tomcat-users mailing list archives

From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: Anyone got security-context working in Tomcat?
Date Fri, 29 Dec 2000 22:24:13 GMT
The examples application that comes with Tomcat has a working security constraint --
start up Tomcat and try to access

    http://localhost:8080/examples/jsp/security/protected

Just out of curiosity, is "/videosearch" the context path of your web app?  If so,
you need to change your URL pattern to

    <url-pattern>/servlet/AdminServlet</url-pattern>

because all paths within a web.xml file are supposed to be context relative.

Also, you should review the DTD for a web.xml file in the servlet spec, because it is
very picky about the order of elements.  In particular, the required order is
<security-constraint>, then <login-config>, then <security-role>.  Also, <auth-method>
goes before <realm-name> in the <login-config> element.

Tomcat 3.x doesn't care about any of this (until you try to use a JSP page with custom
tags, but that's a long story :-), but Tomcat 4.0 and many other servlet containers
use a validating parser, and will reject the web.xml file you've got below.

Craig


Neil Aggarwal wrote:

> Craig:
>
> Is there a working example of this?
>
> Here is what I did:
> 1. I added my user to the conf/tomcat-users.xml:
> <tomcat-users>
>   <user name="tomcat" password="tomcat" roles="tomcat" />
>   <user name="role1"  password="tomcat" roles="role1"  />
>   <user name="both"   password="tomcat" roles="tomcat,role1" />
>   <user name="admin"  password="test" roles="admin" />
> </tomcat-users>
>
> 2. In my application's web.xml file, I added the following
> lines within the <web-app> tag:
>     <login-config>
>         <realm-name>Videosearch Admin</realm-name>
>         <auth-method>BASIC</auth-method>
>     </login-config>
>     <security-role>
>         <role-name>admin</role-name>
>     </security-role>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>AdminServlet</web-resource-name>
>             <url-pattern>/videosearch/servlet/AdminServlet</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>admin</role-name>
>         </auth-constraint>
>     </security-constraint>
>
> 3. I then restarted Tomcat.
>
> I still don't get a login box when I visit the URL.
>
> The logs don't have any information.
>
> Am I missing something else?
>
> Thanks,
>         Neil.
>
> > Do you also have a <login-config> element in your web.xml file?  If you do not,
> > Tomcat has no way to know how to authenticate users, so it does not even try.
> > You could probably make a case that Tomcat should reject access by default in
> > this scenario, but this is how it currently works.
> >
> > Regarding setting up usernames and passwords -- the default configuration uses a
> > text file "conf/tomcat-users.xml" to define the valid users and their roles.
> > See comments in "conf/server.xml" for how to change to a different
> > implementation.
>
> --
> Neil Aggarwal
> JAMM Consulting, Inc. -- (972) 612-6056, http://www.JAMMConsulting.com
> Custom Internet Development -- Java, JSP, servlets, databases
>
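
The three corrections in the reply above (a context-relative URL pattern, the element order under <web-app>, and <auth-method> before <realm-name>) can be checked mechanically before deployment. The Python sketch below is an added example, not part of the original thread or of Tomcat; the function names are hypothetical, and the sample input is a trimmed, constructed copy of the quoted fragment.

```python
import xml.etree.ElementTree as ET

# Relative element order the reply above says the web.xml DTD requires.
WEBAPP_ORDER = ["security-constraint", "login-config", "security-role"]
LOGIN_ORDER = ["auth-method", "realm-name"]

def order_problems(parent, required):
    """List children of parent that appear after an element they must precede."""
    problems, highest = [], -1
    for child in parent:
        if child.tag in required:
            rank = required.index(child.tag)
            if rank < highest:
                problems.append(f"<{child.tag}> must come before <{required[highest]}>")
            highest = max(highest, rank)
    return problems

def lint_web_xml(xml_text, context_path):
    """Return the problems found in a DTD-style (no namespace) web.xml."""
    root = ET.fromstring(xml_text)
    problems = order_problems(root, WEBAPP_ORDER)
    for login in root.iter("login-config"):
        problems += order_problems(login, LOGIN_ORDER)
    for pattern in root.iter("url-pattern"):
        value = (pattern.text or "").strip()
        if context_path and (value == context_path or value.startswith(context_path + "/")):
            relative = value[len(context_path):] or "/"
            problems.append(f"url-pattern {value} is not context relative; use {relative}")
    return problems

# Constructed input: the fragment from the quoted message inside <web-app>.
AS_POSTED = """<web-app>
  <login-config>
    <realm-name>Videosearch Admin</realm-name>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role><role-name>admin</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminServlet</web-resource-name>
      <url-pattern>/videosearch/servlet/AdminServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    for problem in lint_web_xml(AS_POSTED, "/videosearch"):
        print(problem)
```

Run against the file as posted, it reports all three issues; a container that silently ignores the misplaced constraint leaves the servlet unprotected, which is why a clean result here is worth confirming with a request that should trigger the login prompt.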

