraint at all (neither an auth-constraint nor a user-data-constraint). It assumes that the two services have different URLs, which is most likely the case:
<security-role>
  <role-name>ProtectedServiceRole</role-name>
</security-role>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public Service</web-resource-name>
    <url-pattern>/PublicService/*</url-pattern>
  </web-resource-collection>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Service</web-resource-name>
    <url-pattern>/ProtectedService/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  <auth-constraint>
    <role-name>ProtectedServiceRole</role-name>
  </auth-constraint>
</security-constraint>
The role name specified in the auth-constraint is what triggers authentication.
UPDATE: I'm afraid I hadn't properly read your question and overlooked the certificate authentication part. Though I have used it in the past, I never had the mixed setup you require, so I can only give some options for what you could try next:
Currently you require the authentication on the transport level. That's too low-level and too early. Have you tried setting clientAuth to false and instead adding the following lines to your web.xml:
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
Another option is to use two different ports for the two services. For that, you define two different connectors in server.xml.
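The following is an added example (not the question's or the answer's own file) showing the answer's two approaches combined into one complete web.xml: an explicitly listed public service with no constraints, a protected service with both an auth-constraint and CONFIDENTIAL transport, and a single top-level login-config for CLIENT-CERT. The paths /PublicService and /ProtectedService, the role name and the realm name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original question or answer.
     Paths, role name and realm name are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Public service: listed on purpose but with neither an auth-constraint
       nor a user-data-constraint, so no client certificate is ever asked for
       and plain HTTP is allowed. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public Service</web-resource-name>
      <url-pattern>/PublicService/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <!-- Protected service: the auth-constraint is what makes the container run
       the CLIENT-CERT authenticator; CONFIDENTIAL forces HTTPS. The schema
       orders auth-constraint before user-data-constraint (Tomcat accepts
       either order). No http-method is listed, so every method is covered. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Service</web-resource-name>
      <url-pattern>/ProtectedService/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ProtectedServiceRole</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- login-config is a child of web-app, not of security-constraint.
       Nesting it inside a security-constraint (as in the question's update)
       is not valid web.xml and is silently ignored by Tomcat. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Protected Service</realm-name>
  </login-config>

  <security-role>
    <role-name>ProtectedServiceRole</role-name>
  </security-role>
</web-app>
```

With CLIENT-CERT the realm receives the certificate's subject DN as the user name, so the configured realm (for example tomcat-users.xml) must contain a user whose name is that DN and who is granted ProtectedServiceRole; otherwise the request is rejected with 401/403 even though the certificate itself is trusted.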
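As an added example (not from the original answer) of the server.xml side, here is a Service with two HTTPS connectors: one with clientAuth="false" for the single-port setup, where the CLIENT-CERT authenticator requests the certificate only for URLs covered by an auth-constraint, and a second port whose TLS handshake itself demands a client certificate for every request, matching the "two connectors" option. Port numbers, keystore and truststore paths and passwords are assumptions; the attribute names are the classic Tomcat 6/7 JSSE connector attributes.

```xml
<!-- Added example, not from the original answer. Ports, keystore/truststore
     file names and passwords are assumptions. -->
<Service name="Catalina">

  <!-- Option A: one HTTPS port shared by both services. The handshake does
       not ask for a client certificate; Tomcat's CLIENT-CERT authenticator
       asks for it later (by TLS renegotiation) only when a request hits a
       URL with an auth-constraint. The truststore must hold the CA that
       issues client certificates, or renegotiation will reject them. -->
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" clientAuth="false"
             keystoreFile="${catalina.base}/conf/server.jks"
             keystorePass="changeit"
             truststoreFile="${catalina.base}/conf/client-ca.jks"
             truststorePass="changeit" />

  <!-- Option B: a dedicated port where every connection must present a
       client certificate during the handshake, independent of web.xml.
       Within one Service every webapp answers on both ports, so a strict
       split needs the protected webapp deployed in its own Service (own
       Engine and appBase) that only has this connector. -->
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" clientAuth="true"
             keystoreFile="${catalina.base}/conf/server.jks"
             keystorePass="changeit"
             truststoreFile="${catalina.base}/conf/client-ca.jks"
             truststorePass="changeit" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" />
  </Engine>
</Service>
```

Option A relies on TLS renegotiation, which TLS 1.3 does not support; if the connector negotiates TLS 1.3 the authenticator cannot obtain a certificate after the fact and the protected URLs will fail with 401. On Tomcat 8.5 and later these attributes move into a nested SSLHostConfig element, where certificateVerification="optional" plays the role of clientAuth="false" plus CLIENT-CERT (the certificate is requested but not required by the handshake) and certificateVerification="required" corresponds to clientAuth="true".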