Tomcat starts from scratch (16) ----- tomcat security

 

Servlet

    SecurityCollection securityCollection = new SecurityCollection();    securityCollection.addPattern("/");    securityCollection.addMethod("GET");    SecurityConstraint constraint = new SecurityConstraint();    constraint.addCollection(securityCollection);    constraint.addAuthRole("manager");    LoginConfig loginConfig = new LoginConfig();    loginConfig.setRealmName("Realm");        Realm realm = new SimpleRealm();    context.setRealm(realm);    context.addConstraint(constraint);    context.setLoginConfig(loginConfig);

Let's take a look at the first line. After creating a securityCollection, addPattern () is used to set the url that requires security restrictions. Later addMethod does not explain much about--GET, POST. The subsequent section is to hand over the secuityCollection to constraint, and then set that only the Manager role can be accessed. Finally, it is associated with the container.

  private void createUserDatabase() {    User user1 = new User("Victory", "test");    user1.addRole("manager");    user1.addRole("programmer");    User user2 = new User("Mrc", "Chri");    user2.addRole("programmer");    users.add(user1);    users.add(user2);  }  class User {    public User(String username, String password) {      this.username = username;      this.password = password;    }    public String username;    public ArrayList roles = new ArrayList();    public String password;    public void addRole(String role) {      roles.add(role);    }    public ArrayList getRoles() {      return roles;    }  }

We will find that after createUserDatabase () is called in the default constructor of realm, this method creates a user and uses the internal class "user. I will not post all the code of this realm-this is done by checking the source code.

At the same time, we know that this authenticator is also a valve, So we naturally think of pipeline, and then naturally think that it should be written in ContextConfig. The added code is as follows:

  private synchronized void authenticatorConfig() {    // Does this Context require an Authenticator?    SecurityConstraint constraints[] = context.findConstraints();    if ((constraints == null) || (constraints.length == 0))      return;    LoginConfig loginConfig = context.getLoginConfig();    if (loginConfig == null) {      loginConfig = new LoginConfig("NONE", null, null, null);      context.setLoginConfig(loginConfig);    }    // Has an authenticator been configured already?    Pipeline pipeline = ((StandardContext) context).getPipeline();    if (pipeline != null) {      Valve basic = pipeline.getBasic();      if ((basic != null) && (basic instanceof Authenticator))        return;      Valve valves[] = pipeline.getValves();      for (int i = 0; i < valves.length; i++) {        if (valves[i] instanceof Authenticator)        return;      }    }    else { // no Pipeline, cannot install authenticator valve      return;    }    // Has a Realm been configured for us to authenticate against?    if (context.getRealm() == null) {      return;    }    // Identify the class name of the Valve we should configure    String authenticatorName = "org.apache.catalina.authenticator.BasicAuthenticator";    // Instantiate and install an Authenticator of the requested class    Valve authenticator = null;    try {      Class authenticatorClass = Class.forName(authenticatorName);      authenticator = (Valve) authenticatorClass.newInstance();      ((StandardContext) context).addValve(authenticator);      System.out.println("Added authenticator valve to Context");    }    catch (Throwable t) {    }  }

Of course, do not forget to call it in the lifecycleEvent method.

Another way to get the login account data is to read it through xml. The Code is as follows. Just change bootstrap and add a SimpleUserDatabaseRealm class. First look at the SimpleUserDatabaseRealm code

Public class SimpleUserDatabaseRealm extends RealmBase {protected UserDatabase = null; protected static final String name = "external"; protected String resourceName = "UserDatabase"; public Principal authenticate (String username, String credentials) {// check whether the User of this user name has User user = database. findUser (username); if (user = null) {return (null);} boolean validated = false; If (hasMessageDigest () {validated = (digest (credentials ). equalsIgnoreCase (user. getPassword ();} else {validated = (digest (credentials ). equals (user. getPassword ();} if (! Validated) {return null;} ArrayList combined = new ArrayList (); Iterator roles = user. getRoles (); while (roles. hasNext () {Role role = (Role) roles. next (); String rolename = role. getRolename (); if (! Combined. contains (rolename) {combined. add (rolename) ;}} Iterator groups = user. getGroups (); while (groups. hasNext () {Group group = (Group) groups. next (); roles = group. getRoles (); while (roles. hasNext () {Role role = (Role) roles. next (); String rolename = role. getRolename (); if (! Combined. contains (rolename) {combined. add (rolename) ;}}return (new GenericPrincipal (this, user. getUsername (), user. getPassword (), combined);} protected Principal getPrincipal (String username) {return (null);} protected String getPassword (String username) {return null;} protected String getName () {return this. name;} public void createDatabase (String path) {database = new MemoryUserDatabase (name); (MemoryUserDatabase) database ). setPathname (path); try {database. open () ;}catch (Exception e ){}}}

Bootstrap.

    SecurityConstraint constraint = new SecurityConstraint();    constraint.addCollection(securityCollection);    constraint.addAuthRole("manager");    LoginConfig loginConfig = new LoginConfig();    loginConfig.setRealmName("Simple User Database Realm");    // add realm    Realm realm = new SimpleUserDatabaseRealm();    ((SimpleUserDatabaseRealm) realm).createDatabase("conf/tomcat-users.xml");    context.setRealm(realm);    context.addConstraint(constraint);    context.setLoginConfig(loginConfig);

I believe this does not need to say much, look at the code found to access the conf/tomcat-users.xml this file to obtain the account, so as to verify.

The xml file content is as follows:

<?xml version='1.0' encoding='utf-8'?><tomcat-users>  <role rolename="tomcat"/>  <role rolename="programmer"/>  <role rolename="manager"/>  <role rolename="admin"/>  <user username="tomcat" password="tomcat" roles="tomcat"/>  <user username="victory" password="tomcat" roles="programmer"/>  <user username="both" password="tomcat" roles="tomcat,programmer"/>  <user username="admin" password="password" roles="admin,manager"/></tomcat-users>