Java – Tomcat 7 nested CombinedRealm, LockOutRealm and DataSourceRealm

I tried nested realms in Tomcat 7.0.32 as follows (written in pseudo-XML here):

<CombinedRealm>
  <LockoutRealm>
     <DataSourceRealm/>
  </LockoutRealm>
  <UserDatabaseRealm/>
</CombinedRealm>

This doesn't seem to work – can realms in Tomcat be nested at more than two levels? I received a warning in my log:

No rules found matching 'Server/Service/Engine/Realm/Realm/Realm'.

The idea behind this is that the web service has some key users (for example, as DoS) and some ordinary users who cannot be locked. These users may have weak passwords, and LockOutRealm should be active. I believe others have been in this situation.

If there are other ways to achieve this (such as a whitelist for LockOutRealm), please let me know.

Single sign-on is also required.

I think extending the existing LockOutRealm code with a list of accounts that will never be locked would be an option, but I'm not so keen on writing my own realm. I'd rather not add custom code to Tomcat at this level, because it will be complex for others to set up and to update for each Tomcat release, which may break things, and so on.

Thanks for your help!

This is my test configuration. Relevant parts of server.xml:

<Engine name="Catalina" defaultHost="localhost">

  <Realm className="org.apache.catalina.realm.CombinedRealm">

    <!-- Lockout realm for the DB users -->
    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <!-- PRIMARY: DataSourceRealm with user DB -->
      <Realm className="org.apache.catalina.realm.DataSourceRealm"
         dataSourceName="jdbc/authority"
         userTable="user" userNameCol="username" 
         userCredCol="password" digest="SHA"
         userRoleTable="user_role" roleNameCol="rolename" />
    </Realm>

    <!-- FALLBACK:
         This Realm uses the UserDatabase configured in the global JNDI
         resources under the key "UserDatabase".  Any edits
         that are performed against this UserDatabase are immediately
         available for use by the Realm.  -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>

  </Realm>

  <Host name="localhost"  appBase="webapps"
        unpackWARs="true" autoDeploy="true">

    <!-- SingleSignOn valve,share authentication between web applications
         Documentation at: /docs/config/valve.html -->
    <Valve className="org.apache.catalina.authenticator.SingleSignOn" />

    <!-- Access log processes all example.
         Documentation at: /docs/config/valve.html
         Note: The pattern used is equivalent to using pattern="common" -->
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
           prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b" />

  </Host>
</Engine>

Solution

Apache commons-digester is used to parse the configuration files, so I suspect this particular use case was not expected.

Tomcat's org.apache.catalina.startup.RealmRuleSet.addRuleInstances seems to go only 2 levels deep in the Realm configuration. It looks simple to add another layer there.

I'd have to look at how the digester is configured to see whether any level can be supported, or whether a subset has to be manually configured.

Feel free to go to the Tomcat users' list and ask for such a change.
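
A pre-deployment check for the nesting problem discussed above, as an added example that is not part of the original question or answer: it walks a server.xml and reports every Realm nested deeper than two levels, using the same path format as the warning. The two-level limit is taken from the answer's reading of RealmRuleSet; the sample file, the function name and the `max_depth` parameter are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's realm layout wrapped in Server/Service.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.CombinedRealm">
        <Realm className="org.apache.catalina.realm.LockOutRealm">
          <Realm className="org.apache.catalina.realm.DataSourceRealm"
                 dataSourceName="jdbc/authority"/>
        </Realm>
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def find_deep_realms(xml_text, max_depth=2):
    """Return (path, className, parent className) for each Realm nested
    deeper than max_depth consecutive Realm levels.

    max_depth=2 is an assumption taken from the answer above; adjust it
    if the Tomcat build in use handles deeper nesting.
    """
    findings = []

    def walk(elem, path, realm_depth, parent_class):
        path = path + [elem.tag]
        # Count only directly nested Realm elements; any other tag resets.
        realm_depth = realm_depth + 1 if elem.tag == "Realm" else 0
        if realm_depth > max_depth:
            findings.append(("/".join(path), elem.get("className", ""), parent_class))
        for child in elem:
            walk(child, path, realm_depth, elem.get("className", ""))

    walk(ET.fromstring(xml_text), [], 0, "")
    return findings


if __name__ == "__main__":
    for path, cls, parent in find_deep_realms(SAMPLE_SERVER_XML):
        print(f"no rule for {path}: {cls} (inside {parent}) needs review")
```

A finding here means the wrapping realm, LockOutRealm in the sample, may start without the realm it was meant to protect, so treat it as a failed configuration check before deployment.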
