Define a <security-constraint> outside of web.xml (e.g. server-wide)
Question
I would like to apply security constraints for all webapps deployed on a Tomcat7 server. To do this I have set up a Realm and Valve. My understanding is that the contents of context.xml get included for all apps deployed to a server - that part seems to work as I can add all manner of configuration and I see the effects as it gets included in the various deployed app contexts. It works wonderfully for enforcing consistency across web apps.
What doesn't seem to work is trying to define a security-constraint like the one below outside of web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>myServletWAR</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>my_role</role-name>
  </auth-constraint>
</security-constraint>
I'm doing it in context.xml between the Context tags. No complaints from Tomcat, but no security constraint is applied, e.g. I can hit the app without a password. With the constraint above in context.xml I see:
Aug 14, 2013 3:03:32 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Not subject to any constraint
...in the logs, and can get to the "protected" resource with no auth.
Moving the same constraint to a webapp's web.xml, of course, yields the expected constraint behaviour, but I need to ensure the constraint is applied consistently across all deployed apps on a given server.
Does security-constraint need to be inside of a web-app? If it does, how can I define a security-constraint across several (as yet deployed) web-apps if not in context.xml?
This is exactly what I am trying to set up, but I want to enforce the constraint outside (above) web.xml. Again, so that it will be consistent for the entire server.
I did see another similar question, but I'm trying to find a way to do this in Tomcat configuration without having to use the Servlet API from the code base (that is already written).
Thanks!
Recommended answer
The second after I posted my question I realized that:
$CATALINA_BASE/conf/web.xml
is the answer I was looking for.
Its root element, as one would expect, is web-app, and the contents get added to each deployed web app (like context.xml for each context). Adding the security-constraint worked.
I did have to re-start Tomcat (it doesn't auto deploy for changes in that file apparently), but that is not an issue as this shouldn't change in production.
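A static check for the setup described in this thread, as an added example that is not part of the original question or answer: it parses a web.xml document and reports whether a security-constraint binding a URL pattern to a role sits directly under a web-app root, which is where the constraint took effect for the poster, as opposed to under Context, where it was ignored. The sample file content and the function names are constructed for illustration; in practice the input would be the text of $CATALINA_BASE/conf/web.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample standing in for $CATALINA_BASE/conf/web.xml (not the poster's file).
SAMPLE_GLOBAL_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>myServletWAR</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>my_role</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    """Direct children of elem with the given local name, any namespace."""
    return [c for c in elem if local(c.tag) == name]

def constraints(xml_text):
    """Return (root tag, [(url patterns, roles)]) for constraints under the root."""
    root = ET.fromstring(xml_text)
    found = []
    for sc in children(root, "security-constraint"):
        patterns = [(p.text or "").strip()
                    for wrc in children(sc, "web-resource-collection")
                    for p in children(wrc, "url-pattern")]
        roles = [(r.text or "").strip()
                 for ac in children(sc, "auth-constraint")
                 for r in children(ac, "role-name")]
        found.append((patterns, roles))
    return local(root.tag), found

def is_enforced(xml_text, pattern, role):
    """True only if the root is web-app and some constraint ties pattern to role."""
    root_tag, found = constraints(xml_text)
    return root_tag == "web-app" and any(
        pattern in pats and role in roles for pats, roles in found)

if __name__ == "__main__":
    print(is_enforced(SAMPLE_GLOBAL_WEB_XML, "*.jsp", "my_role"))
```

This only inspects the file on disk; the answer's point about restarting Tomcat still applies before the running server picks up a change.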