tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 6525] New: - When deploying a web-app (as WAR or directory under Web-Apps) complex security-constraint in web.xml is ignored
Date Mon, 18 Feb 2002 15:17:56 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6525>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6525

When deploying a web-app (as WAR or directory under Web-Apps) complex security-constraint
in web.xml is ignored

           Summary: When deploying a web-app (as WAR or directory under Web-
                    Apps) complex security-constraint in web.xml is ignored
           Product: Tomcat 4
           Version: 4.0.2 Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: edson.richter@econet-sw.com.br


When using the following rules to secure an app

	<security-constraint>
		<web-resource-collection>
			<web-resource-name>Sistema Quest - Área Segura</web-resource-name>
			<url-pattern>/seguro/index.jsp</url-pattern>
			<url-pattern>/seguro/categoria/*</url-pattern>
			<url-pattern>/seguro/edicao/*</url-pattern>
			<url-pattern>/seguro/entrevistado/*</url-pattern>
			<url-pattern>/seguro/formulario/*</url-pattern>
			<url-pattern>/seguro/itemFormulario/*</url-pattern>
			<url-pattern>/seguro/tabela/*</url-pattern>
			<url-pattern>/servlet/br.com.econet.forme.servlet.CategoriaServlet</url-pattern>
			<url-pattern>/servlet/br.com.econet.forme.servlet.EdicaoServlet</url-pattern>
			<url-pattern>/servlet/br.com.econet.forme.servlet.EntrevistadoServlet</url-pattern>
			<url-pattern>/servlet/br.com.econet.forme.servlet.FormularioServlet</url-pattern>
			<url-pattern>/servlet/br.com.econet.forme.servlet.FormularioItemServlet</url-pattern>
			<url-pattern>/servlet/br.com.econet.forme.servlet.ItemFormularioServlet</url-pattern>
			<url-pattern>/servlet/br.com.econet.forme.servlet.TabelaItemServlet</url-pattern>
			<url-pattern>/servlet/br.com.econet.forme.servlet.TabelaServlet</url-pattern>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>
		<auth-constraint>
			<role-name>questEditor</role-name>
			<role-name>questAdministrador</role-name>
		</auth-constraint>
		<user-data-constraint>
			<transport-guarantee>NONE</transport-guarantee>
		</user-data-constraint>
	</security-constraint>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>Sistema Quest - Área Segura</web-resource-name>
			<url-pattern>/seguro/*</url-pattern>
			<url-pattern>/servlet/*</url-pattern>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>
		<auth-constraint>
			<role-name>questAdministrador</role-name>
		</auth-constraint>
		<user-data-constraint>
			<transport-guarantee>NONE</transport-guarantee>
		</user-data-constraint>
	</security-constraint>

I get the following error when connecting with role questEditor:

Apache Tomcat/4.0.2 - HTTP Status 403 - Access to the requested resource has 
been denied

--------------------------------------------------------------------------------

type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested resource 
has been denied) has been forbidden.

And see: I have configured a <form-error-page> for <login-config>:

	<login-config>
		<auth-method>FORM</auth-method>
		<realm-name>Sistema QUEST</realm-name>
		<form-login-config>
			<form-login-page>/login.jsp</form-login-page>
			<form-error-page>/loginErro.jsp</form-error-page>
		</form-login-config>
	</login-config>

The exact same application described here works fine with HP-AS.

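Added example, not part of the bug report or of Tomcat's code: a small audit that lists every url-pattern in one security-constraint that is also matched by a broader path-prefix pattern in another constraint with a different role list, which is the shape of the descriptor above. The sample descriptor is constructed (trimmed to a few of the report's patterns), the function names are hypothetical, and only exact and `/path/*` patterns are analysed; it reports the overlap and makes no claim about how a container resolves it.

```python
import xml.etree.ElementTree as ET
# Constructed sample, trimmed from the shape of the descriptor in the report.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/seguro/index.jsp</url-pattern>
      <url-pattern>/seguro/categoria/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>questEditor</role-name>
      <role-name>questAdministrador</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/seguro/*</url-pattern>
      <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>questAdministrador</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def load_constraints(web_xml):
    """Return [(url_patterns, roles)], one entry per <security-constraint>."""
    out = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns = [(e.text or "").strip() for e in sc.iter("url-pattern")]
        roles = sorted((e.text or "").strip() for e in sc.iter("role-name"))
        out.append((patterns, roles))
    return out

def covers(broad, narrow):
    """True if path-prefix pattern `broad` (/x/*) matches every path `narrow` matches."""
    if not broad.endswith("/*") or broad == narrow:
        return False
    base = broad[:-2]  # "/seguro/*" -> "/seguro"
    target = narrow[:-2] if narrow.endswith("/*") else narrow
    return target == base or target.startswith(base + "/")

def find_overlaps(web_xml):
    """List (narrow, narrow_roles, broad, broad_roles) across constraints whose roles differ."""
    cs = load_constraints(web_xml)
    return [(n, ra, b, rb)
            for i, (pa, ra) in enumerate(cs) for j, (pb, rb) in enumerate(cs)
            if i != j and ra != rb
            for n in pa for b in pb if covers(b, n)]

if __name__ == "__main__":
    print(*find_overlaps(SAMPLE_WEB_XML), sep="\n")
```

Each reported pair is a URL space where two constraints with different role lists both apply, so it is worth checking against the container's documented matching rules.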

