仅将JSP/Servlet访问限制为特定用户 [英] Restrict JSP/Servlet access to specific users only

问题描述

我正在开发一个Web应用程序.我希望能够让一些朋友看到它，但不能让其他偶然发现该URL的朋友看到​​它.我打算放一个登录页面，然后放一个简单的密码框.输入正确的密码后，我将其记录在会话中，并在其余时间保持浏览器打开的情况下照常公开该网站.

I'm developing a web app. I'd like to be able to let some friends see it, but not others that stumble upon the url. I was going to put a landing page and then a simple password box. Once the correct password is entered, I'd just record it in the session and expose the site as usual for the rest of the time they keep the browser open.

是否有标准方法可以做到这一点?我会在我的web应用程序中添加额外的代码来支持此操作，但是我不确定是否已经有内置的方法(我正在使用Java servlet).

Is there a standard way to do this? I'd be adding extra code to my webapp to support this, I'm not sure if there's a built-in way to do it already (I'm using java servlets).

谢谢

推荐答案

您可以使用

You can use container managed authentication using deployment descriptors. This requires no extra code in your side expect of a simple login form with an input and password field which submits to the URL j_security_check. Here's a basic example:

<form action="j_security_check" method="post">
    <input type="text" name="j_username">
    <input type="password" name="j_password">
    <input type="submit">
</form>

假设您在名为/private的文件夹中有私人页面，并且上面的登录页面位于/private/login.jsp中，然后将以下条目添加到Webapp的web.xml中:

Assuming that you've private pages in a folder named /private and the above login page is located in /private/login.jsp, then add the following entries to the webapp's web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Private</web-resource-name>
        <url-pattern>/private/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>friends</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Private</realm-name>
    <form-login-config>
        <form-login-page>/private/login.jsp</form-login-page>
        <form-error-page>/private/error.jsp</form-error-page>
    </form-login-config>
</login-config>

然后，在您使用的servlet容器中，需要为Private配置一个所谓的 Realm .由于不清楚您使用的是哪个servlet容器，因此下面是针对Tomcat 8.0的文档: Realm Configuration HOW-TO .您可以对其进行配置，以针对XML文件或数据库甚至是自定义位置来验证用户名/密码组合.

Then, in the servletcontainer which you're using you need to configure a so-called Realm for Private. Since it's unclear which servletcontainer you're using, here's a Tomcat 8.0 targeted document: Realm Configuration HOW-TO. You can configure it to verify the username/password combo against a XML file or a database or even a custom location.

一种完全不同的替代方法是在Filter的帮助下在本地扩展登录机制，该机制将检查会话范围内已登录用户的存在.参见此和此回答如何实现此目标.

A completely different alternative is to homegrow a login mechanism with help of a Filter which checks the presence of the logged-in user in the session scope. See this and this answer how to achieve this.

这篇关于仅将JSP/Servlet访问限制为特定用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！