I think the problem is with release 3.1 - try moving up to 3.2.
 

Yo
 
 

Chris Bush wrote:

Hello, I am running Tomcat 3.1 on a RedHat Linux 6.1 system, as well as on a (gasp) Windows 2000 system.  The problem I am having is not unique to either system.  I was attempting to set up a security constraint in my web app, and using the Tomcat example as a reference - i.e. http://localhost:8080/examples/jsp/security/protected This example's <security-constraint> and <login-config> sections are configured by default as part of the Tomcat installation, in the web.xml file for the examples context, as follows...     <security-constraint>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
  <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/jsp/security/protected/*</url-pattern>
  <!-- If you list http methods, only those methods are protected -->
  <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
  <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>tomcat</role-name>
  <role-name>role1</role-name>
      </auth-constraint>
    </security-constraint>     <!-- Default login configuration uses BASIC authentication -->
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Example Basic Authentication Area</realm-name>
    </login-config>     <!-- If you want to experiment with form-based logins, comment
         out the <login-config> element above and replace it with
         this one.  Note that we are currently using a nonstandard
         authentication method, because the code to support form
         based login is incomplete and only lightly tested.  -->
    <!--
    <login-config>
      <auth-method>EXPERIMENTAL_FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/jsp/security/login/login.jsp</form-login-page>
        <form-error-page>/jsp/security/login/error.jsp</form-error-page>
      </form-login-config>
    </login-config>
    -->My problem is this - After authenticating to the BASIC authentication request, instead of delivering the index.jsp page in /examples/jsp/security/protected, it delivers me to the root directory of the examples context.  This happens regardless of which platform I run the example on.  I configured a security-constraint section in the web.xml file for a custom context I added to my server, as follows...     <security-constraint>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
  <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/secure/*</url-pattern>
  <!-- If you list http methods, only those methods are protected -->
  <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
  <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint> with the same exact login-config section as the above example, and had the same problem.  Note that the only difference in the <security-constraint> section is the <url-pattern> specified.  Is there something that should go in the <web-resource-collection> besides the <url-pattern> to prevent this "re-mapping" back to the application's root directory? Thanks in advance for any insight provided...Chris Bush 

--
Johan Peeters mailto:johan.peeters@alcatel.be
Software Architect - Net Commerce
Alcatel - Gen. De Wittelaan 11 A bus 1 - 2800 Mechelen - Belgium
Phone: +32 15 29 3427 Fax: +32 3 240 4800