
Tomcat security authentication

1. Create the login form usercheck.jsp and the error page error.jsp. In the form, the username text field must be named j_username, the password field must be named j_password, and the form's action must be j_security_check.

2. Add the following inside <web-app></web-app> in web.xml:

        <security-role>
            <description>Baron's role to log in administration application</description>
            <role-name>admin</role-name>
        </security-role>
        <security-constraint>
            <display-name>Baron security-constraint!</display-name>
            <web-resource-collection>
                <web-resource-name>Baron Protected Area</web-resource-name>
                <url-pattern>*.jsp</url-pattern>
                <url-pattern>*.htm</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>admin</role-name>
            </auth-constraint>
        </security-constraint>
        <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>BaronRealm</realm-name>
            <form-login-config>
                <form-login-page>/usercheck.jsp</form-login-page>
                <form-error-page>/error.jsp</form-error-page>
            </form-login-config>
        </login-config>

To protect every web resource in the application, change the url-pattern as follows:

<url-pattern>/*</url-pattern>

To limit the protection to particular HTTP methods, add the following inside <web-resource-collection></web-resource-collection>:

<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>

The above is form-based authentication. To switch to basic authentication (insecure), change the login-config as follows:

<login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>BaronRealm</realm-name>
</login-config>

To switch to digest authentication, change it as follows:

<login-config>
        <auth-method>DIGEST</auth-method>
        <realm-name>BaronRealm</realm-name>
</login-config>
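The constraint, the HTTP method list and the login-config variants above can be checked mechanically. The Python script below is an added example, not code from the original post or from Tomcat. It parses two constructed web.xml fragments modelled on the page's configuration (one with the explicit <http-method> list, extension-only url-patterns and BASIC login; one with /*, no method list, FORM login and a CONFIDENTIAL transport guarantee) and reports the three things a reviewer looks for: listing <http-method> entries constrains only those methods, so HEAD, OPTIONS and TRACE would reach the resources without the auth-constraint being applied; *.jsp and *.htm patterns leave other files in the same directories unprotected (the page's /* variant fixes that); and BASIC or FORM login without <transport-guarantee>CONFIDENTIAL</transport-guarantee> sends the password in the clear over HTTP. Element and method names are the servlet specification's; the sample documents and the finding codes are constructed for this example.

```python
"""Static checks for the <security-constraint> / <login-config> blocks of a web.xml.

Added example (not from the original post). It parses constructed web.xml
fragments modelled on the page's configuration and reports settings that
weaken the container-managed authentication the post sets up.
"""
import xml.etree.ElementTree as ET

# Methods a servlet container routes. When a <web-resource-collection> lists
# <http-method> entries explicitly, only those methods are constrained; any
# method not listed reaches the resource without an auth-constraint check.
ALL_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed sample: the page's constraint with the explicit method list,
# extension-only url-patterns and BASIC auth with no transport guarantee.
WEAK_WEB_XML = """<web-app>
  <security-role><role-name>admin</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Baron Protected Area</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>*.htm</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BaronRealm</realm-name>
  </login-config>
</web-app>
"""

# Constructed hardened variant: whole context protected, no method list,
# FORM login and a CONFIDENTIAL transport guarantee (HTTPS only). It carries
# the Servlet 2.4 default namespace to show the checks ignore namespaces.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/usercheck.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/j2ee}."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in _children(elem, name)]


def check_web_xml(xml_text):
    """Return findings as (code, web-resource-name, detail) tuples; [] means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    auth_methods = [m.upper() for lc in _children(root, "login-config")
                    for m in _texts(lc, "auth-method")]
    cleartext_login = any(m in ("BASIC", "FORM") for m in auth_methods)

    for sc in _children(root, "security-constraint"):
        has_auth = bool(_children(sc, "auth-constraint"))
        guarantees = [g.upper() for udc in _children(sc, "user-data-constraint")
                      for g in _texts(udc, "transport-guarantee")]
        for wrc in _children(sc, "web-resource-collection"):
            name = (_texts(wrc, "web-resource-name") or ["<unnamed>"])[0]
            listed = {m.upper() for m in _texts(wrc, "http-method")}
            if listed and ALL_METHODS - listed:
                findings.append(("METHOD_GAP", name, ", ".join(sorted(ALL_METHODS - listed))))
            for pattern in _texts(wrc, "url-pattern"):
                # *.jsp protects only that extension; other files under the
                # same paths stay reachable without logging in.
                if pattern.startswith("*."):
                    findings.append(("EXTENSION_PATTERN", name, pattern))
            if not has_auth:
                findings.append(("NO_AUTH_CONSTRAINT", name, ""))
            # BASIC and FORM both carry the password in the request; only a
            # CONFIDENTIAL guarantee forces it onto HTTPS.
            if cleartext_login and "CONFIDENTIAL" not in guarantees:
                findings.append(("CLEARTEXT_CREDENTIALS", name, "/".join(auth_methods)))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, check_web_xml(doc) or "no findings")
```

Running the script prints four findings for the weak document and none for the hardened one. Removing the <http-method> list is the usual fix for the method gap: a constraint without any http-method element applies to every method.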

3. 1) Memory realm authentication, i.e. login details are checked against the definitions in tomcat-users.xml.

Add the roles and users to tomcat-users.xml as follows:

<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="admin"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="baron" password="baron" roles="admin"/>
</tomcat-users>

Add the following inside <Context></Context> in server.xml:

<Realm className="org.apache.catalina.realm.MemoryRealm"/>

2) DataSource realm authentication

  1. Create a database, for example guard, then create a user table users with the columns user_name and user_password, and a role table user_roles with the columns user_name and role_name.
  2. Copy the SQL Server JDBC driver to <CATALINA_HOME>/common/lib.
  3. Add <Resource> and <ResourceParams> elements under the <GlobalNamingResources> element in server.xml:

<Resource auth="Container" name="jdbc/BaronDB" type="javax.sql.DataSource"/>
<ResourceParams name="jdbc/BaronDB">
    <parameter>
        <name>factory</name>
        <value>org.apache.commons.dbcp.BasicDataSourceFactory</value>
    </parameter>
    <parameter>
        <name>url</name>
        <value>jdbc:microsoft:sqlserver://localhost:1433;DatabaseName=guard</value>
    </parameter>
    <parameter>
        <name>password</name>
        <value>229</value>
    </parameter>
    <parameter>
        <name>maxWait</name>
        <value>10000</value>
    </parameter>
    <parameter>
        <name>maxActive</name>
        <value>100</value>
    </parameter>
    <parameter>
        <name>driverClassName</name>
        <value>com.microsoft.jdbc.sqlserver.SQLServerDriver</value>
    </parameter>
    <parameter>
        <name>username</name>
        <value>sa</value>
    </parameter>
    <parameter>
        <name>maxIdle</name>
        <value>30</value>
    </parameter>
</ResourceParams>

  4. Add a <Realm> element to the <Context> element of the web application in server.xml:

<Realm className="org.apache.catalina.realm.DataSourceRealm"
       debug="99"
       dataSourceName="jdbc/BaronDB"
       userTable="b_users" userNameCol="user_name" userCredCol="user_password"
       userRoleTable="b_user_roles" roleNameCol="role_name"/>

       * There is no need to add a <resource-ref> declaration for the DataSource in web.xml.
       * Calling request.getRemoteUser() in a page returns the name of the currently logged-in user.
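The table layout that step 1 describes and the lookups the Realm performs, as an added Python example that is not part of the original post and not Tomcat's own code. It uses the table and column names from the <Realm> element above (b_users, b_user_roles, user_name, user_password, role_name; step 1 names the tables users and user_roles, so whichever side you change, keep the two in step), builds them in an in-memory SQLite database with constructed accounts mirroring the page's tomcat-users.xml, and runs the credential and role queries with bound parameters. It assumes the stored credential is a hex SHA-256 digest rather than the plaintext the page stores; on the Tomcat side that corresponds to adding digest="SHA-256" to the Realm so that a FORM or BASIC login is hashed before comparison.

```python
"""Table layout and lookups behind the page's DataSourceRealm settings.

Added example (not from the original post). Builds, in an in-memory SQLite
database, the two tables the page's <Realm> element names
(userTable="b_users", userRoleTable="b_user_roles") and runs the two queries
a DataSourceRealm issues: credential lookup by user name, then role lookup.
"""
import hashlib
import hmac
import sqlite3

# Column and table names follow the <Realm> attributes on the page.
SCHEMA = """
CREATE TABLE b_users (
    user_name     VARCHAR(32) NOT NULL PRIMARY KEY,
    user_password VARCHAR(64) NOT NULL
);
CREATE TABLE b_user_roles (
    user_name VARCHAR(32) NOT NULL REFERENCES b_users(user_name),
    role_name VARCHAR(32) NOT NULL,
    PRIMARY KEY (user_name, role_name)
);
"""

# Constructed accounts mirroring the page's tomcat-users.xml entries.
SAMPLE_USERS = {
    "baron": ("baron", ["admin"]),
    "both": ("tomcat", ["tomcat", "role1"]),
}


def digest(password):
    """Assumption: credentials are stored as lowercase hex SHA-256, the form a
    Tomcat Realm configured with digest="SHA-256" compares against."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def open_realm_db():
    """Create the realm tables in memory and load the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for user, (password, roles) in SAMPLE_USERS.items():
        conn.execute("INSERT INTO b_users (user_name, user_password) VALUES (?, ?)",
                     (user, digest(password)))
        conn.executemany("INSERT INTO b_user_roles (user_name, role_name) VALUES (?, ?)",
                         [(user, role) for role in roles])
    conn.commit()
    return conn


def authenticate(conn, user, password):
    """Return the user's sorted role list on success, None on failure.

    Mirrors the realm: SELECT userCredCol FROM userTable WHERE userNameCol = ?
    and then SELECT roleNameCol FROM userRoleTable WHERE userNameCol = ?.
    Bound parameters keep the submitted user name out of the SQL text, and the
    constant-time compare avoids leaking how much of the digest matched.
    """
    row = conn.execute("SELECT user_password FROM b_users WHERE user_name = ?",
                       (user,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], digest(password)):
        return None
    rows = conn.execute("SELECT role_name FROM b_user_roles WHERE user_name = ?",
                        (user,)).fetchall()
    return sorted(r[0] for r in rows)


def is_authorized(roles, constraint_roles):
    """The <auth-constraint> check: the user needs at least one of the listed roles."""
    return roles is not None and bool(set(roles) & set(constraint_roles))


if __name__ == "__main__":
    db = open_realm_db()
    for who, pw in (("baron", "baron"), ("both", "tomcat"), ("baron", "wrong")):
        roles = authenticate(db, who, pw)
        print(who, roles, "admin area:", is_authorized(roles, {"admin"}))
```

The realm only ever needs SELECT on these two tables. The ResourceParams above connect as sa with the password written into server.xml, which gives the web application full rights on the database server; a dedicated login limited to reading b_users and b_user_roles keeps a compromised application from reaching anything else.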

Posted on 2006-02-17 14:50 by 静夜思. Reads: 918. Comments: 0. Category: server

