tomcat-users mailing list archives

From "Robin Green" <gree...@hotmail.com>
Subject Re: Two authentication bugs
Date Wed, 03 May 2000 17:28:03 GMT
I assumed that my configuration should protect all requests matching the URL 
template, whether they map to servlets or not. In fact it _does_ protect the 
.xml file - that's not the problem. The problems are as stated below.

--
Robin


"Dr. Martin Menzel (FB Physik, Uni Kaiserslautern)" wrote:
>Could you protect a servlet at all with your security constraint? Or did you
>only try to protect XML, HTML and JSP files?
>
>Martin
>
>----- Original Message -----
>From: "Robin Green" <greenrd@hotmail.com>
>To: <tomcat-user@jakarta.apache.org>
>Sent: Wednesday, May 03, 2000 6:56 PM
>Subject: Two authentication bugs
>
>
> > My configuration is
> >
> > Tomcat 3.1
> > Cocoon 1.7.1-dev
> > Solaris 7
> >
> > I have set up two BASIC authentication zones for development purposes in
> > build/tomcat/conf/web.xml as follows:
> >
> >     <security-constraint>
> >       <web-resource-collection>
> >          <web-resource-name>Administrator Area</web-resource-name>
> >          <!-- Define the context-relative URL(s) to be protected -->
> >          <url-pattern>/admin/*</url-pattern>
> >       </web-resource-collection>
> >       <auth-constraint>
> >          <!-- Anyone with one of the listed roles may access this area -->
> >          <role-name>admin</role-name>
> >       </auth-constraint>
> >     </security-constraint>
> >
> >     <security-constraint>
> >       <web-resource-collection>
> >          <web-resource-name>Members Area</web-resource-name>
> >          <!-- Define the context-relative URL(s) to be protected -->
> >          <url-pattern>/users/*</url-pattern>
> >       </web-resource-collection>
> >       <auth-constraint>
> >          <!-- Anyone with one of the listed roles may access this area -->
> >          <role-name>admin</role-name>
> >          <role-name>user</role-name>
> >       </auth-constraint>
> >     </security-constraint>
> >
> > The relevant context from server2.xml is
> >
> >         <Context path="/fyp" docBase="/home/ufs1/12/greenrd/fyp/public"
> >          debug="1"
> >          reloadable="true" />
> >
> > However, when I log in correctly:
> >
> > Bug 1: the servlet mapping which states that *.xml files are to be handled
> > by Cocoon is broken inside these security zones (but not outside). Instead
> > it returns the .xml file directly to Internet Explorer.
> >
> > Bug 2: http://myhost/fyp/users/foobar.xml causes Tomcat to fetch
> > ~/fyp/public/foobar.xml not ~/fyp/public/users/foobar.xml as it should. So I
> > tried http://myhost/fyp/users/users/ and this gave me a directory listing
> > starting with
> >
> > Directory Listing for: /fyp/users/users/
> > Up to: /fyp/users
> >
> >
> > which is _actually_ a directory listing for ~/fyp/public/users (it should
> > have 404ed). Clearly the path for the zone is being stripped from the URI,
> > which makes no sense. ( ~ indicates my home dir, /home/ufs1/12/greenrd ).
> >
> > There are no operating-system symbolic links involved. There is no WEB-INF
> > directory under ~/fyp/public . If I create one and copy web.xml to
> > ~/fyp/public/WEB-INF and restart tomcat, same two bugs occur.
> >
> > I really don't want to reorganise all my links to work around this bug.
> > Suggestions?
> >
> > --
> > Robin
> >
> > 270+ Open Source Java links!
> > http://directory.mozilla.org/Computers/Programming/Languages/Java/Open_Source/

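An added example, not part of the thread and not Tomcat's code: a Python model of Servlet-specification URL-pattern matching applied to the configuration quoted above, showing how access-constraint matching and servlet dispatch are meant to stay separate. It assumes, as one possible explanation that the thread does not confirm, that the constraint patterns were also entered into the dispatch table; under that assumption the model reproduces both reported symptoms. The servlet name `cocoon` and the handler name `file` are illustrative.

```python
# Added illustration: a model of Servlet-spec URL-pattern matching, not Tomcat code.
DOC_BASE = "/home/ufs1/12/greenrd/fyp/public"   # docBase from the post
CONTEXT = "/fyp"                                 # context path from the post
CONSTRAINTS = {"/admin/*": {"admin"}, "/users/*": {"admin", "user"}}
SERVLET_MAPPINGS = {"*.xml": "cocoon"}           # servlet name is an assumption


def match(pattern, path):
    """Return (servlet_path, path_info) if pattern matches path, else None."""
    if pattern.endswith("/*"):                   # path-prefix pattern
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return prefix, path[len(prefix):] or None
    elif pattern.startswith("*."):               # extension pattern
        if path.rsplit("/", 1)[-1].endswith(pattern[1:]):
            return path, None
    elif pattern == path:                        # exact pattern
        return path, None
    return None


def best(patterns, path):
    """Spec precedence: exact, then longest path prefix, then extension."""
    def rank(p):
        kind = 0 if p.startswith("*.") else 1 if p.endswith("/*") else 2
        return kind, len(p)
    hits = [p for p in patterns if match(p, path)]
    return max(hits, key=rank) if hits else None


def dispatch(uri, constraints_as_mappings=False):
    """Return (required_roles, handler, file_served) for a context-relative URI.

    constraints_as_mappings=True models the ASSUMED defect: each constraint
    pattern is also entered in the dispatch table, pointing at a file servlet.
    """
    path = uri[len(CONTEXT):]                    # uri must start with CONTEXT
    zone = best(CONSTRAINTS, path)
    roles = CONSTRAINTS[zone] if zone else None
    table = dict(SERVLET_MAPPINGS)
    if constraints_as_mappings:
        table.update({p: "file" for p in CONSTRAINTS})
    hit = best(table, path)
    if hit is None:
        return roles, "file", DOC_BASE + path
    _, path_info = match(hit, path)
    # A file servlet reached through a prefix mapping resolves path_info only.
    rel = path_info if (table[hit] == "file" and path_info) else path
    return roles, table[hit], DOC_BASE + rel
```

With the default arguments the constraint only decides which roles are required, and `/fyp/users/foobar.xml` still goes to the `*.xml` mapping with its full path; with `constraints_as_mappings=True` the prefix pattern outranks the extension mapping and the file is looked up without the `/users` prefix.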