Tomcat container-managed security: a summary of the authentication methods

Source: Internet
Author: User
Tags: auth, base64, http authentication, md5, tomcat, apache tomcat

When protected resources on the server are accessed, container-managed authentication controls how users are authenticated. Tomcat supports four kinds of container-managed security, namely:

1. BASIC (basic authentication): HTTP authentication in which the browser sends the username and password as Base64-encoded text.

2. DIGEST (digest authentication): HTTP authentication in which the browser sends a digest computed from the username and password instead of the password itself.

3. FORM (form authentication): the username and password are supplied through an HTML form on a web page.

4. CLIENT-CERT (client certificate authentication): the user's identity is confirmed by a client certificate.

Basic authentication

When the auth-method element in web.xml is set to BASIC, the application uses basic authentication. Each time the browser requests a protected resource of the web application, Tomcat uses HTTP Basic authentication to ask the browser for a username and password (through a pop-up dialog). With this method every password travels over the network as Base64-encoded text, which is an encoding rather than an encryption.

First look at the project structure (I use Maven to manage dependencies):

Among these files, protect/protect.jsp is protected and requires authorized access.

Note: if Tomcat is started from Eclipse, the tomcat-users.xml and server.xml files mentioned in this article are found under the Tomcat entry of the Servers project in Eclipse, as shown in the figure:

The web.xml referred to in this article is the project's own web.xml, not the web.xml of the Servers project under Tomcat.
Xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>tomcat protect Page</web-resource-name>
    <!-- All resources under the /protect directory are protected -->
    <url-pattern>/protect/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- The role name here must match the role configured in tomcat-users.xml -->
    <role-name>member</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <!-- Authentication method; allowed values: "BASIC", "DIGEST", "FORM", "CLIENT-CERT" -->
  <auth-method>BASIC</auth-method>
  <!-- Realm name; note that it must not contain spaces -->
  <realm-name>myconstraints</realm-name>
</login-config>
 
tomcat-users.xml (note that if you start Tomcat from Eclipse, this is the tomcat-users.xml under the Servers project in Eclipse):

<role rolename="member"/>
<!-- The member role has a user named Alvis whose password is pwd -->
<user username="Alvis" password="pwd" roles="member"/>

After restarting Tomcat, access a resource under the protect directory; the result is as shown:

Enter the account Alvis and the password pwd, and access succeeds (resources outside the protect directory can, of course, still be accessed directly):

Digest authentication

When the auth-method element in web.xml is set to DIGEST, the application uses digest authentication. Using the example above again, look at the configuration:

web.xml is the same as for basic authentication, with only auth-method changed to DIGEST, so it is not repeated here.

In server.xml, add the digest="MD5" attribute to the UserDatabaseRealm element (the same applies if Tomcat uses another realm):

Next, an MD5 password that Tomcat can recognize must be generated. There are two ways, as described on the official website:


Method one: generate it with code:

import org.apache.catalina.realm.RealmBase;

public class T {
    public static void main(String[] args) {
        // Parameter 1: string to digest; parameter 2: digest algorithm;
        // parameter 3: character encoding of the string (null = platform default).
        // RealmBase.Digest is the static helper shipped with Tomcat 7.0/8.0.
        String base = RealmBase.Digest("Alvis:MyConstraints:pwd", "MD5", null);
        System.out.println(base);
    }
}

Because the RealmBase class lives in catalina.jar, if the class is not on the project's classpath you can right-click the project --> Java Build Path --> Libraries --> Add Library --> Server Runtime --> Apache Tomcat v8.0 (v7.0 also works), as shown in the figure:

Method two: generate it with the script:

There is a digest.sh (Linux) or digest.bat (Windows) script in the Tomcat bin directory. Run this script, passing in the digest algorithm and the parameter; here I run it on Windows, as shown:

Here -a specifies the digest algorithm, MD5. Pay special attention to the parameter, which has the form {username}:{realm name}:{plaintext password}. The username is the <user> name configured in tomcat-users.xml (Alvis), the realm name is the <realm-name> configured in web.xml (here myconstraints), and the password is the plaintext password the user logs in with (I set it to pwd). The realm name must be reproduced exactly as it appears in web.xml, including case, because it is part of the string being digested.

Only a password digested from a parameter in this format is valid when configured in tomcat-users.xml; otherwise the login fails. Because I was following the steps in the "Tomcat Definitive Guide (Second Edition)", I tried for a long time without understanding why I could not log in, until I found the following description on the official website:


In effect, if you use DIGEST authentication, the plaintext used to generate the digest must be replaced with this format. Practice proves the truth: reading alone is not enough, hands-on practice is what counts.

The generated password is then configured in tomcat-users.xml (the screenshot below lets you compare the password generated by the code with the one generated by the digest.bat script above):

After restarting Tomcat, the effect is naturally the same as with basic authentication.
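The digest procedure above (digest the string username:realm:password, paste the result into tomcat-users.xml) can be reproduced without Tomcat. The following Python is an added example, not code from the post or from Tomcat; the function names are my own, and the values Alvis, MyConstraints, pwd and member are the ones used in the article. It also shows the two failure modes the post ran into: digesting only the password, and a realm name that does not match web.xml exactly.

```python
import hashlib
import hmac

# Added example (not from the original post or from Tomcat): computes the
# same value as "digest -a MD5 {username}:{realm}:{password}", which is what
# tomcat-users.xml must hold when the Realm in server.xml has digest="MD5".


def tomcat_digest_md5(username: str, realm: str, password: str) -> str:
    """MD5 over the exact string username:realm:password, as lowercase hex."""
    material = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(material).hexdigest()


def tomcat_user_element(username: str, realm: str, password: str, role: str) -> str:
    """The <user> line to put in tomcat-users.xml for DIGEST authentication."""
    digest = tomcat_digest_md5(username, realm, password)
    return f'<user username="{username}" password="{digest}" roles="{role}"/>'


def stored_digest_matches(stored: str, username: str, realm: str, password: str) -> bool:
    """Check a candidate (username, realm, password) against a stored digest.

    compare_digest runs in constant time, so a mismatch does not leak how
    many leading characters agreed.
    """
    return hmac.compare_digest(stored.lower(), tomcat_digest_md5(username, realm, password))


if __name__ == "__main__":
    # Constructed sample using the post's values. The realm must be copied
    # exactly (including case) from <realm-name> in web.xml.
    stored = tomcat_digest_md5("Alvis", "MyConstraints", "pwd")
    print(tomcat_user_element("Alvis", "MyConstraints", "pwd", "member"))
    print(stored_digest_matches(stored, "Alvis", "MyConstraints", "pwd"))   # True
    print(stored_digest_matches(stored, "Alvis", "myconstraints", "pwd"))   # False: realm case differs
    # Digesting only the password (the mistake described above) does not match:
    print(hmac.compare_digest(stored, hashlib.md5(b"pwd").hexdigest()))     # False
```

The printed <user> line should equal, character for character, the one produced by digest.bat and by the Java program above for the same three inputs; if it does not, one of the three parts (most often the realm name) was typed differently somewhere.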

Form authentication

When the auth-method element in web.xml is set to FORM, the application uses form authentication. When a user requests a protected resource of the web application, form authentication redirects to the configured login page. A page for failed logins is also needed. Using the example above again, look at the configuration:

Xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>tomcat member Part</web-resource-name>
    <url-pattern>/protect/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>MyConstraints</realm-name>
  <form-login-config>
    <form-login-page>/form/login.html</form-login-page>
    <form-error-page>/form/error.html</form-error-page>
  </form-login-config>
</login-config>

Here form/login.html is the login page and form/error.html is the page the user is sent to when authentication fails (both pages appear in the project structure diagram above).

login.html

<body>
  <form method="POST" action="j_security_check" name="loginForm">
    <input type="text" name="j_username"/><br>
    <input type="password" name="j_password"/><br>
    <input type="submit" value="Login"/>
  </form>
</body>

Note: the form action "j_security_check", the account field name "j_username" and the password field name "j_password" are fixed names and must not be changed; otherwise the configured authentication rules will not work.

In server.xml, remove the digest="MD5" attribute that was added to the realm:

Store the password in clear text in tomcat-users.xml:

Effect (the login page appears only when accessing resources under the protect directory):

Enter a wrong account or password and you are redirected to the form/error.html page:

Enter the correct account and password and you are redirected to the protected page:

Client certificate authentication

To be continued.

Demo download:

Link: http://pan.baidu.com/s/1gfnqVdT Password: PUBW

Reference page:

https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html
