tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 25625] New: - Security Restrictions don't apply to initial page
Date Thu, 18 Dec 2003 14:31:53 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25625>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25625

Security Restrictions don't apply to initial page

           Summary: Security Restrictions don't apply to initial page
           Product: Tomcat 5
           Version: 5.0.16
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: cam-cama@princetonsa.com


In Tomcat 5, if you restrict a directory in web.xml, so no user can access
without login:

<security-constraint>
 <web-resource-collection>
  <web-resource-name>common</web-resource-name>
  <url-pattern>/common/*</url-pattern>
  <http-method>POST</http-method>
  <http-method>GET</http-method>
 </web-resource-collection>
 <auth-constraint>
  <role-name>general</role-name>
 </auth-constraint>
 <user-data-constraint>
  <transport-guarantee>NONE</transport-guarantee>
 </user-data-constraint>
</security-constraint>

and you define your welcome file in that directory

<welcome-file-list>
	<welcome-file>/common/examplePage.jsp</welcome-file>
</welcome-file-list>
when you access to your application (Ex: localhost:8080/myApp) it access
directly to examplePage (forgetting the access restriction) BUT if you access
the file directly, the access restriction works
(localhost:8080/myApp/common/examplePage.jsp redirects to your login page)

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org


Mime
View raw message