tomcat-users mailing list archives

From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: tomcat-users.xml
Date Fri, 14 Apr 2000 16:05:54 GMT


Peder Pedersen wrote:

> Hi Neil,
>
> My impression is that the tomcat-users.xml authorization mechanism is
> in an "early stage" condition. Anyway, you set up the users with
> password and roles, like:
>
> <tomcat-users>
>   <user name="tomcat" password="tomcat" roles="tomcat" />
>   <user name="admin" password="nimda" roles="admin" />
> </tomcat-users>
>

You can also specify a comma-delimited list of roles, if the user is authorized
for more than one of them.

>
> Then you set up your web application authorization constraints in the
> web application deployment descriptor (webappl/WEB-INF/web.xml). Check
> out the Servlet specification, and the web.xml DTD file in particular.
> For a very simple example, use something like:
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Admin Pages</web-resource-name>
>             <url-pattern>/admin/*</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>admin</role-name>
>         </auth-constraint>
>     </security-constraint>
>
>     <login-config>
>         <auth-method>FORM</auth-method>
>         <form-login-config>
>             <form-login-page>login.html</form-login-page>
>             <form-error-page>login.html</form-error-page>
>         </form-login-config>
>     </login-config>
>

For Tomcat 3.1, you will want to use BASIC authentication.  Form-based
authentication is not yet completely implemented.  If you're using BASIC, you
don't actually need the <form-login-config> element.

>
>     <security-role>
>         <role-name>admin</role-name>
>     </security-role>
>
> The login page in this example should have the format as specified in
> the specification; something like:
>
> <html>
> <head>
>         <title> Security crap. </title>
> </head>
> <body>
>         <form method="POST" action="j_security_check">
>                 Username <input type="text" name="j_username" size=20><br>
>                 Password <input type="password" name="j_password" size=20><br>
>                 <input type="submit" name="Login" value="Login" size=20><br>
>         </form>
> </body>
> </html>
>

Note that the values specified here for action, and the names of the username and
password fields, are not arbitrary -- they are required by the spec so that the
servlet container can recognize them when you use form-based authentication.

>
> Now, if you try to access a page in the admin folder, you are
> automatically forwarded to the login page first.
> Btw, I seem to recall that someone had looked into LDAP integration...
>
> Best regards,
>  - Peder
>

Craig McClanahan
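Added example, not code from Tomcat or from either poster: a small Python model of the authorization rules the message describes. It loads the posted tomcat-users.xml and web.xml, resolves a request path and method against the security-constraint the way the Servlet spec combines them, decodes the BASIC Authorization header Craig recommends for Tomcat 3.1, and runs two deployment checks (roles used in an auth-constraint but never declared, and roles no user holds). Assumptions: the web.xml fragment is wrapped in the `<web-app>` root it needs, the login-config is switched to BASIC, and the admin user is given a comma-delimited role list ("admin, tomcat") to exercise the point about multiple roles. Both inputs are constructed from the page's text.

```python
"""Model of the tomcat-users.xml / web.xml authorization discussed in the thread.
Added example; it is not Tomcat's implementation, only the documented rules."""
import base64
import hmac
import xml.etree.ElementTree as ET

# Constructed sample input (copied from the posted file; admin gets two roles).
TOMCAT_USERS_XML = """<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="admin" password="nimda" roles="admin, tomcat" />
</tomcat-users>"""

# Constructed: the posted fragment wrapped in <web-app>, with BASIC auth as advised.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""


def load_users(xml_text):
    """Return {username: (password, frozenset(roles))}; roles are comma-delimited."""
    users = {}
    for u in ET.fromstring(xml_text).findall("user"):
        roles = frozenset(r.strip() for r in u.get("roles", "").split(",") if r.strip())
        users[u.get("name")] = (u.get("password", ""), roles)
    return users


def load_constraints(xml_text):
    """Return (constraints, declared_roles, auth_method).
    A constraint is (url_patterns, http_methods, roles): roles is None when there
    is no <auth-constraint> (open), an empty set when it names no role (nobody)."""
    root = ET.fromstring(xml_text)
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns, methods = [], set()
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods |= {m.text.strip().upper() for m in wrc.findall("http-method")}
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        constraints.append((patterns, methods, roles))
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    am = root.find("login-config/auth-method")
    return constraints, declared, (am.text.strip() if am is not None else None)


def url_matches(pattern, path):
    """Servlet url-pattern matching: exact, path prefix (/x/*) or extension (*.ext)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern.startswith("*.") and path.endswith(pattern[1:])


def roles_required(constraints, path, method):
    """None if no constraint applies, else the set of roles that may access.
    A constraint that lists <http-method> elements covers ONLY those methods, so
    with the posted file HEAD or PUT on /admin/* falls outside the constraint."""
    matched = [roles for patterns, methods, roles in constraints
               if (not methods or method.upper() in methods)
               and any(url_matches(p, path) for p in patterns)]
    if not matched or None in matched:
        return None                      # open: unmatched, or matched without auth-constraint
    if any(len(r) == 0 for r in matched):
        return set()                     # <auth-constraint/> with no role: deny everyone
    return set().union(*matched)         # otherwise the union of named roles


def basic_header(user, password):
    """Build the 'Authorization: Basic ...' header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(authorization):
    """Decode a Basic header into (user, password); None if absent or malformed."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authorize(path, method, authorization, users, constraints):
    """'ALLOW', 'AUTHENTICATE' (send a 401 challenge) or 'FORBIDDEN' (403)."""
    required = roles_required(constraints, path, method)
    if required is None:
        return "ALLOW"
    creds = parse_basic(authorization)
    if creds is None or creds[0] not in users:
        return "AUTHENTICATE"
    stored_pw, roles = users[creds[0]]
    if not hmac.compare_digest(stored_pw.encode(), creds[1].encode()):
        return "AUTHENTICATE"            # tomcat-users.xml stores the password in clear
    return "ALLOW" if roles & required else "FORBIDDEN"


def lint(users, constraints, declared):
    """Roles named in an auth-constraint that are undeclared or held by nobody."""
    used = set().union(*(r for _, _, r in constraints if r))
    held = set().union(*(roles for _, roles in users.values()))
    return {"undeclared": used - declared, "unassigned": used - held}


if __name__ == "__main__":
    users = load_users(TOMCAT_USERS_XML)
    constraints, declared, auth_method = load_constraints(WEB_XML)
    hdr = basic_header("admin", "nimda")
    print(auth_method, authorize("/admin/index.html", "GET", hdr, users, constraints))
    print(authorize("/admin/index.html", "HEAD", None, users, constraints))
    print(lint(users, constraints, declared))
```

Running it with the inputs above grants the admin user, challenges an anonymous GET, and refuses the tomcat user with 403; the HEAD request is allowed through because the posted constraint only names GET and POST, which is the check worth running on any web.xml that lists http-method elements. The lint result is empty here, but a role typo in either file shows up immediately.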