Protected resource
test.jsp
<%@ page import="org.apache.tomcat.util.codec.binary.Base64" %>
<%@ page language="java" import="java.util.*" %>
<%
    // Echo every request header so the incoming Authorization header can be inspected
    Enumeration headerNames = request.getHeaderNames();
    while (headerNames.hasMoreElements()) {
        String headerName = (String) headerNames.nextElement();
        String headerValue = request.getHeader(headerName);
        out.println(headerName + ": " + headerValue + "<br/>");
    }
    out.println("<hr/>");
    // Decode the "Basic <base64>" value. The container has already enforced the
    // constraint, but guard against a missing or malformed header anyway.
    String authHeader = request.getHeader("authorization");
    if (authHeader != null && authHeader.split(" ").length > 1) {
        String encodedValue = authHeader.split(" ")[1];
        // Base64 is only an encoding: this prints "username:password" in clear text
        out.println(new String(Base64.decodeBase64(encodedValue)));
    }
%>
Basic authentication configuration in web.xml
<security-constraint>
    <display-name>Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Which paths require authentication; /* means every path in this application -->
        <url-pattern>/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>tomcat</role-name>
        <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <!-- Authentication method: BASIC -->
    <auth-method>BASIC</auth-method>
    <realm-name>not login yet</realm-name>
</login-config>
<!-- End of Basic authentication configuration -->
Application server: Tomcat (tomcat-users.xml)
<tomcat-users>
    <role rolename="tomcat"/>
    <role rolename="manager"/>
    <user username="tomcat" password="123456" roles="tomcat"/>
    <user username="both" password="123456" roles="tomcat,manager"/>
    <user username="manager" password="123456" roles="manager"/>
</tomcat-users>
Test tool: Postman
Test scenario 1:
Direct access: http://localhost:8080/testweb01/test.jsp
Result: 401 returned
Test scenario 2: add the username and password to the request URL
http://tomcat:123456@localhost:8080/testweb01/test.jsp
Result: 200, the protected resource is returned.
When Postman requests http://tomcat:123456@localhost:8080/testweb01/test.jsp, the request captured with Fiddler is as follows:
Testing with curl
Testing with JavaScript
Change the URL pattern of the protected resource:
<web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Which paths require authentication; /* would mean every path in this application -->
    <url-pattern>/test.jsp</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
</web-resource-collection>
Create a new HTML file
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Insert title here</title>
    <script type="text/javascript">
        function getXmlHttpObject() {
            var xmlHttp = null;
            try {
                // Firefox, Opera 8.0+, Safari
                xmlHttp = new XMLHttpRequest();
            } catch (e) {
                // Internet Explorer
                try {
                    xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
                } catch (e2) {
                    xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
                }
            }
            return xmlHttp;
        }

        var req;

        function send() {
            // First obtain an XmlHttp object; how it is obtained differs between browsers.
            req = getXmlHttpObject();
            // URL of the request sent to the server, with the credentials embedded
            var url = "http://tomcat:123456@localhost:8080/testweb01/test.jsp";
            // The handler below runs on every readyState change
            req.onreadystatechange = function () {
                // readyState == 4 means the request has completed and the response can be read
                if (req.readyState == 4) {
                    // status is the HTTP status code: 200 means OK, 404 means not found, 500 means server error, and so on
                    if (req.status == 200) {
                        // Read the data returned by the server
                        var msg = req.responseText;
                        alert(msg);
                    }
                }
            };
            req.open("GET", url, true);
            req.send(null);
        }
    </script>
</head>
<body>
    <button onclick="send()">Send</button>
</body>
</html>
Click the [Send] button; the browser request captured:
Fiddler capture
About HTTP Basic authentication:
http://huangqiqing123.iteye.com/blog/2410417