tomcat-users mailing list archives

From William Kaufman <WKauf...@viquity.com>
Subject RE: Security Questions
Date Wed, 30 May 2001 13:58:36 GMT
        <RequestInterceptor
            className="org.apache.tomcat.request.AccessInterceptor"
            debug="0" />
 
From that class' javadoc:
 
 *  Access control - find if a request matches any web-resource-collection
 *  and set the "required" attributes.
 *
 *  The spec requires additive checking ( i.e. there is no "best match"
 *  defined, but "all requests that contain a request path that matches the
 *  URL pattern in the resource collection are subject to the constraint" ).
 *
 *  In "integrated" mode this interceptor will be no-op, we'll use the
 *  web server ( assuming we can map the security to web-server equivalent
 *  concepts - I think we can do that, but need to experiment with that)

        <RequestInterceptor 
            className="org.apache.tomcat.request.SimpleRealm" 
            debug="0" />

 
From that class' javadoc:
 
 *  Memory based realm - will authenticate and check the permissions
 *  for a request using a simple, in-memory list of users.
 *  This is for "demo" purpose only, to allow auth in standalone tomcat
 *  for developers.
 *
 *  There are no restrictions or rules on how to authenticate - you have
 *  full control over the process.

        I don't seem to have a simple xml file, should I?
 
You do: it's named $TOMCAT_HOME/conf/tomcat-users.xml .



                                                            -- Bill K.


-----Original Message-----
From: Gerry Duhig [mailto:gerryd@nectar.demon.co.uk]
Sent: Wednesday, May 30, 2001 4:00 AM
To: tomcat-user@jakarta.apache.org
Subject: Security Questions


Hi!
 
I have Tomcat set up, actually running with JBoss, and I am looking at
security.
 
I can set up an application with a login-conf in web.xml, but I cannot see
who or what handles that. Is it Tomcat directly, or some loaded subsystem?
 
In detail: In my server.xml file I have the following:
 
        <RequestInterceptor
            className="org.apache.tomcat.request.AccessInterceptor"
            debug="0" />
 
What is this actually saying or doing?
 
I also have:
 
        <!-- Check permissions using the simple xml file. You can 
             plug more advanced authentication modules.
          -->
        <RequestInterceptor 
            className="org.apache.tomcat.request.SimpleRealm" 
            debug="0" />
  
Same question! What's it for, what's it do? I don't seem to have a simple
xml file, should I?
 
Gerry
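
The "additive" matching described in the AccessInterceptor javadoc quoted above, as an added example that is not part of the original messages and is not Tomcat's code. The names `Constraint`, `matches` and `allowed` are hypothetical, the constraints and roles are constructed, and the rule that a user must satisfy every matching constraint is this example's assumption about how the matches combine.

```java
import java.util.*;

// Added illustration, not Tomcat source. Models the rule quoted from the
// javadoc: every resource collection whose URL pattern matches applies.
public class AdditiveConstraintDemo {
    // Hypothetical holder for one <security-constraint> from web.xml.
    static final class Constraint {
        final String urlPattern;
        final Set<String> roles;
        Constraint(String urlPattern, String... roles) {
            this.urlPattern = urlPattern;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
    }

    // Pattern forms: "/dir/*" prefix, "*.ext" extension, "/" default, else exact.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        if (pattern.startsWith("*.")) {
            return path.endsWith(pattern.substring(1));
        }
        return pattern.equals("/") || pattern.equals(path);
    }

    // Assumption of this example: the user needs at least one role from
    // EVERY matching constraint; there is no "best match" that wins alone.
    static boolean allowed(List<Constraint> constraints, String path, Set<String> userRoles) {
        for (Constraint c : constraints) {
            if (matches(c.urlPattern, path) && Collections.disjoint(c.roles, userRoles)) {
                return false; // one unmet matching constraint is enough to deny
            }
        }
        return true; // no matching constraint was left unmet
    }

    public static void main(String[] args) {
        // Constructed sample constraints and a user holding only "tomcat".
        List<Constraint> cs = Arrays.asList(
            new Constraint("/admin/*", "admin"),
            new Constraint("*.jsp", "tomcat"));
        Set<String> user = new HashSet<>(Arrays.asList("tomcat"));
        System.out.println(allowed(cs, "/index.jsp", user));       // only *.jsp matches
        System.out.println(allowed(cs, "/admin/users.jsp", user)); // both patterns match
        System.out.println(allowed(cs, "/public/logo.gif", user)); // no pattern matches
    }
}
```

The second request shows the practical consequence: a path covered by two patterns is checked against both constraints rather than only the more specific one.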
 

