How do I use Form Authentication with Tomcat?

   web.xml

   

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="tomcat-demo" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
	<servlet>
		<servlet-name>TestServlet</servlet-name>
		<servlet-class>test.TestServlet</servlet-class>
	</servlet>
	<servlet-mapping>
		<servlet-name>TestServlet</servlet-name>
		<url-pattern>/test</url-pattern>
	</servlet-mapping>

	<security-constraint>
		<web-resource-collection>
			<web-resource-name>TestServlet requires authentication</web-resource-name>
			<url-pattern>/test</url-pattern>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>

		<auth-constraint>
			<role-name>tomcat</role-name>
		</auth-constraint>

		<user-data-constraint>
			<!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
			<transport-guarantee>NONE</transport-guarantee>
		</user-data-constraint>
	</security-constraint>

	<login-config>
                                <!-- BASIC,DIGEST,FORM,CLIENT-CERT-->
		<auth-method>FORM</auth-method>
		<form-login-config>
			<form-login-page>/login.html</form-login-page>
			<form-error-page>/login-failed.html</form-error-page>
		</form-login-config>
	</login-config>
</web-app>

 

  

    注：transport-guarantee的值为CONFIDENTIAL,INTEGRAL时，需要配置ssl.

 

    login.html

 

<form method="POST" action="j_security_check">
<table>
	<tr>
		<td colspan="2">Login to the Tomcat-Demo application:</td>
	</tr>
	<tr>
		<td>Name:</td>
		<td><input type="text" name="j_username" /></td>
	</tr>
	<tr>
		<td>Password:</td>
		<td><input type="password" name="j_password"/ ></td>
	</tr>
	<tr>
		<td colspan="2"><input type="submit" value="Go" /></td>
	</tr>
</table>
</form>

 

  

    login-failed.html

   

<p>
Sorry, login failed!
</p>

 

   TestServlet.java

  

package test;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class TestServlet extends HttpServlet {

	private static final long serialVersionUID = 1L;

	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
		response.setContentType("text/html");
		PrintWriter out = response.getWriter();

		out.println("Welcome '" + request.getRemoteUser() + "'");
		out.println("<br/><hr/>");

		Enumeration headerNames = request.getHeaderNames();
		while (headerNames.hasMoreElements()) {
			String headerName = (String) headerNames.nextElement();
			out.print("Header Name: <em>" + headerName);
			String headerValue = request.getHeader(headerName);
			out.print("</em>, Header Value: <em>" + headerValue);
			out.println("</em><br/>");
		}

		out.println("<br/><hr/>");
		out.println("<a href=\"logout.jsp\">Click here to log out</a>");
	}
}

 

  另：这种方式是验证是基于tomcat-users.xml，当然也可以继承org.apache.catalina.realm.DataSourceRealm.DataSourceRealm 

 

   说明：j_security_check正确的说应该是JAAS验证，原理是当用户在java程序中（正确的说通过JVM）通过网络或者IO的方式访问资源时，JVM会使用java.security.manager或者其他 java验证的类做代理去访问。在访问之前jvm会检验访问者是否有权访问。那么如何确认用户是否有权访问呢？jvm会通过 java.security.policy类查找授权用户的权限。

 

 

   参考：http://apps.hi.baidu.com/share/detail/963439

            http://download.oracle.com/javase/1.5.0/docs/guide/security/jaas/JAASRefGuide.html