tomcat-users mailing list archives

From "Chris Bush" <shortstop...@hotmail.com>
Subject <security-constraint> issue
Date Mon, 14 Aug 2000 18:13:02 GMT
Hello, I am running Tomcat 3.1 on a RedHat Linux 6.1 system, as well as on a (gasp) Windows
2000 system.  The problem I am having is not unique to either system.  I was attempting to
set up a security constraint in my web app, and using the Tomcat example as a reference -
i.e. http://localhost:8080/examples/jsp/security/protected

This example's <security-constraint> and <login-config> sections are configured
by default as part of the Tomcat installation, in the web.xml file for the examples context,
as follows...

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/jsp/security/protected/*</url-pattern>
        <!-- If you list http methods, only those methods are protected -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>tomcat</role-name>
        <role-name>role1</role-name>
      </auth-constraint>
    </security-constraint>

    <!-- Default login configuration uses BASIC authentication -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Example Basic Authentication Area</realm-name>
    </login-config>

    <!-- If you want to experiment with form-based logins, comment
         out the <login-config> element above and replace it with
         this one.  Note that we are currently using a nonstandard
         authentication method, because the code to support form
         based login is incomplete and only lightly tested.  -->
    <!--
    <login-config>
      <auth-method>EXPERIMENTAL_FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/jsp/security/login/login.jsp</form-login-page>
        <form-error-page>/jsp/security/login/error.jsp</form-error-page>
      </form-login-config>
    </login-config>
    -->

My problem is this: after authenticating to the BASIC authentication request, instead of
delivering the index.jsp page in /examples/jsp/security/protected, it delivers me to the root
directory of the examples context.  This happens regardless of which platform I run the example
on.  I configured a security-constraint section in the web.xml file for a custom context I
added to my server, as follows...

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/secure/*</url-pattern>
        <!-- If you list http methods, only those methods are protected -->
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>

with the same exact login-config section as the above example, and had the same problem.
Note that the only difference in the <security-constraint> section is the <url-pattern>
specified.  Is there something that should go in the <web-resource-collection> besides
the <url-pattern> to prevent this "re-mapping" back to the application's root directory?

Thanks in advance for any insight provided...
Chris Bush
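As an added illustration (not part of the original post, and not Tomcat's own code), the following Python audit reads a web.xml like the one quoted above and reports, for a given request method and path, which roles the <security-constraint> requires. It makes visible the caveat in the example's own comment ("If you list http methods, only those methods are protected"): with DELETE/GET/POST/PUT listed, HEAD, OPTIONS and TRACE reach /secure/* with no auth-constraint applied. The WEB_XML string is constructed from the post's fragment.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml, modelled on the fragment quoted in the post (not Tomcat's own file).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/secure/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def parse_constraints(xml_text):
    """Return [(url_patterns, http_methods, roles)] for every <security-constraint>."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        patterns, methods = [], set()
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods |= {m.text.strip().upper() for m in wrc.findall("http-method")}
        roles = {r.text.strip() for r in sc.findall("auth-constraint/role-name")}
        out.append((patterns, methods, roles))
    return out

def pattern_matches(pattern, path):
    """Servlet url-pattern rules: exact, path prefix (/x/*), extension (*.ext), default (/)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/" or path == pattern

def required_roles(constraints, method, path):
    """Roles needed for (method, path), or None when no constraint covers the request.
    An empty http-method list covers all methods; a non-empty list covers only those listed."""
    for patterns, methods, roles in constraints:
        if methods and method.upper() not in methods:
            continue
        if any(pattern_matches(p, path) for p in patterns):
            return roles
    return None

def unconstrained_methods(constraints, path):
    """Methods that reach `path` with no auth-constraint applied (what an audit should flag)."""
    return [m for m in ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")
            if required_roles(constraints, m, path) is None]
```

Omitting the <http-method> elements altogether makes the constraint apply to every method, which is the usual fix when the intent is to protect the whole path.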

