tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steve Millington" <ruelg...@yahoo.com>
Subject Re: <security-constraint> issue
Date Tue, 15 Aug 2000 08:30:36 GMT
I found this problem (or one like it) when I tried using security. I solved
it by moving to the Beta version of Tomcat. It looks like there was a
problem, but in the beta it is OK.

Steve

----- Original Message -----
From: Chris Bush
To: tomcat-user@jakarta.apache.org
Sent: Monday, August 14, 2000 7:13 PM
Subject: <security-constraint> issue


Hello, I am running Tomcat 3.1 on a RedHat Linux 6.1 system, as well as on a
(gasp) Windows 2000 system.  The problem I am having is not unique to either
system.  I was attempting to set up a security constraint in my web app, and
using the Tomcat example as a reference - i.e.
http://localhost:8080/examples/jsp/security/protected

This example's <security-constraint> and <login-config> sections are
configured by default as part of the Tomcat installation, in the web.xml
file for the examples context, as follows...

    <security-constraint>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
  <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/jsp/security/protected/*</url-pattern>
  <!-- If you list http methods, only those methods are protected -->
  <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
  <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>tomcat</role-name>
  <role-name>role1</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses BASIC authentication -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Example Basic Authentication Area</realm-name>
    </login-config>

    <!-- If you want to experiment with form-based logins, comment
         out the <login-config> element above and replace it with
         this one.  Note that we are currently using a nonstandard
         authentication method, because the code to support form
         based login is incomplete and only lightly tested.  -->
    <!--
    <login-config>
      <auth-method>EXPERIMENTAL_FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/jsp/security/login/login.jsp</form-login-page>
        <form-error-page>/jsp/security/login/error.jsp</form-error-page>
      </form-login-config>
    </login-config>
    -->

My problem is this - After authenticating to the BASIC authentication
request, instead of delivering the index.jsp page in
/examples/jsp/security/protected, it delivers me to the root directory of
the examples context.  This happens regardless of which platform I run the
example on.  I configured a security-constraint section in the web.xml file
for a custom context I added to my server, as follows...

    <security-constraint>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
  <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/secure/*</url-pattern>
  <!-- If you list http methods, only those methods are protected -->
  <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
  <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>

with the same exact login-config section as the above example, and had the
same problem.  Note that the only difference in the <security-constraint>
section is the <url-pattern> specified.  Is there something that should go
in the <web-resource-collection> besides the <url-pattern> to prevent this
"re-mapping" back to the application's root directory?

Thanks in advance for any insight provided...
Chris Bush



__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com

Mime
View raw message