tomcat-users mailing list archives

From "mike.miller" <mike.mil...@oracle.com>
Subject Re: Structuring webapp for security
Date Tue, 09 Oct 2001 22:40:59 GMT
318pm,  Today.


----- Original Message ----- 
From: "Frank Lawlor" <frank.lawlor@athensgroup.com>
To: "Tomcat (E-mail)" <tomcat-user@jakarta.apache.org>
Sent: Tuesday, October 09, 2001 8:47 AM
Subject: Structuring webapp for security


> I am interested in people's opinion on how to address the
> following question in webapp structure regarding security.
> 
> If I use basic authentication for MyApp I can say in web.xml:
>     <security-constraint>
>       ...
>          <!-- Define the context-relative URL(s) to be protected -->
>          <url-pattern>/*</url-pattern>
>     </security-constraint>
> 
> and this will protect my entire app.  However, if I want form-based
> security and say:
>     <login-config>
>       <auth-method>FORM</auth-method>
>       <realm-name>Example Form-Based Authentication Area</realm-name>
>       <form-login-config>
>         <form-login-page>/security/login/login.jsp</form-login-page>
>         <form-error-page>/security/login/error.jsp</form-error-page>
>       </form-login-config>
>     </login-config>
> 
> Tomcat will just go into a loop trying to access the login.jsp.
> 
> What to do?
> 
> I can re-define the url-patterns to specify all paths except the one
> to /security, but this seems to create a real maintenance problem
> and potential security hole (e.g., someone adds an app directory
> and forgets to add it to the url-pattern list.)
> 
> Am I missing some simple way of handling this?
> 
> Should Tomcat be doing something special to allow access to the 
> URLs specified in <form-login-config> without looping?
> 
> Frank Lawlor
> Athens Group, Inc.
> (512) 345-0600 x151
> Athens Group, an employee-owned consulting firm integrating technology
> strategy and software solutions.
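As an added illustration (not from either poster, and not Tomcat's own documentation), here is a constructed web.xml excerpt that keeps the blanket /* constraint and carves out only the form-login directory with a second, more specific constraint, instead of enumerating every other path. It assumes the container selects the most specific matching url-pattern for a request, that a security-constraint with no auth-constraint grants unauthenticated access, and that the application uses a role called "user" (a name chosen for this example).

```xml
<!-- Constructed web.xml excerpt (added example, not from the thread). -->
<web-app>

  <!-- Everything in the app requires an authenticated user in role "user"
       (the role name is an assumption for this example). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Only the login and error pages. A constraint with no auth-constraint
       allows unauthenticated access, and /security/login/* is a more
       specific match than /*, so it is the one applied to these URLs.
       New application directories stay covered by /* without any edit here.
       Keep nothing but the login assets under /security/login/. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Form login pages</web-resource-name>
      <url-pattern>/security/login/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication Area</realm-name>
    <form-login-config>
      <form-login-page>/security/login/login.jsp</form-login-page>
      <form-error-page>/security/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

Whether a given Tomcat release also exempts the configured login page on its own is not something this thread settles, so the explicit carve-out is the part to verify by requesting the login page without a session.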

