tomcat-users mailing list archives

From Andrew Robson <>
Subject Re: Need workaround for Tomcat security.
Date Mon, 16 Jul 2001 14:29:55 GMT
No workaround I'm afraid. I can confirm that the problem
affects form-based JDBCRealm as well. Tried putting
*/admin/* into url pattern and broke security completely.
I wonder whether a JkMount directive with appropriately
placed wildcards might work but haven't had time to try.
I'd be very interested if you find a solution.
Presumably no-one on the list has one?


On Sun, 15 Jul 2001, you wrote:
> Ok, I needed to put some security constraints on a directory, so I added this
> to my web.xml:
>  <security-constraint>
>       <display-name>UQoS Amin Area</display-name>
>       <web-resource-collection>
>          <web-resource-name>UQoS Amin Area</web-resource-name>
>            <url-pattern>/admin/*</url-pattern>
>       </web-resource-collection>
> I use BASIC authentication using the memory realm.
> Works like it's supposed to when someone goes to my http://xxx/webapp/Admin/ or
> something below, HOWEVER, if they type http://xxx/webapp//Admin/ (or even
> more slashes), all security checks are bypassed, anyone is let right in!
> (The same thing always happens; try it with the 'security' example shipped with
> Tomcat.)
> Severe bug! I have posted it to BugZilla. This applies to at least Tomcat
> 3.2.1 and 3.2.2.
> And I need it fixed as soon as possible. Does anyone know a workaround to
> this one? (I'd rather not upgrade to Tomcat 4 yet; it seems like it's fixed there.)
> -- 
> Nils O. Selåsdal

Andrew Robson         
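The bypass described in the thread comes down to matching a `<url-pattern>` such as `/admin/*` against the raw request path: `//Admin/` does not start with `/admin/`, so the constraint never fires even though the container serves the same resource. The following is an added illustration (not code from the thread or from Tomcat; the helper names are hypothetical and the matching is a simplified model of servlet url-pattern rules) showing the naive check failing on a doubled slash and the check passing once the path is normalised before constraint matching, which is the property a fixed container has to guarantee.

```python
# Added example: constraint matching on the raw path vs. on a normalised path.
# Hypothetical helpers; they model servlet url-pattern matching, not Tomcat's code.
import posixpath
import re


def matches_pattern(path: str, url_pattern: str) -> bool:
    """Servlet-style url-pattern match: path prefix ('/x/*'), extension ('*.ext') or exact."""
    if url_pattern.endswith("/*"):
        prefix = url_pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if url_pattern.startswith("*."):
        return path.endswith(url_pattern[1:])
    return path == url_pattern


def normalize_path(path: str) -> str:
    """Collapse repeated slashes and resolve '.'/'..' segments, keeping the path absolute."""
    collapsed = re.sub(r"/{2,}", "/", path)      # '//admin/' -> '/admin/'
    normalized = posixpath.normpath(collapsed)   # '/x/../admin' -> '/admin'
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    # normpath drops a trailing slash; keep it so a directory request stays a directory request
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def is_protected(raw_path: str, constraints, normalize: bool = True) -> bool:
    """True when some constraint covers the request; 'normalize=False' models the buggy behaviour."""
    path = normalize_path(raw_path) if normalize else raw_path
    return any(matches_pattern(path, pattern) for pattern in constraints)


# Constructed constraint set mirroring the web.xml fragment in the thread.
CONSTRAINTS = ["/admin/*"]

if __name__ == "__main__":
    for request in ["/admin/", "//admin/", "/x/../admin/", "/public/index.html"]:
        print(f"{request:20} raw-match={is_protected(request, CONSTRAINTS, normalize=False)!s:5} "
              f"normalised-match={is_protected(request, CONSTRAINTS)}")
```

Any canonicalisation the container applies when resolving the resource (collapsing slashes, resolving `..`) must be applied before the security-constraint lookup, or the two will disagree exactly as the thread reports.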
