tomcat-users mailing list archives

From "Ed" ...@jsq.co.uk>
Subject Security settings seemingly ignored
Date Mon, 10 Jul 2000 17:56:02 GMT
I am attempting to get tomcat to challenge for a username/password pair when
reading ANYTHING from a given directory.

To test this, I added a directory called 'secure' in the 'webapps/test'
directory.

I then modified webapps/test/WEB-INF/web.xml to look like the following:
<web-app>

<!-- servlet stuff is here, but snipped for this email -->

    <security-role>
        <role-name>tomcat</role-name>
    </security-role>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Test Secure Stuff</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <!-- <form-login-config>
                <form-login-page>logmein.html</form-login-page>
                <form-error-page>denied.html</form-error-page>
            </form-login-config> -->
    </login-config>
</web-app>

I want nothing to be available in the secure directory (and below) unless
the user is authorised (using the tomcat user found in
conf/tomcat-users.xml).
However, when I use the url http://192.168.1.2/test/secure/index.html the
flippin' page appears - no questions asked!!  uh?  was-goin-orf?

I have read through the servlet 2.2 spec umpteen times (found an
inconsistency with the examples) and tomcat seems to cheerfully ignore my
settings.

What am I doing wrong?

FYI, the commented out block was a frustrating attempt at getting form-based
authentication - I gave up and am now just trying to get basic
authentication going...

I am running:
RedHat Linux 6.2
Apache 1.3.12
Tomcat release 3.1
Blackdown JDK 1.2.2 RC4

I am now going home to cry.
Ed.
