Return-Path:
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 97757 invoked by uid 500); 6 Apr 2000 17:49:23 -0000
Delivered-To: apmail-jakarta-tomcat-cvs@apache.org
Received: (qmail 97754 invoked by uid 1059); 6 Apr 2000 17:49:23 -0000
Date: 6 Apr 2000 17:49:23 -0000
Message-ID: <20000406174923.97753.qmail@locus.apache.org>
From: craigmcc@locus.apache.org
To: jakarta-tomcat-cvs@apache.org
Subject: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/request SecurityCheck.java

craigmcc    00/04/06 10:49:23

  Modified:    src/doc  readme
               src/etc  tomcat-users.xml
               src/examples/WEB-INF  web.xml
               src/examples/jsp/security/protected  index.jsp
               src/share/org/apache/tomcat/request  SecurityCheck.java
  Log:
  Added more example users to the tomcat-users file to demonstrate the
  syntax options.

  Modified the examples web application so that BASIC authentication is the
  default, but left notes in web.xml about how to easily switch to form based
  authentication.  No changes to the protected application itself are
  required when you switch -- one of the really nice things about container
  managed security :-).

  Enhanced the page displayed inside the protected area to confirm the user's
  remote username and principal username, as well as allowing the lookup of
  roles assigned to this user.  (You wouldn't do this in a real application,
  but it is quite useful for debugging your tomcat-users.xml file contents.)

  Removed a debugging output statement from SecurityCheck.java.

  Revision  Changes    Path
  1.4       +62 -4     jakarta-tomcat/src/doc/readme

  Index: readme
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- readme 2000/03/26 02:36:11 1.3
  +++ readme 2000/04/06 17:49:21 1.4
@@ -1,4 +1,4 @@ -$Id: readme,v 1.3 2000/03/26 02:36:11 craigmcc Exp $ +$Id: readme,v 1.4 2000/04/06 17:49:21 craigmcc Exp $ Release Notes for ================= @@ -14,6 +14,7 @@ 4. New Features In This Release 5. Known Bugs and Issues + ============================================================================= 1. INTRODUCTION @@ -27,6 +28,7 @@ You should read the License Agreement (in the LICENSE file of the top level directory), which applies to all software included in this release. + ============================================================================= 2. INSTALLING AND RUNNING TOMCAT 
@@ -51,14 +53,40 @@ ============================================================================= 4. NEW FEATURES IN THIS RELEASE + +Many new features have been added to Tomcat since the 3.0 release. Among the +most important are: + +- Connectors for using Tomcat to run servlets with Microsoft's IIS + and Netscape's NES web server, as well as Apache and stand-alone. + +- Automatic generation of configuration files for Apache integration. + +- Automatic deployment of applications delivered as Web ARchive (WAR) + files. To deploy an application, copy the WAR file to the + $TOMCAT_HOME/webapps directory and restart Tomcat, after which the + WAR file will be automatically expanded. To remove an application, + remove the expanded directory (and the WAR file) for that application. -FIXME +- Automatic servlet reloading when servlet classes are changed in + WEB-INF/classes or WEB-INF/lib/*.jar. This support can be configured + on a per-web-application basis. +- Enhanced support for logging on a per-Tomcat-component basis. +- Minimal administration tool, allowing new web applications to be deployed + into a running Tomcat environment, as well as removing existing applications. + +- Command line tool (jspc) to compile the JSP pages that comprise your + application ahead of time. + +- Substantially improved installation and development documentation. + + ============================================================================= 5. KNOWN BUGS AND ISSUES -6.1 Using An Absolute Path as Document Root Under Windows +5.1 Using An Absolute Path as Document Root Under Windows In the TOMCAT_HOME/conf/server.xml file, you can declare a relative or absolute directory pathname for the docRoot attribute. If you wish to use an absolute 
@@ -72,6 +100,36 @@ Under Unix, absolute pathnames must begin with a slash ('/') character. +5.2 Container Managed Security + +Tomcat 3.1 has an experimental implementation of container managed security, +as described in the Servlet API Specification, version 2.2, section 11. Please +note the following information about this implementation: + +- BASIC authentication appears to work correctly, but has not been + extensively tested. Please report any bugs you encounter here + at . The example application has + a protected area defined at the following URL: + + http://localhost:8080/examples/jsp/security/protected + + which can be accessed by any user defined in the configuration file + $TOMCAT_HOME/conf/tomcat-users.xml that has been granted the + appropriate roles. + + WARNING: Basic authentication is not suitable for general security + use across the Internet, or across other insecure networks, because + usernames and passwords are sent encoded, but not encrypted, with + every single request. + +- FORM based authentication is partially supported, although there are + known bugs and specification compliance issues. This implementation + is *not* suitable for general application use. + + If you wish to participate in debugging and enhancing this portion of + Tomcat, please subscribe to the TOMCAT-DEV mailing list, and assist in + locating and fixing all of the outstanding problems. -FIXME +- DIGEST authentication and HTTPS client authentication (i.e. SSL) + are not supported in this release. 1.2 +2 -0 jakarta-tomcat/src/etc/tomcat-users.xml Index: tomcat-users.xml =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/etc/tomcat-users.xml,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- tomcat-users.xml 2000/02/17 21:19:00 1.1 +++ tomcat-users.xml 2000/04/06 17:49:21 1.2 
@@ -1,3 +1,5 @@ + + 1.8 +19 -16 jakarta-tomcat/src/examples/WEB-INF/web.xml Index: web.xml =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/examples/WEB-INF/web.xml,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- web.xml 2000/04/04 15:12:15 1.7 +++ web.xml 2000/04/06 17:49:22 1.8 @@ -63,37 +63,40 @@ - a + Protected Area + /jsp/security/protected/* - /jsp/security/protected1/ + + DELETE GET POST + PUT - - - a - /foo2/* - /bar2/* - - + tomcat - role1 + role1 - - + + + BASIC + Example Basic Authentication Area + + + + 1.3 +42 -3 jakarta-tomcat/src/examples/jsp/security/protected/index.jsp Index: index.jsp =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/examples/jsp/security/protected/index.jsp,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- index.jsp 2000/04/02 20:19:26 1.2 +++ index.jsp 2000/04/06 17:49:22 1.3 @@ -1,6 +1,45 @@ - - -

Great, you logged in as user <%= request.getRemoteUser() %>

+ +Protected Area Page + + + +You are logged in as remote user <%= request.getRemoteUser() %>

+ +<% + if (request.getUserPrincipal() != null) { +%> + Your user principal name is <%= request.getUserPrincipal().getName() %>

+<% + } else { +%> + No user principal could be identified. +<% + } +%> + +<% + String role = request.getParameter("role"); + if (role == null) + role = ""; + if (role.length() > 0) { + if (request.isUserInRole(role)) { +%> + You have been granted role <%= role %>

+<% + } else { +%> + You have not been granted role <%= role %>

+<% + } + } +%> + +To check whether your username has been granted a particular role, +enter it here: +
+ +
+ 1.13 +1 -1 jakarta-tomcat/src/share/org/apache/tomcat/request/SecurityCheck.java Index: SecurityCheck.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/SecurityCheck.java,v retrieving revision 1.12 retrieving revision 1.13 diff -u -r1.12 -r1.13 --- SecurityCheck.java 2000/04/06 06:00:45 1.12 +++ SecurityCheck.java 2000/04/06 17:49:22 1.13 @@ -201,7 +201,7 @@ /** Wrong user/password */ protected int errorPage( Request req, Response response ) { - System.out.println("Wrong user/password"); + // System.out.println("Wrong user/password"); return 0; }
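Review bot: the BASIC warning in the new readme section 5.2 says the credentials go out "encoded, but not encrypted" on every request (they are only Base64-encoded) but stops short of saying what does make BASIC acceptable; add that it is only suitable when the whole connection is protected by SSL, for instance in front of the Apache connector, which is a different thing from the "HTTPS client authentication" the last bullet lists as unsupported. In that last bullet "(i.e. SSL)" reads as though SSL transport itself were unsupported; the Servlet 2.2 term for certificate-based login is CLIENT-CERT, so "HTTPS client certificate authentication (CLIENT-CERT)" would avoid the confusion. Also, the sentence "Please report any bugs you encounter here at ." has nothing after "at"; the list or address to report to should be spelled out.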
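Review bot: the security-constraint in the web.xml hunk enumerates http-method DELETE, GET, POST and PUT, which under Servlet 2.2 semantics means the constraint applies only to those verbs and leaves /jsp/security/protected/* reachable without authentication via HEAD, OPTIONS, TRACE or any other method the container accepts. Unless the example is meant to demonstrate per-method constraints, drop the http-method elements entirely so the url-pattern is protected for every method; if they stay, the web.xml comment the log message mentions should say why the list is there.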
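Review bot: in the index.jsp hunk the value of request.getParameter("role") is written back into the page unescaped in "You have been granted role <%= role %>" and "You have not been granted role <%= role %>", so a crafted role query string injects markup or script into an authenticated user's page; HTML-escape the parameter (at minimum &, <, >, and ") before emitting it. The same treatment is cheap for the getRemoteUser() and getUserPrincipal().getName() values, which come from tomcat-users.xml rather than the request but are also emitted raw. The log message notes this page is for debugging only, which is a good reason to also state in the JSP itself that it should not ship in a production application.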
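Review bot: commenting out the System.out.println in errorPage leaves dead code behind and, more importantly, means a wrong user/password now produces no trace anywhere; delete the commented line and instead record the failed attempt through the per-component logging this same commit advertises in the readme, so failed logins stay observable in Tomcat's log without being written to stdout.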