
java - Tomcat user has the principal role, but request.isUserInRole() says otherwise

Repost. Author: 行者123. Updated: 2023-11-28 22:12:01

The users and roles are defined in tomcat-users.xml:

<user username="admin" password="admin" roles="user,admin,APP_ADMIN"/>
<role rolename="user"/>
<role rolename="APP_ADMIN"/>
<role rolename="admin"/>

The application security is defined as:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Dynamic pages</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the roles who have access.</description>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description></description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

But when I log in to the application as admin, it always gives me HTTP 403 Unauthorized.
I checked the roles with a JSP scriptlet:

out.write(request.getUserPrincipal().toString()); 

It prints:

User username="admin", roles="user,admin,APP_ADMIN"

But when I check isUserInRole:

out.write(request.isUserInRole("APP_ADMIN") ? "Yep" : "nope");

I get:

nope

The Tomcat version is 7.0.55.

Best answer

1: You may have to define the roles in web.xml. See this SO question: Why do I list security roles in web.xml when they're in jdbcRealm database?

2: The wildcard "*" in the role name may cause trouble. Maybe try using the role name "user" and see whether it works.

For the wildcard as a role name, you have to enable allRolesMode:

This attribute controls how the special role name * is handled when processing authorization constraints in web.xml. By default, the specification compliant value of strict is used which means that the user must be assigned one of the roles defined in web.xml. The alternative values are authOnly which means that the user must be authenticated but no check is made for assigned roles and strictAuthOnly which means that the user must be authenticated and no check will be made for assigned roles unless roles are defined in web.xml in which case the user must be assigned at least one of those roles.

For more information, see the Tomcat documentation: https://tomcat.apache.org/tomcat-7.0-doc/config/realm.html
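Added example, not part of the original question or answer: a Python check that reads a web.xml and reports the two conditions the answer points at, namely a `*` auth-constraint with no roles declared under allRolesMode=strict, and named roles that are never declared. The `lint_roles` name, the wrapping `<web-app>` element and the corrected descriptor are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's constraint, wrapped in a minimal <web-app>.
CONSTRAINT = """
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Dynamic pages</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>"""
BEFORE = "<web-app>" + CONSTRAINT + "</web-app>"
# Assumed fix following answer item 1: declare the roles from tomcat-users.xml.
AFTER = ("<web-app>" + CONSTRAINT + "".join(
    f"<security-role><role-name>{r}</role-name></security-role>"
    for r in ("user", "admin", "APP_ADMIN")) + "</web-app>")


def _local(tag):
    """Drop any XML namespace so descriptors with or without xmlns both parse."""
    return tag.rsplit("}", 1)[-1]


def _role_names(root, parent):
    """Role names found in <role-name> children of every <parent> element."""
    return [c.text.strip() for p in root.iter() if _local(p.tag) == parent
            for c in p if _local(c.tag) == "role-name" and c.text]


def lint_roles(web_xml, all_roles_mode="strict"):
    """Return findings about constraint roles that web.xml never declares."""
    root = ET.fromstring(web_xml)
    declared = set(_role_names(root, "security-role"))
    findings = []
    for name in _role_names(root, "auth-constraint"):
        if name == "*":
            # strict: the user must hold a role declared in web.xml, so an
            # empty declaration list leaves nothing to match.
            if all_roles_mode == "strict" and not declared:
                findings.append("'*' used with allRolesMode=strict but no <security-role> declared")
        elif name not in declared:
            findings.append(f"role '{name}' used in <auth-constraint> but not declared")
    return findings


if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_roles(doc) or "ok")
```

Pass the value of the Realm's allRolesMode attribute as the second argument when it is not the default strict.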

Regarding "java - Tomcat user has the principal role, but request.isUserInRole() says otherwise", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/30526179/
