tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William Kaufman <>
Subject RE: Security Questions
Date Wed, 30 May 2001 13:58:36 GMT
className="org.apache.tomcat.request.AccessInterceptor"  debug="0" />
>From that class' javadoc:
 *  Access control - find if a request matches any web-resource-collection
 *  and set the "required" attributes.
 *  The spec requires additive checking ( i.e. there is no "best match"
 *  defined, but "all requests that contain a request path that mathces the
 *  URL pattern in the resource collection are subject to the constraing" ).
 *  In "integrated" mode this interceptor will be no-op, we'll use the
 *  web server ( assuming we can map the security to web-server equivalent
 *  concepts - I think we can do that, but need to experiment with that)

            debug="0" />

>From that class' javadoc:
 *  Memory based realm - will authenticate and check the permissions
 *  for a request using a simple, in-memory list of users.
 *  This is for "demo" purpose only, to allow auth in standalone tomcat
 *  for developers.
 *  There are no restrictions or rules on how to authenticate - you have
 *  full control over the process.

        I don't seem to have a simple xml file, should I?
You do: it's named $TOMCAT_HOME/conf/tomcat-users.xml .

                                                            -- Bill K.

-----Original Message-----
From: Gerry Duhig []
Sent: Wednesday, May 30, 2001 4:00 AM
Subject: Security Questions

I have Tomcat setup, actually running with JBoss, and I am looking at
I can setup an application with a login-conf in web.xml, but I cannot see
who or what handles that. Is it Tomcat directly, or some loaded subsystem?
In detail: In my server.xml file I have the following:
className="org.apache.tomcat.request.AccessInterceptor"  debug="0" />
What is this actually saying or doing?
I also have:
        <!-- Check permissions using the simple xml file. You can 
             plug more advanced authentication modules.
            debug="0" />
Same question! What's it for, what's it do? I don't seem to have a simple
xml file, should I?

View raw message