tomcat-users mailing list archives

From "Jon Skeet" <jon.sk...@peramon.com>
Subject Security *and* servlets together... what's wrong?
Date Fri, 29 Sep 2000 13:38:12 GMT
I'm extremely confused and disappointed at the moment. Either I'm doing
something stupid, or Tomcat 3.1 is being very broken.

My problem is quite simple: I have two servlets, infconfig and appconfig.
I wish to restrict access to both of them to administrators. Here's the
relevant section of web.xml:

<servlet>
        <servlet-name>infconfig</servlet-name>
... rest of stuff to do with the servlet - no security bits ...
</servlet>

<servlet>
        <servlet-name>appconfig</servlet-name>
... rest of stuff to do with the servlet - no security bits ...
</servlet>

    <servlet-mapping>
        <servlet-name>infconfig</servlet-name>
        <url-pattern>/infconfig/*</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>appconfig</servlet-name>
        <url-pattern>/appconfig/*</url-pattern>
    </servlet-mapping>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Configuration</web-resource-name>
        <url-pattern>/infconfig/*</url-pattern>
        <url-pattern>/appconfig/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>administrator</role-name>
      </auth-constraint>
    </security-constraint>

With web.xml that way round, I get the security effects - but when I've
cleared security, it acts as though I didn't have a servlet at all.
/appconfig/ is mapped straight to /index.html, and the same with infconfig.

Now if I move the security constraint bit *above* the servlet mappings,
I get the reverse effect - the servlet is invoked, but there's no security.

Am I going about this in entirely the wrong way?

Jon
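
An added example, not part of the original message and not Tomcat code: a small Python audit that parses a deployment descriptor and reports servlet mappings whose URL pattern is not covered by any security constraint carrying an auth-constraint, plus mappings that name a servlet that was never declared. The sample descriptor (including the `status` mapping) is constructed for illustration, and http-method restrictions inside a constraint are not examined.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the descriptor quoted above; "status" is hypothetical.
SAMPLE = """<web-app>
  <servlet><servlet-name>infconfig</servlet-name></servlet>
  <servlet><servlet-name>appconfig</servlet-name></servlet>
  <servlet-mapping><servlet-name>infconfig</servlet-name><url-pattern>/infconfig/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>appconfig</servlet-name><url-pattern>/appconfig/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>status</servlet-name><url-pattern>/status</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>Configuration</web-resource-name>
      <url-pattern>/infconfig/*</url-pattern><url-pattern>/appconfig/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _named(elem, name):
    # Match on the local tag name so namespaced descriptors also work.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _text(elem):
    return (elem.text or "").strip()

def covers(constraint_pattern, mapping_pattern):
    """True if a constraint url-pattern covers a mapping url-pattern.
    Conservative: extension patterns (*.ext) only count on an exact match."""
    if constraint_pattern in (mapping_pattern, "/*"):
        return True
    if constraint_pattern.endswith("/*"):
        prefix = constraint_pattern[:-2]
        return mapping_pattern == prefix or mapping_pattern.startswith(prefix + "/")
    return False

def audit(web_xml):
    """Return (finding, servlet-name, url-pattern) tuples in document order."""
    root = ET.fromstring(web_xml)
    declared = {_text(n) for s in _named(root, "servlet") for n in _named(s, "servlet-name")}
    protected = [_text(p) for c in _named(root, "security-constraint")
                 if _named(c, "auth-constraint") for p in _named(c, "url-pattern")]
    findings = []
    for m in _named(root, "servlet-mapping"):
        name = _text(_named(m, "servlet-name")[0])
        pattern = _text(_named(m, "url-pattern")[0])
        if name not in declared:
            findings.append(("undeclared-servlet", name, pattern))
        if not any(covers(p, pattern) for p in protected):
            findings.append(("no-auth-constraint", name, pattern))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The audit is independent of element order, so its result describes what the descriptor asks for regardless of how a given container version reads it.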
