Fel*_*ixD 7 java security tomcat realm
I am trying to nest Realms in Tomcat 7.0.32 as follows (written as pseudo-XML):
<CombinedRealm>
  <LockoutRealm>
    <DataSourceRealm/>
  </LockoutRealm>
  <UserDatabaseRealm/>
</CombinedRealm>
This does not seem to work. Is it possible to nest Realms in Tomcat more than two levels deep? I get this warning in the log:
No rules found matching 'Server/Service/Engine/Realm/Realm/Realm'.
The idea behind this is that the web service has some critical users that must not be lockable (e.g. as a DoS) and some normal users, who may have weaker passwords, for whom the LockOutRealm should be active. I am sure others have been in this situation.
If there is another way to achieve this (e.g. a whitelist for the LockOutRealm), please let me know.
Single sign-on is also required.
I suppose extending the existing LockOutRealm code with a list of accounts that are never locked would be an option, but I am not that keen on writing my own Realm; I would rather not add custom code to Tomcat at that level, since that would complicate the setup for others, every Tomcat update might break it, etc.
Thanks for your help!
Here is the relevant part of the server.xml of my test configuration:
<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.CombinedRealm">
    <!-- Lockout realm for the DB users -->
    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <!-- PRIMARY: DataSourceRealm with user DB -->
      <Realm className="org.apache.catalina.realm.DataSourceRealm"
             dataSourceName="jdbc/authority"
             userTable="user" userNameCol="username"
             userCredCol="password" digest="SHA"
             userRoleTable="user_role" roleNameCol="rolename" />
    </Realm>
    <!-- FALLBACK:
         This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase". Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm. -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>
  <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true">
    <!-- SingleSignOn valve, share authentication between web applications
         Documentation at: /docs/config/valve.html -->
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
    <!-- Access log processes all example.
         Documentation at: /docs/config/valve.html
         Note: The pattern used is equivalent to using pattern="common" -->
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  </Host>
</Engine>
Now the new answer is:
Update to Tomcat 7.0.33 or later. Then it works perfectly.
Christopher Schultz was kind enough to forward my question to the Tomcat users list. The great Tomcat developers fixed the problem right away and put it into the next release. Many thanks!
So you can now use the structure from the question, or one with a different order / "priority":
...
<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.CombinedRealm">
    <!-- PRIMARY: tomcat-users.xml with critical system users
         that should always work, DB independent and without lockout
         NOTE: If the wrong password is given, the secondary path with
         lockout is still attempted, so that a lockout on that path
         will still occur and be logged. Still the primary path is not
         locked for access by that happening. -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
    <!-- SECONDARY: DataSourceRealm with DB with lockout functionality -->
    <!-- (three level nesting of realms requires Tomcat >= 7.0.33) -->
    <Realm className="org.apache.catalina.realm.LockOutRealm"
           failureCount="5" lockOutTime="60" > <!-- note that when an account is locked correct password
                                                   login is no longer possible (would otherwise defeat purpose of lockout),
                                                   but also lockoutTime is still reset in each correct attempt -->
      <Realm className="org.apache.catalina.realm.DataSourceRealm"
             dataSourceName="jdbc/authority"
             userTable="user" userNameCol="username"
             userCredCol="password" digest="SHA"
             userRoleTable="user_role" roleNameCol="rolename" />
    </Realm>
  </Realm>
  <Host >
  ...
  </Host>
</Engine>
...
Of course you can also use other realms and other combinations.
Note that one thing in the log can be misleading: in this structure, if a wrong password is given for one of the critical users stored in the primary realm, the primary realm denies access, then access is attempted through the lockout realm to the secondary realm, which also denies access and eventually locks the user name. The lockout realm logs this as the warning "An attempt was made to authenticate the locked user ...". Even so, access with the correct password is still possible through the primary realm, because it does not go through the lockout realm. I.e. everything works as intended, only the log message can cause confusion (which of course cannot be avoided).
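The primary/secondary behaviour the answer describes (and the lockout semantics the question needs), modelled in Python as an added example. This is not Tomcat's code and not the answerer's: the realm classes, the user names `admin` and `bob`, their passwords and the wall-clock values are constructed, the `failureCount="5"` / `lockOutTime="60"` values come from the answer's server.xml, and the warning text is modelled after the log line the answer quotes. The model reproduces two things: a critical user in the primary realm keeps working with the correct password even after the name has been "locked" on the secondary path, and a DB user who is locked is refused even with the correct password until the lockout window has passed.

```python
from typing import Dict, List, Tuple


class StaticRealm:
    """Stand-in for UserDatabaseRealm / DataSourceRealm: a fixed user table (constructed sample data)."""

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users

    def authenticate(self, username: str, password: str, now: float) -> bool:
        return self.users.get(username) == password


class LockOutRealm:
    """Wraps one realm and refuses a user after failure_count failures within lock_out_time seconds."""

    def __init__(self, inner, failure_count: int = 5, lock_out_time: int = 60) -> None:
        self.inner = inner
        self.failure_count = failure_count
        self.lock_out_time = lock_out_time
        self.failures: Dict[str, Tuple[int, float]] = {}  # username -> (failure count, last failure time)
        self.log: List[str] = []  # stands in for catalina.out

    def is_locked(self, username: str, now: float) -> bool:
        rec = self.failures.get(username)
        if rec is None:
            return False
        count, last_failure = rec
        return count >= self.failure_count and now - last_failure < self.lock_out_time

    def _register_failure(self, username: str, now: float) -> None:
        count, _ = self.failures.get(username, (0, now))
        self.failures[username] = (count + 1, now)

    def authenticate(self, username: str, password: str, now: float) -> bool:
        if self.is_locked(username, now):
            # An attempt against a locked account fails even with the right password and
            # pushes the lock window forward (modelled after the note in the answer's server.xml).
            self._register_failure(username, now)
            self.log.append(f'WARNING An attempt was made to authenticate the locked user "{username}"')
            return False
        if self.inner.authenticate(username, password, now):
            self.failures.pop(username, None)  # a successful login clears the failure record
            return True
        self._register_failure(username, now)
        return False


class CombinedRealm:
    """Tries each nested realm in order; the first one that accepts the credentials wins."""

    def __init__(self, realms) -> None:
        self.realms = list(realms)

    def authenticate(self, username: str, password: str, now: float) -> bool:
        return any(r.authenticate(username, password, now) for r in self.realms)


def build_realm() -> Tuple[CombinedRealm, LockOutRealm]:
    """Mirrors the answer's server.xml: primary UserDatabaseRealm, then LockOutRealm(DataSourceRealm)."""
    critical_users = StaticRealm({"admin": "critical-pw"})  # tomcat-users.xml stand-in (constructed)
    db_users = StaticRealm({"bob": "bob-pw"})                # jdbc/authority stand-in (constructed)
    lockout = LockOutRealm(db_users, failure_count=5, lock_out_time=60)
    return CombinedRealm([critical_users, lockout]), lockout


def scenario_critical_user_never_locked() -> Tuple[bool, bool, int]:
    """Five bad passwords for 'admin' lock the name on the secondary path only; the correct password
    still works through the primary realm. Returns (locked_on_secondary, primary_still_ok, warnings)."""
    combined, lockout = build_realm()
    for i in range(5):
        combined.authenticate("admin", "wrong", now=float(i))
    locked = lockout.is_locked("admin", now=5.0)
    combined.authenticate("admin", "wrong", now=6.0)  # sixth attempt: produces the misleading warning
    ok = combined.authenticate("admin", "critical-pw", now=7.0)  # primary accepts, lockout realm not consulted
    return locked, ok, len(lockout.log)


def scenario_db_user_locked() -> Tuple[bool, bool, bool]:
    """Five bad passwords for 'bob' lock him out of the DB path; the correct password is refused until
    lock_out_time has elapsed. Returns (ok_before_lock, ok_while_locked, ok_after_expiry)."""
    combined, lockout = build_realm()
    ok_before = combined.authenticate("bob", "bob-pw", now=0.0)
    for i in range(5):
        combined.authenticate("bob", "wrong", now=1.0 + i)
    ok_locked = combined.authenticate("bob", "bob-pw", now=10.0)  # refused, and the lock now runs to 10 + 60
    ok_after = combined.authenticate("bob", "bob-pw", now=10.0 + 60.0)
    return ok_before, ok_locked, ok_after


if __name__ == "__main__":
    print(scenario_critical_user_never_locked())  # (True, True, 1)
    print(scenario_db_user_locked())              # (True, False, True)
```

The first scenario is the log confusion from the answer: the warning about the locked user `admin` appears, yet `admin` logs in fine with the correct password because `CombinedRealm` stops at the primary realm. The second scenario is the protection the question wanted for ordinary DB users: once locked, even the right password is rejected, and a further attempt during the window extends the lock, so a monitoring rule that keys on the warning line should not conclude that the primary-realm user was actually denied.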