tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 38221] New: - Tomcat always returns HTTP 403/Forbidden for HTTP PUT, etc
Date Wed, 11 Jan 2006 06:50:07 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38221>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38221

           Summary: Tomcat always returns HTTP 403/Forbidden for HTTP PUT, etc
           Product: Tomcat 5
           Version: 5.0.28
          Platform: All
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connector:HTTP
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: ken@kensystem.com


I have tried several config variations, but cannot get any non-POST/GET method
to succeed. I am correctly overriding each method (doPut(HttpServletRequest,
HttpServletResponse), etc), in this case using a JSP (JspServlet extends
Servlet). The PUT request is well formed, and I am also passing the same
JSESSIONID cookie that allows access via GET.

This symptom occurs with a default server config, as well as adding the below
config sample to the webapp's web.xml.

	<security-constraint>
		<display-name>Example Security Constraint</display-name>
		<web-resource-collection>
			<web-resource-name>Protected Area</web-resource-name>
			<!-- Define the context-relative URL(s) to be protected -->
			<url-pattern>/*</url-pattern>
			<!-- If you list http methods, only those methods are protected -->
			<http-method>HEAD</http-method>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
			<http-method>PUT</http-method>
			<http-method>DELETE</http-method>
			<http-method>TRACE</http-method>
			<http-method>OPTIONS</http-method>
		</web-resource-collection>
		<auth-constraint>
			<!-- Anyone with one of the listed roles may access this area -->
			<role-name>tomcat</role-name>
			<role-name>role1</role-name>
		</auth-constraint>
	</security-constraint>

	<login-config>
		<auth-method>FORM</auth-method>
		<form-login-config>
			<form-login-page>/login.jsp</form-login-page>
			<form-error-page>/login.jsp?fail=true</form-error-page>
		</form-login-config>
	</login-config>

	<!-- Security roles referenced by this web application -->
	<security-role>
		<role-name>role1</role-name>
	</security-role>
	<security-role>
		<role-name>tomcat</role-name>
	</security-role>

My assumption is that there is a web/server.xml or System.setProperty
Security.setProperty setting that needs to be enabled, although I was not able
to locate this in the documentation.

PS - the above "<!-- If you list http methods, only those methods are protected
-->" should be changed to "<!-- If you list http methods, only those methods are
permitted -->"?? I'm not sure I understand the current statement as it relates to
mutual exclusion of unlisted methods, as worded...

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
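The PS in the report above asks what "only those methods are protected" means. Under the servlet specification it means exactly what it says: when a web-resource-collection lists `<http-method>` elements, the constraint applies to those methods only, and every unlisted method on the same url-pattern is left unconstrained (no authentication, no roles). That is the property a reviewer of a web.xml wants to check. The following script is an added example, not code from the bug report or from Tomcat: it parses a web.xml fragment and reports, per url-pattern, which methods some constraint covers and which are left uncovered. It goes beyond the Tomcat 5 config on the page in one respect: it also understands the Servlet 3.0 `<http-method-omission>` element. The two web.xml fragments embedded in it are constructed for the example; the first mirrors the reporter's constraint, the second shows the common pitfall of listing only GET and POST. `KNOWN_METHODS` is the set of methods `HttpServlet` dispatches to its `doXxx` handlers.

```python
"""Audit which HTTP methods a web.xml's security-constraints actually cover."""
import xml.etree.ElementTree as ET

# The methods javax.servlet.http.HttpServlet dispatches to doGet/doHead/doPost/
# doPut/doDelete/doOptions/doTrace; anything a constraint does not name among
# these stays reachable without the constraint's auth-constraint applying.
KNOWN_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"})


def _local(tag):
    """Reduce a possibly namespaced tag like '{ns}url-pattern' to 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text and c.text.strip()]


def audit_constraints(web_xml):
    """Return {url-pattern: {covered, uncovered, roles, auth_constraint}}.

    Servlet-spec semantics applied here:
      * <http-method> list            -> constraint covers exactly those methods
      * <http-method-omission> list   -> covers every known method except those
      * no list at all                -> covers every known method
    'roles' is the union of role-names granting access; an <auth-constraint>
    present but with no roles means access is denied to everyone.
    """
    root = ET.fromstring(web_xml)
    per_pattern = {}
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = _children(sc, "auth-constraint")
        roles = set()
        for a in auth:
            roles.update(_texts(a, "role-name"))
        for wrc in _children(sc, "web-resource-collection"):
            listed = {m.upper() for m in _texts(wrc, "http-method")}
            omitted = {m.upper() for m in _texts(wrc, "http-method-omission")}
            if listed:
                covered = listed
            elif omitted:
                covered = set(KNOWN_METHODS) - omitted
            else:
                covered = set(KNOWN_METHODS)
            for pattern in _texts(wrc, "url-pattern"):
                entry = per_pattern.setdefault(
                    pattern, {"covered": set(), "roles": set(), "auth_constraint": False})
                entry["covered"] |= covered
                entry["roles"] |= roles
                entry["auth_constraint"] = entry["auth_constraint"] or bool(auth)
    return {
        p: {
            "covered": sorted(e["covered"]),
            "uncovered": sorted(KNOWN_METHODS - e["covered"]),
            "roles": sorted(e["roles"]),
            "auth_constraint": e["auth_constraint"],
        }
        for p, e in per_pattern.items()
    }


# Constructed sample 1: the reporter's constraint, every HttpServlet method listed.
REPORTED_FRAGMENT = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>HEAD</http-method><http-method>GET</http-method>
      <http-method>POST</http-method><http-method>PUT</http-method>
      <http-method>DELETE</http-method><http-method>TRACE</http-method>
      <http-method>OPTIONS</http-method><http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name><role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample 2: only GET and POST listed on /admin/*, so PUT, DELETE, HEAD,
# OPTIONS and TRACE bypass the role check; /private/* lists nothing and is fully
# covered, with an empty auth-constraint that denies everyone.
GET_POST_ONLY = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Private</web-resource-name>
      <url-pattern>/private/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    for name, xml in (("reported", REPORTED_FRAGMENT), ("get-post-only", GET_POST_ONLY)):
        for pattern, info in audit_constraints(xml).items():
            print(f"{name} {pattern}: uncovered={info['uncovered']} roles={info['roles']}")
```

Run against the reporter's fragment the script reports nothing uncovered on `/*`, which is consistent with the report: the reporter's 403 is not explained by an unlisted method. Against the second sample it flags `/admin/*` as reachable via DELETE, HEAD, OPTIONS, PUT and TRACE without any role check, which is the reading of the web.xml comment the PS was asking about.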

