tomcat-users mailing list archives

From John Tangney <>
Subject HTTP BASIC Authentication
Date Wed, 03 May 2000 23:00:46 GMT

The README says:
> 5.2 Container Managed Security
> Tomcat 3.1 has an experimental implementation of container managed security,
> as described in the Servlet API Specification, version 2.2, section 11.
> Please note the following information about this implementation:
> - BASIC authentication appears to work correctly, but has not been
> extensively tested.  Please report any bugs you encounter here
> at <>.  The example application has
> a protected area defined at the following URL:
> http://localhost:8080/examples/jsp/security/protected
> which can be accessed by any user defined in the configuration file
> $TOMCAT_HOME/conf/tomcat-users.xml that has been granted the
> appropriate roles.

When I go to that URL, my client makes me log in, so I use user='tomcat',
p/w='tomcat' as seen in the tomcat-users.xml file. So far so good.

But then I see a directory listing - apparently the contents of the
/examples directory. I was expecting to see
/examples/jsp/security/protected/index.jsp, which has something quite

I see the same directory listing whether my client browser is running on the
same host as the server or different machines. This is an 'out the box'
install of Tomcat on Solaris using jdk1.2.2.

What's going on here? Is there some secret redirection going on? Am I just
misunderstanding what the HTTP BASIC authentication is doing? Or is this a

