tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Anyone got security-context working in Tomcat?
Date Fri, 29 Dec 2000 20:35:08 GMT
Neil Aggarwal wrote:

> David:
> I am trying to protect a servlet within my web application.
> I want the rest of it to be accessible except for that
> servlet.
> Based on my reading of the servlet 2.3 specification, I
> added the following lines to my application's web.xml file:
>     <security-role>
>         <role-name>admin</role-name>
>     </security-role>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>AdminServlet</web-resource-name>
>             <url-pattern>/videosearch/servlet/AdminServlet</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>admin</role-name>
>         </auth-constraint>
>     </security-constraint>
> But, when I visit /videosearch/servlet/AdminServlet, I get
> the result from the servlet without it asking for a login.
> Also, I don't understand how I can set up the password.
> Any guidance would really help.

Do you also have a <login-config> element in your web.xml file?  If you do not,
Tomcat has no way to know how to authenticate users, so it does not even try.
You could probably make a case that Tomcat should reject access by default in
this scenario, but this is how it currently works.

Regarding setting up usernames and passwords -- the default configuration uses a
text file "conf/tomcat-users.xml" to define the valid users and their roles.
See comments in "conf/server.xml" for how to change to a different

> Thanks,
>         Neil.

Craig McClanahan
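
The failure mode described in the reply, as an added example that is not part of the original message or of Tomcat: a small Python check that flags a web.xml whose <auth-constraint> has no <login-config> to back it. The function name audit_web_xml, the finding labels and the BASIC/realm values are assumptions; the sample descriptor is constructed from the fragment quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the question inside a <web-app> root.
TEMPLATE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminServlet</web-resource-name>
      <url-pattern>/videosearch/servlet/AdminServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <!--LOGIN-->
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""
WEB_XML_NO_LOGIN = TEMPLATE.replace("<!--LOGIN-->", "")
# BASIC and the realm name are assumed values, not taken from the thread.
WEB_XML_WITH_LOGIN = TEMPLATE.replace(
    "<!--LOGIN-->",
    "<login-config><auth-method>BASIC</auth-method>"
    "<realm-name>Admin area</realm-name></login-config>")


def _all(parent, name):
    """Descendants with this local tag name, ignoring any XML namespace."""
    return [e for e in parent.iter() if e.tag.rsplit("}", 1)[-1] == name]


def _texts(parent, name):
    return [(e.text or "").strip() for e in _all(parent, name)]


def audit_web_xml(text):
    """Return (finding, details) tuples for constraints that cannot be enforced."""
    root = ET.fromstring(text)
    declared = {r for sr in _all(root, "security-role") for r in _texts(sr, "role-name")}
    has_login = any(m for lc in _all(root, "login-config") for m in _texts(lc, "auth-method"))
    findings = []
    for sc in _all(root, "security-constraint"):
        auth = _all(sc, "auth-constraint")
        if not auth:
            continue  # no auth-constraint, so this constraint requires no login
        if not has_login:
            findings.append(("no-login-config", _texts(sc, "url-pattern")))
        for role in _texts(auth[0], "role-name"):
            if role != "*" and role not in declared:
                findings.append(("undeclared-role", [role]))
    return findings


if __name__ == "__main__":
    for label, doc in (("without", WEB_XML_NO_LOGIN), ("with", WEB_XML_WITH_LOGIN)):
        print(label, "login-config:", audit_web_xml(doc))
```
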
