tomcat-users mailing list archives

From ed banfa <e_ba...@yahoo.com>
Subject Re: Help Urgently needed, Security problem
Date Fri, 27 Sep 2002 13:48:23 GMT

Hey Rick,
Man ur da BOMB, yes it works!!!!! Thanks a lot.
Now it's back to da labs to see my baby (tomcat), be right back with more questions
thanks bro
Edward
Rick Fincher wrote:

Hi Ed,

You have a couple of problems. First, you left out the user data constraint
transport guarantee tag that forces Tomcat to use HTTPS. A security
constraint has to have 3 things: 1- the web resource collection describing
what to protect, 2- the authorization constraint describing who gets access,
and 3- the user data constraint telling how to protect it at the transport
level. Since you mentioned that you set up port 8443 I presume you want to
use secure HTTP, so the transport guarantee has to be set to CONFIDENTIAL.
Use NONE for no encryption or INTEGRAL to prevent changes in data but not
necessarily to prevent observation of the data during transport.

One note: Port 8443 isn't the default HTTPS port. It is the default in
Tomcat so that you can do development without interfering with the
production port. If you don't change this to 443 you'll have to put the
port number (8443) in your web address to access this webapp.

One other thing that might cause a problem in your web.xml file: you had
your login config out of order. It comes before security role. Some
parsers are picky about that.

The order from the servlet 2.3 specification is:


distributable?, context-param*, filter*, filter-mapping*,
listener*, servlet*, servlet-mapping*, session-config?, mime-mapping*,
welcome-file-list?, error-page*, taglib*, resource-env-ref*,
resource-ref*, security-constraint*, login-config?,
security-role*, env-entry*, ejb-ref*, ejb-local-ref*)>

A corrected web.xml file is below. Hope this helps.

Rick

> Secure Area
> /secure/*
> manager
> tomcat
CONFIDENTIAL
BASIC
User Basic Authentication
> manager

----- Original Message -----
From: "ed banfa" 
To: 
Sent: Thursday, September 26, 2002 3:23 PM
Subject: Help Urgently needed, Security problem


> Hi ,
>
> How is everyone doing, hope ok.
>
> I have this problem with trying to use Basic authentication with my web
> app. I have Tomcat 4.1.10 up and running on win 2000 machine using j2sdk1.4.
>
> Tomcat is listening on port 8443 for SSL connections. I would like the
> browser to display a login box to the user when the user attempts to access
> a protected resource. When I try to check/test the app, it allows me into
> the restricted area without having to log in. I expect to be prompted to
> enter a user name and a password but hey nothing like that happens. What am
> I doing wrong????
>
> Please if u can help me out I will appreciate it
>
> Below is what my web.xml looks like. The manager role is the same role
> name I specified in tomcat-users.xml
>
> Secure Area
> /secure/*
> manager
> tomcat
> manager
> BASIC
> User Basic Authentication
>
> Thanks in advance
>
> Edward
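As an added example (not part of the original messages and not Tomcat project code): a small Python check for the two problems Rick describes, a security-constraint without a CONFIDENTIAL transport guarantee and top-level elements out of the servlet 2.3 DTD order. The two web.xml strings are constructed samples built from the values in this thread, and `lint` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Top-level element order from the servlet 2.3 web-app DTD.
ORDER = ("icon display-name description distributable context-param filter "
         "filter-mapping listener servlet servlet-mapping session-config "
         "mime-mapping welcome-file-list error-page taglib resource-env-ref "
         "resource-ref security-constraint login-config security-role "
         "env-entry ejb-ref ejb-local-ref").split()

CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure Area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>manager</role-name></auth-constraint>%s
</security-constraint>"""
TLS = ("<user-data-constraint><transport-guarantee>CONFIDENTIAL"
       "</transport-guarantee></user-data-constraint>")
LOGIN = ("<login-config><auth-method>BASIC</auth-method>"
         "<realm-name>User Basic Authentication</realm-name></login-config>")
ROLE = "<security-role><role-name>manager</role-name></security-role>"

# Constructed samples: BEFORE lacks the transport guarantee and has
# login-config after security-role; AFTER has both corrected.
BEFORE = "<web-app>" + CONSTRAINT % "" + ROLE + LOGIN + "</web-app>"
AFTER = "<web-app>" + CONSTRAINT % TLS + LOGIN + ROLE + "</web-app>"

def lint(web_xml):
    """Return a list of findings for a servlet 2.3 web.xml string."""
    root, findings, last = ET.fromstring(web_xml), [], -1
    for child in root:
        # Elements not in the DTD list are skipped by the order check.
        pos = ORDER.index(child.tag) if child.tag in ORDER else last
        if pos < last:
            findings.append("out of order: " + child.tag)
        last = max(last, pos)
    for sc in root.findall("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name", "?")
        if sc.find("web-resource-collection/url-pattern") is None:
            findings.append(name + ": no url-pattern")
        if sc.find("auth-constraint") is None:
            findings.append(name + ": no auth-constraint")
        tg = sc.findtext("user-data-constraint/transport-guarantee", "").strip()
        if tg != "CONFIDENTIAL":
            findings.append(name + ": transport-guarantee is " + (tg or "missing"))
    return findings

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, lint(doc) or "ok")
```
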