Peder Pedersen wrote:

> Hi Neil,
>
> My impression is that the tomcat-users.xml authorization mechanism is
> in an "early stage" condition. Anyway, you set up the users with
> password and roles, like:
>

You can also specify a comma-delimited list of roles, if the user is authorized for more than one of them.

>
> Then you set up your web application authorization constraints in the
> web application deployment descriptor (webappl/WEB-INF/web.xml). Check
> out the Servlet specification, and the web.xml DTD file in particular.
> For a very simple example, use something like:
>
> Admin Pages
> /admin/*
> GET
> POST
>
> admin
>
> FORM
>
> login.html
> login.html
>

For Tomcat 3.1, you will want to use BASIC authentication. Form-based authentication is not yet completely implemented. If you're using BASIC, you don't actually need the element.

>
> admin
>
> The login page in this example should have the format as specified in
> the specification; something like:
>
> Security crap.
>
> Username
> Password
>
>

Note that the values specified here for action, and the names of the username and password fields, are not arbitrary -- they are required by the spec so that the servlet container can recognize them when you use form-based authentication.

> Now, if you try to access a page in the admin folder, you are
> automatically forwarded to the login page first.
> Btw, I seem to recall that someone had looked into LDAP integration...
>
> Best regards,
> - Peder

Craig McClanahan
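
The deployment descriptor this thread describes, written out as an added example that is not part of either message: element names follow the Servlet 2.2 web.xml DTD, and the resource name, URL pattern, methods, role and login page are the values quoted above. The realm-name value and the leading slash on the login page path are assumptions.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<!-- Added example: WEB-INF/web.xml protecting /admin/* for the admin role. -->
<web-app>

  <!-- Which requests are protected, and which role may make them. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- Only the methods listed here are constrained. Per the DTD, leaving
           out every http-method element applies the constraint to all methods. -->
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- BASIC, as advised above for Tomcat 3.1. No form-login-config is needed. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Admin Pages</realm-name> <!-- assumed value -->
  </login-config>

  <!-- FORM alternative, replacing the login-config above once the container
       implements it. The login page must post to j_security_check with fields
       named j_username and j_password, as the Servlet specification requires.
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login.html</form-error-page>
    </form-login-config>
  </login-config>
  -->

  <!-- Declares the role name referenced by the auth-constraint. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```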