Tomcat 7 - Secure a folder under webapps folder


Problem description

My web application is 'myweb'. Within this web app my code refers to '123.pdf' under the 'files' folder, like http://localhost:8080/files/123.pdf

   webapps  
   |  
   |--myweb  
   |  
   |--files  
       |  
       |--123.pdf  

I want the resource (123.pdf) available only for logged-in users. When I try to access it directly by pasting (http://localhost:8080/files/123.pdf) in the browser address bar, without logging into the portal, I could access the file.

Basically I want to secure the 'files' folder under 'webapps', so that only authenticated users in portal could access resources under 'files' folder. How can I achieve this?

Recommended answer

I found a way to solve this problem. This is what I came up with,

1) Convert 'files' folder to a web application and make files (say pdf) secured by using tomcat's FORM based authentication

2) After getting authenticated to 'myweb' - here authentication is not tomcat container based, it's based on spring & hibernate -

asynchronously invoke a servlet (PopulateServlet.java) in 'files' web app from '/myweb/customerhomepage.jsp' and set tomcat role username & pwd in 'files' web app session

whenever there is a request to protected pdf under 'files' web app, login.jsp will be invoked - in this jsp populate hidden j_username & j_password fields from session object which was already populated by PopulateServlet. Using jquery ajax, the html form will be submitted to tomcat for resource authentication.

'files' web app changes:

Create new role and user name and password
/conf/tomcat-users.xml

    <role rolename="tomcat"/>
    <user username="tomcat" password="tomcat" roles="tomcat"/>

Create WEB-INF/web.xml

    <servlet>
      <servlet-name>Populate</servlet-name>
      <servlet-class>PopulateServlet</servlet-class>
    </servlet>
    <servlet-mapping>
      <servlet-name>Populate</servlet-name>
      <url-pattern>/Populate</url-pattern>
    </servlet-mapping>

    <servlet>
      <servlet-name>Logout</servlet-name>
      <servlet-class>LogOutServlet</servlet-class> <!-- in this servlet, call session.invalidate() -->
    </servlet>
    <servlet-mapping>
      <servlet-name>Logout</servlet-name>
      <url-pattern>/Logout</url-pattern>
    </servlet-mapping>

    <security-constraint>
      <display-name>Security Constraint</display-name>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/jsp/security/protected/*</url-pattern>
        <url-pattern>*.pdf</url-pattern>

        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>tomcat</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/jsp/security/protected/login.jsp</form-login-page>
        <form-error-page>/jsp/security/protected/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

    <!-- Security roles referenced by this web application -->
    <security-role>
      <role-name>tomcat</role-name>
    </security-role>

Under /files/jsp/security/protected/

login.jsp

    <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
    <script type="text/javascript">
    $(document).ready(function() {
        $("#secure").submit();
    });
    </script>
    ...
    <form method="POST" action='<%= response.encodeURL("j_security_check") %>' name="secure" id="secure">
    <input type="hidden" name="j_username" value='<%=session.getAttribute("j_username")%>' />
    <input type="hidden" name="j_password" value='<%=session.getAttribute("j_password")%>' />
    </form>
    ...

PopulateServlet.java

    HttpSession session = request.getSession(true);
    session.setAttribute("j_username","tomcat");
    session.setAttribute("j_password","tomcat");

'myweb' web app changes: customerhomepage.jsp

    $.get('/files/Populate?ts='+new Date().getMilliseconds());
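
Added example (not part of the original answer, and not Tomcat code): the `<web-resource-collection>` in the `web.xml` above lists four `<http-method>` elements, and under the Servlet specification a constraint with a method list applies only to the listed methods. The Python sketch below parses a constructed copy of that constraint, reports which standard methods it leaves uncovered, and shows that dropping the list covers all of them. `audit_constraints` and `drop_method_lists` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's <security-constraint>, wrapped in a root element.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/jsp/security/protected/*</url-pattern>
      <url-pattern>*.pdf</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Standard methods checked here; a method list also leaves extension methods uncovered.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

def _local(tag):
    """Strip an XML namespace so namespaced web.xml files also match."""
    return tag.rsplit("}", 1)[-1]

def _texts(parent, name):
    return [(e.text or "").strip() for e in parent if _local(e.tag) == name]

def audit_constraints(xml_text):
    """Per web-resource-collection, list the methods its constraint does not cover."""
    findings = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        requires_auth = any(_local(e.tag) == "auth-constraint" for e in sc)
        for wrc in (e for e in sc if _local(e.tag) == "web-resource-collection"):
            listed = {m.upper() for m in _texts(wrc, "http-method")}
            omitted = {m.upper() for m in _texts(wrc, "http-method-omission")}
            # A method list covers only those methods; an omission list uncovers them.
            uncovered = (STANDARD_METHODS - listed) if listed else omitted
            findings.append({"patterns": _texts(wrc, "url-pattern"),
                             "requires_auth": requires_auth,
                             "uncovered": sorted(uncovered)})
    return findings

def drop_method_lists(xml_text):
    """Return the XML with every <http-method> removed, so all methods are covered."""
    root = ET.fromstring(xml_text)
    for wrc in [e for e in root.iter() if _local(e.tag) == "web-resource-collection"]:
        for m in [e for e in wrc if _local(e.tag) == "http-method"]:
            wrc.remove(m)
    return ET.tostring(root, encoding="unicode")
```

Run against a real `WEB-INF/web.xml`, an empty `uncovered` list for the `*.pdf` pattern means the role check applies to every request method.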
