http basic 认证 测试

 受保护资源

test.jsp

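<%@page import="org.apache.tomcat.util.codec.binary.Base64"%>
<%@page language="java" import="java.util.*" %>
<%!
    // Escape the HTML-significant characters so request-controlled header
    // values cannot inject markup into this debug page. Returns "" for null.
    private static String esc(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
%>
<%
    // Debug page for the BASIC test: dump every request header, then show the
    // decoded Authorization credential. Header names and values are attacker
    // controlled, so they are escaped before being written into the response.
    Enumeration headerNames = request.getHeaderNames();
    while (headerNames.hasMoreElements()) {
        String headerName = (String) headerNames.nextElement();
        String headerValue = request.getHeader(headerName);
        out.println(esc(headerName) + ": " + esc(headerValue) + "<br/>");
    }

    out.println("<hr/>");

    String authHeader = request.getHeader("authorization");
    // The original authHeader.split(" ")[1] threw NullPointerException when the
    // header was absent and ArrayIndexOutOfBoundsException on a bare "Basic"
    // token; only the Basic scheme is decodable here, so anything else is reported.
    if (authHeader == null || !authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
        out.println("no Basic authorization header");
    } else {
        String encodedValue = authHeader.substring(6).trim();
        // Explicit charset: new String(byte[]) would use the platform default.
        String decoded = new String(Base64.decodeBase64(encodedValue),
                                    java.nio.charset.StandardCharsets.UTF_8);
        // Do not echo the plaintext password back in the response body; the
        // user part is enough to show that the header was decoded.
        int colon = decoded.indexOf(':');
        String shown = colon < 0 ? decoded : decoded.substring(0, colon) + ":****";
        out.println(esc(shown));
    }
%>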

web.xml basic相关配置

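    <security-constraint>
        <display-name>Security Constraint</display-name>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <!-- Which paths require authentication; /* means every path in this application. -->
            <url-pattern>/*</url-pattern>
            <!-- Deliberately no <http-method> list. When methods are enumerated
                 (the original listed DELETE/GET/POST/PUT) only those methods are
                 constrained and every other verb (HEAD, OPTIONS, TRACE, PATCH, ...)
                 reaches the resource without authentication. An empty list
                 constrains all methods. -->
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
            <role-name>manager</role-name>
        </auth-constraint>
        <!-- BASIC sends the credential base64-encoded, not encrypted. Outside this
             localhost test add a <user-data-constraint> with
             <transport-guarantee>CONFIDENTIAL</transport-guarantee> so the client
             is moved to HTTPS before it is prompted for a password. -->
    </security-constraint>
    <login-config>
        <!-- Authentication method: BASIC -->
        <auth-method>BASIC</auth-method>
        <realm-name>not login yet</realm-name>
    </login-config>
    <!-- End of BASIC authentication configuration -->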

应用服务器 tomcat

<tomcat-users>
  <!-- Local test fixture only: every account shares one trivial password and
       the values are stored in clear text in this file. -->
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <user username="tomcat"  password="123456" roles="tomcat"/>
  <user username="manager" password="123456" roles="manager"/>
  <user username="both"    password="123456" roles="tomcat,manager"/>
</tomcat-users>

测试工具 postman

测试场景1:

直接访问:http://localhost:8080/testweb01/test.jsp

结果: 返回401



 

测试场景2,请求url中添加账号密码信息

http://tomcat:123456@localhost:8080/testweb01/test.jsp

结果:200,成功访问到受保护资源。



 

postman访问http://tomcat:123456@localhost:8080/testweb01/test.jsp时,通过Fiddler工具抓包信息如下:



 

 使用curl测试



 

使用javascript测试

修改受保护资源匹配url:

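<web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <!-- Which paths require authentication; only test.jsp in this variant. -->
            <url-pattern>/test.jsp</url-pattern>
            <!-- Deliberately no <http-method> list. When methods are enumerated
                 (the original listed DELETE/GET/POST/PUT) only those methods are
                 constrained and every other verb (HEAD, OPTIONS, TRACE, PATCH, ...)
                 reaches test.jsp unauthenticated. An empty list constrains all methods. -->
        </web-resource-collection>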

 

新建html文件

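<!DOCTYPE html>
<html lang="zh">
<head>
<meta charset="UTF-8">
<title>HTTP Basic authentication test</title>
</head>
<body>
<button type="button" id="sendBtn">发送</button>
<script type="text/javascript">
// Returns an XMLHttpRequest, falling back to the legacy ActiveX objects for
// old Internet Explorer. Returns null only if every constructor throws.
function getXmlHttpObject() {
    var xmlHttp = null;
    try {
       // Firefox, Opera 8.0+, Safari and every current browser
       xmlHttp = new XMLHttpRequest();
    } catch (e) {
       // Internet Explorer 5/6
       try {
          xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
       } catch (e2) {
          xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
       }
    }
    return xmlHttp;
}

var req;

// Issues the GET against the protected resource and shows the response body.
function send() {
   req = getXmlHttpObject();
   // The credential travels as userinfo in the URL, which is what this test
   // exercises. It is visible to anyone who can load this HTML, and browsers
   // differ in whether they honour userinfo for XHR; the XMLHttpRequest API
   // form is req.open(method, url, true, user, password).
   var url = "http://tomcat:123456@localhost:8080/testweb01/test.jsp";
   // Called on every state change; readyState 4 means the request completed.
   req.onreadystatechange = function () {
      if (req.readyState != 4) {
         return;
      }
      if (req.status == 200) {
         // Show the server's response (the header dump produced by test.jsp).
         alert(req.responseText);
      } else {
         // The original ignored every non-200 outcome; 401 is the interesting
         // result for this test, so report the status instead of staying silent.
         alert("request failed, status " + req.status);
      }
   };
   req.open("GET", url, true);
   req.send(null);
}

// Bound here instead of an inline onclick attribute so the page also works
// under a Content-Security-Policy that forbids inline handlers; property
// assignment still runs on the legacy browsers the ActiveX fallback targets.
document.getElementById("sendBtn").onclick = send;
</script>
</body>
</html>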

 

 

点击【send】按钮,浏览器抓包:



 Fiddler工具抓包


 

关于http basic认证:

http://huangqiqing123.iteye.com/blog/2410417


转载自huangqiqing123.iteye.com/blog/2410522