tomcat-dev mailing list archives

From "Jonathan Eric Miller" <jemil...@uchicago.edu>
Subject Bug in basic HTTP authentication/resource protection in Tomcat 3.1?
Date Wed, 19 Jul 2000 20:03:53 GMT
It may just be the case that I don't know what I'm doing, but I noticed
something that I think may be a bug with regard to protecting resources in
Tomcat.

I was playing around with the web.xml file used for the ROOT Web application
trying to see if I could make it so that users would have to authenticate
via basic HTTP authentication in order to access the SnoopServlet. The
web.xml file that I'm using is listed below.

It seems to work fine (i.e. it prompts me for a password) if I access it
using the following URL.

http://localhost:8080/servlet/SnoopServlet

However, I noticed that if I append a slash after it (entered it by
accident), I'm able to access the servlet without having to authenticate.

http://localhost:8080/servlet/SnoopServlet/

Also, I noticed that it works correctly for URLs like the following.

http://localhost:8080/servlet/SnoopServlet?var1=value1

Jon

P.S. I'm not actually subscribed to this list, so, please CC
jemiller@uchicago.edu with any responses. Thanks.

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">

<web-app>
    <security-constraint>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
         <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/servlet/SnoopServlet</url-pattern>
         <!-- If you list http methods, only those methods are protected -->
         <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
         <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>tomcat</role-name>
         <role-name>role1</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses BASIC authentication -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Example Basic Authentication Area</realm-name>
    </login-config>
</web-app>
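The behaviour reported above (the exact pattern /servlet/SnoopServlet guards the bare path and the path with a query string, but not the path with a trailing slash) follows directly from how a servlet <url-pattern> is matched against the request path. The following is an added example, not Tomcat's code and not part of the original message: a small Python model of Servlet 2.2-style pattern matching (exact path, path prefix ending in "/*", extension "*.ext", and the default "/") that can be used to check which request paths a given <security-constraint> actually covers. It matches on the path only, which is why the "?var1=value1" form is still protected. The pattern lists POSTED and HARDENED and the sample URL list are constructed for this example; whether the container then routes the slash-suffixed path to the same servlet is a separate dispatching question (the message says it does), which this check does not model.

```python
"""Servlet-style <url-pattern> matching as a coverage check for a
<security-constraint>. Added example, not Tomcat's own code."""
from urllib.parse import urlsplit


def matches_pattern(pattern: str, path: str) -> bool:
    """Return True if `path` (request path, no query string) falls under
    `pattern`, using the four pattern kinds of the servlet descriptor."""
    if pattern == "/":
        # Default pattern: matches every path.
        return True
    if pattern.endswith("/*"):
        # Path-prefix pattern: "/foo/*" covers "/foo", "/foo/", "/foo/bar".
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        # Extension pattern: "*.jsp" covers any path ending in ".jsp".
        return path.endswith(pattern[1:])
    # Anything else is an exact match: "/foo" does NOT cover "/foo/".
    return path == pattern


def is_protected(patterns, url: str) -> bool:
    """True if any pattern in the constraint covers the URL's path.
    The query string is deliberately ignored, as in constraint matching."""
    path = urlsplit(url).path
    return any(matches_pattern(p, path) for p in patterns)


# Constraint exactly as posted in the web.xml above: one exact pattern.
POSTED = ["/servlet/SnoopServlet"]

# Hardened constraint (assumed fix, not from the page): add a prefix
# pattern so the trailing-slash form and any path info are covered too.
HARDENED = ["/servlet/SnoopServlet", "/servlet/SnoopServlet/*"]

# Constructed sample requests, including the three from the message.
URLS = [
    "http://localhost:8080/servlet/SnoopServlet",
    "http://localhost:8080/servlet/SnoopServlet/",
    "http://localhost:8080/servlet/SnoopServlet?var1=value1",
    "http://localhost:8080/servlet/SnoopServlet/extra",
]


def coverage(patterns, urls=URLS):
    """Map each URL to whether the constraint covers its path."""
    return {u: is_protected(patterns, u) for u in urls}


if __name__ == "__main__":
    for name, pats in (("posted", POSTED), ("hardened", HARDENED)):
        print(f"{name}: {pats}")
        for u, ok in coverage(pats).items():
            print(f"  {'protected' if ok else 'OPEN     '}  {u}")
```

Run stand-alone, the "posted" block reports the trailing-slash URL as OPEN while the other two are protected, and the "hardened" block covers all four. The practical check this gives a deployer is simple: for every servlet you protect by exact path, also list the "/*" prefix form (or protect the whole /servlet/* area), then confirm with a browser that the slash-suffixed and path-info variants prompt for credentials.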
