tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Security settings seemingly ignored
Date Mon, 10 Jul 2000 18:27:14 GMT
One thing you will need to make this work is a <realm-name> element in
your <login-config>.  The text of this element is used in the dialog box
that the browser pops up, so that the user knows what they are logging
into.  Example:

        <realm-name>My Secure Test Area</realm-name>

Of course, you should also be trying this with the latest beta of Tomcat
3.2 -- there were bugs in basic authorization support in Tomcat 3.1.

Craig McClanahan

Ed wrote:

> I am attempting to get tomcat to challenge for a username/password
> pair when reading ANYTHING from a given directory. To test this, I
> added a directory called 'secure' in the 'webapps/test' directory.
>
> I then modified webapps/test/WEB-INF/web.xml to look like the
> following:
>
> <web-app>
> <!-- servlet stuff is here, but snipped for this email -->
> <security-role><role-name>tomcat</role-name></security-role>
> Secure Stuff</web-resource-name>
> <url-pattern>/secure/*</url-pattern>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> </web-resource-collection>
> <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
> <auth-constraint><role-name>tomcat</role-name></auth-constraint>
> </security-constraint>
> <form-login-config><form-login-page>logmein.html</form-login-page><form-error-page>denied.html</form-error-page></form-login-config>
> -->
> </login-config>
> </web-app>
>
> I want nothing to be available in the secure directory (and below)
> unless the user is authorised (using the tomcat user found in
> conf/tomcat-users.xml).
>
> However, when I use the url the flippin' page appears - no questions
> asked!!  uh?  was-goin-orf?
>
> I have read through the servlet 2.2 spec umpteen times (found an
> inconsistency with the examples) and tomcat seems to cheerfully
> ignore my settings.
>
> What am I doing wrong?
>
> FYI, the commented out block was a frustrating attempt at getting
> form-based authentication - I gave up and am now just trying to get
> basic authentication going...
>
> I am running:
> RedHat Linux 6.2
> Apache 1.3.12
> Tomcat release 3.1
> Blackdown JDK 1.2.2 RC4
>
> I am now going home to cry.
>
> Ed.

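A check for the points raised in this thread, as an added example (not code from either message or from the Tomcat project): a small Python linter, with the hypothetical name `lint_web_xml`, that reads the security section of a `web.xml` and reports a missing `<login-config>`/`<auth-method>`, a missing `<realm-name>`, roles without a `<security-role>` entry, and constraints that apply only to listed `<http-method>` values. It assumes un-namespaced Servlet 2.2-style element names, and the sample descriptor is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: shaped like the descriptor in the question, BASIC login without <realm-name>.
SAMPLE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Stuff</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>tomcat</role-name></security-role>
</web-app>"""

def texts(node, path):
    """Stripped text of every element matching path under node."""
    return [(e.text or "").strip() for e in node.findall(path)]

def lint_web_xml(xml_text):
    """Return a list of findings for the security section of a web.xml."""
    root = ET.fromstring(xml_text)
    constraints = root.findall("security-constraint")
    if not constraints:
        return ["no <security-constraint>: nothing is protected"]
    findings = []
    declared = set(texts(root, "security-role/role-name"))
    for sc in constraints:
        name = (texts(sc, "web-resource-collection/web-resource-name") or ["?"])[0]
        if not texts(sc, "web-resource-collection/url-pattern"):
            findings.append(f"{name}: no <url-pattern>")
        if sc.find("auth-constraint") is None:
            findings.append(f"{name}: no <auth-constraint>, so no login is required")
        roles = set(texts(sc, "auth-constraint/role-name")) - declared - {"*"}
        for role in sorted(roles):  # "*" is shorthand for all roles, not a role name
            findings.append(f"{name}: role '{role}' has no <security-role> entry")
        methods = texts(sc, "web-resource-collection/http-method")
        if methods:  # a constraint that lists methods applies to those methods only
            findings.append(f"{name}: constraint covers only {'/'.join(methods)}")
    login = root.find("login-config")
    if login is None or not texts(login, "auth-method"):
        findings.append("no <login-config>/<auth-method>: no authentication method configured")
    elif not texts(login, "realm-name"):  # the element the reply above asks for
        findings.append("<login-config> has no <realm-name>")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_web_xml(SAMPLE)))
```

Run against the constructed sample, it reports the missing `<realm-name>` and the GET/POST-only constraint; adding the realm name and dropping the `<http-method>` elements clears both findings.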