Tomcat: Bypass basic Authentication for Specified IP Address


Problem description

I have configured Tomcat for basic authentication. I do not want anyone to have access to my web application, but the app is serving web services. So I want to bypass a specific IP address from basic authentication (that IP should not require authentication).

tomcat-users.xml:

<tomcat-users>
<user username="user" password="password" roles="user"/>
</tomcat-users>

web.xml:

<security-constraint>
<web-resource-collection>
  <web-resource-name>Entire Application</web-resource-name>
  <url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
  <role-name>user</role-name>
</auth-constraint>
</security-constraint>


<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>You must enter your login credentials to continue</realm-name>
</login-config>

<security-role>
   <description>
      The role that is required to log in to the Application
   </description>
   <role-name>user</role-name>
</security-role>

Thanks, Chetan.

Recommended answer

If you would like to allow only a few IP addresses and disallow everybody else, the Remote Address Filter Valve is what you need.

If you want clients from unknown IP addresses to see the basic login dialog and be able to log in, you need a custom Valve. The source of the RemoteAddrValve (and its parent class, RequestFilterValve) is a good starting point. Take a look at my former answer too.

Anyway, below is proof-of-concept code. It puts a filled Principal into the Request if the client is coming from a trusted IP, so the login module will not ask for the password. Otherwise it does not touch the Request object and the user can log in as usual.

import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletException;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.valves.ValveBase;

public class AutoLoginValve extends ValveBase {

    private String trustedIpAddress;

    public AutoLoginValve() {
    }

    @Override
    public void invoke(final Request request, final Response response) 
             throws IOException, ServletException {
        // Address of the directly connected peer, compared as an exact string.
        final String remoteAddr = request.getRemoteAddr();
        final boolean isTrustedIp = remoteAddr.equals(trustedIpAddress);
        System.out.println("remoteAddr: " + remoteAddr + ", trusted ip: " 
                + trustedIpAddress + ", isTrustedIp: " + isTrustedIp);
        if (isTrustedIp) {
            // Pre-populate the request with a principal holding the roles
            // that web.xml's auth-constraint requires.
            final String username = "myTrusedUser";
            final String credentials = "credentials";
            final List<String> roles = new ArrayList<String>();
            roles.add("user");
            roles.add("admin");

            final Principal principal = new GenericPrincipal(username, 
                credentials, roles);
            request.setUserPrincipal(principal);
        }

        // Always continue down the pipeline; untrusted clients reach the
        // normal BASIC login.
        getNext().invoke(request, response);
    }

    public void setTrustedIpAddress(final String trustedIpAddress) {
        System.out.println("setTrusedIpAddress " + trustedIpAddress);
        this.trustedIpAddress = trustedIpAddress;
    }

}

And a config example for server.xml:

<Valve className="autologinvalve.AutoLoginValve" 
    trustedIpAddress="127.0.0.1" />
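
As an added example (not part of the original answer), here is a matcher that the valve's invoke() could call in place of remoteAddr.equals(trustedIpAddress). It compares parsed address bytes, so a configured ::1 matches the 0:0:0:0:0:0:0:1 form that getRemoteAddr() reports for the IPv6 loopback, and it goes beyond the answer's single address by accepting a list that may contain CIDR blocks. The class name TrustedAddressMatcher and its methods are hypothetical; only the JDK is used.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example: hypothetical helper, not part of the answer's valve.
public class TrustedAddressMatcher {
    private static final String OCTET = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
    // Only strings shaped like IP literals reach InetAddress, so no hostname is resolved.
    private static final Pattern LITERAL = Pattern.compile(
            OCTET + "(\\." + OCTET + "){3}|[0-9a-fA-F]*:[0-9a-fA-F:.]*");
    private final List<byte[]> networks = new ArrayList<>();
    private final List<Integer> prefixBits = new ArrayList<>();
    // spec: comma-separated addresses or CIDR blocks, e.g. "127.0.0.1, ::1, 10.0.0.0/8"
    public TrustedAddressMatcher(String spec) throws UnknownHostException {
        for (String entry : spec.split(",")) {
            String[] parts = entry.trim().split("/", 2);
            byte[] net = parse(parts[0]);
            int bits = parts.length == 2 ? Integer.parseInt(parts[1]) : net.length * 8;
            if (bits < 0 || bits > net.length * 8) throw new IllegalArgumentException(entry);
            networks.add(net);
            prefixBits.add(bits);
        }
    }
    private static byte[] parse(String ip) throws UnknownHostException {
        if (ip == null || !LITERAL.matcher(ip).matches()) throw new UnknownHostException(ip);
        return InetAddress.getByName(ip).getAddress();
    }
    // Fails closed: a peer address that cannot be parsed is never trusted.
    public boolean isTrusted(String remoteAddr) {
        byte[] addr;
        try { addr = parse(remoteAddr); } catch (UnknownHostException e) { return false; }
        for (int n = 0; n < networks.size(); n++) {
            byte[] net = networks.get(n);
            if (addr.length != net.length) continue; // IPv4 entry vs IPv6 peer, or the reverse
            int i = 0, bits = prefixBits.get(n);
            while (i < bits && ((addr[i / 8] ^ net[i / 8]) & (0x80 >> (i % 8))) == 0) i++;
            if (i == bits) return true;
        }
        return false;
    }

    public static void main(String[] args) throws UnknownHostException {
        TrustedAddressMatcher m = new TrustedAddressMatcher("127.0.0.1, ::1, 10.0.0.0/8");
        // Constructed sample peers: IPv4, long-form IPv6 loopback, in-range, out-of-range, junk.
        for (String peer : new String[] {"127.0.0.1", "0:0:0:0:0:0:0:1", "10.20.30.40", "11.0.0.1", "x"})
            System.out.println(peer + " -> " + m.isTrusted(peer));
    }
}
```

getRemoteAddr() is the address of the directly connected peer, so behind a reverse proxy it is the proxy's address and every proxied client would inherit the trust. Give the auto-login principal only the roles the web service actually needs.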
