Restrict JSP/Servlet access to specific users only


Problem description

I'm developing a web app. I'd like to be able to let some friends see it, but not others that stumble upon the URL. I was going to put a landing page and then a simple password box. Once the correct password is entered, I'd just record it in the session and expose the site as usual for the rest of the time they keep the browser open.

Is there a standard way to do this? I'd be adding extra code to my webapp to support this, I'm not sure if there's a built-in way to do it already (I'm using Java servlets).

Thanks

Recommended answer

You can use container managed authentication using deployment descriptors. This requires no extra code on your side except for a simple login form with an input and password field which submits to the URL j_security_check. Here's a basic example:

<form action="j_security_check" method="post">
    <input type="text" name="j_username">
    <input type="password" name="j_password">
    <input type="submit">
</form>

Assuming that you have private pages in a folder named /private and the above login page is located in /private/login.jsp, then add the following entries to the webapp's web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Private</web-resource-name>
        <url-pattern>/private/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>friends</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Private</realm-name>
    <form-login-config>
        <form-login-page>/private/login.jsp</form-login-page>
        <form-error-page>/private/error.jsp</form-error-page>
    </form-login-config>
</login-config>

Then, in the servletcontainer which you're using you need to configure a so-called Realm for Private. Since it's unclear which servletcontainer you're using, here's a Tomcat 8.0 targeted document: Realm Configuration HOW-TO. You can configure it to verify the username/password combo against an XML file or a database or even a custom location.

A completely different alternative is to homegrow a login mechanism with help of a Filter which checks the presence of the logged-in user in the session scope. See this and this answer for how to achieve this.
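The Filter alternative mentioned at the end of the answer, as an added example (not code from the answer or the answers it links to). The class name, the `user` session attribute, the `/login.jsp` and `/private/login` paths and the `FRIENDS_PASSWORD` environment variable are all assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*; // javax.* namespace (Tomcat 8/9); Tomcat 10+ uses jakarta.*
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example. Assumed layout: /login.jsp sits outside /private and posts a single
// "password" field to /private/login; every other request under /private is gated.
@WebFilter("/private/*")
public class FriendsOnlyFilter implements Filter {
    private byte[] expected; // shared password, loaded once at startup

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Assumption: the password is supplied via the FRIENDS_PASSWORD environment variable.
        String pw = System.getenv("FRIENDS_PASSWORD");
        if (pw == null || pw.isEmpty()) throw new ServletException("FRIENDS_PASSWORD not set");
        expected = pw.getBytes(StandardCharsets.UTF_8);
    }

    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String ctx = request.getContextPath();
        HttpSession session = request.getSession(false); // no session for anonymous visitors
        if (session != null && session.getAttribute("user") != null) {
            response.setHeader("Cache-Control", "no-store"); // keep private pages out of caches
            chain.doFilter(req, res);
            return;
        }
        String given = request.getParameter("password");
        boolean loginPost = "POST".equals(request.getMethod())
                && request.getRequestURI().equals(ctx + "/private/login");
        if (loginPost && given != null // constant-time comparison of the submitted password
                && MessageDigest.isEqual(expected, given.getBytes(StandardCharsets.UTF_8))) {
            request.getSession(true);
            request.changeSessionId(); // Servlet 3.1+: fresh ID on login blocks session fixation
            request.getSession().setAttribute("user", "friend");
            response.sendRedirect(ctx + "/private/");
            return;
        }
        response.sendRedirect(ctx + "/login.jsp"); // default: deny and send to the login page
    }
}
```

Anything that is not an exact match for the login POST falls through to the redirect, so an unexpected URL form is denied rather than exempted. As with the FORM login above, the password travels in the request body, so the login page and `/private/*` should only be served over HTTPS.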
