tomcat-users mailing list archives

From "Rosaria Silipo" <rosariasil...@yahoo.com>
Subject RE: problems with web.xml and security
Date Wed, 18 Jun 2003 06:52:54 GMT


Jwsdp.log.<date>.txt does not report any error.
I do not have catalina.out.
Maybe I am using the wrong version of Tomcat?

I think my problem is that /secure has its own web.xml that overrides
the web.xml in /. How can I avoid that?

-- Rosaria

-----Original Message-----
From: news [mailto:news@main.gmane.org] On Behalf Of Bill Barker
Sent: Tuesday, June 17, 2003 11:46 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: problems with web.xml and security

<servlet-mapping> and <mime-mapping> are optional elements.  If you don't
need them, then they don't have to be there.

If you remove the <session-config>, then the rest of what is posted of your
web.xml is valid (even if the /secure/* is implied by the /*, but that
shouldn't matter).  I'm still going to guess that there are errors in your
log files (esp. catalina.out) that will tell you more about the problem.

If I'm wrong, then it sounds like it should be easy enough for you to strip
down your app to something generic (e.g. I don't need to know anything about
your proprietary Beans), and wrap it up in a war file ("jar cf bug.war
bugapp"), and attach it to a bug report at
http://nagoya.apache.org/bugzilla.

"Rosaria Silipo" <rosariasilipo@yahoo.com> wrote in message
news:004801c33556$d1534220$930017ac@SuperTopina...
>
> I am a bit confused.
> I do not have any <servlet-mapping> or <mime-mapping> (do I need them?)
> and I followed the order as it is in the tutorial.
> Even removing <session-config>, /secure/* is not authenticated and /*
> is.
>
> -- Rosaria
>
>
> -----Original Message-----
> From: news [mailto:news@main.gmane.org] On Behalf Of Bill Barker
> Sent: Tuesday, June 17, 2003 8:16 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: problems with web.xml and security
>
> If you check your log files, you should see that it doesn't like your
> web.xml file because <session-config> comes after <servlet-mapping> and
> before <mime-mapping> (which both come before <security-constraint>).
> Tomcat 4.x is picky about enforcing the order of elements in your web.xml
> file (TC 3.3 is as well, at least by default).  The result is that Tomcat
> stopped reading your file as soon as it got to the <session-config> line.
>
> "Rosaria Silipo" <rosariasilipo@yahoo.com> wrote in message
> news:001301c334f0$0400c2e0$930017ac@SuperTopina...
> >
> > Hi,
> >
> > I am trying to set up Tomcat as a secure web engine.
> > From the tutorial I understood that you should insert the following
> > lines in web.xml and the password protection should work.
> >
> > This works perfectly for files in the root directory (/*), it does not
> > work for files in subdirectories, like /secure/*.
> >
> > Have you ever seen this problem before?
> >
> > Thanks for any help
> >
> > -- Rosaria
> >
> > <!DOCTYPE web-app
> >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> >
> > <web-app>
> > ...
> >
> > <!-- SECURITY CONSTRAINT -->
> > <security-constraint>
> >   <web-resource-collection>
> >      <web-resource-name>Secure Pages</web-resource-name>
> >      <description>Security constraint on all files</description>
> >      <url-pattern>/*</url-pattern>
> >      <url-pattern>/secure/*</url-pattern>
> >      <http-method>POST</http-method>
> >      <http-method>GET</http-method>
> >   </web-resource-collection>
> >
> >   <auth-constraint>
> >     <description>admin can login</description>
> >      <role-name>admin</role-name>
> >   </auth-constraint>
> >
> >    <user-data-constraint>
> >      <description>SSL not required</description>
> >      <transport-guarantee>NONE</transport-guarantee>
> >    </user-data-constraint>
> > </security-constraint>
> >
> > <session-config>
> >    <session-timeout>30</session-timeout>
> > </session-config>
> >
> > <!-- LOGIN AUTHENTICATION -->
> >
> > <login-config>
> >   <auth-method>FORM</auth-method>
> >   <realm-name>default</realm-name>
> >   <form-login-config>
> >     <form-login-page>/LoginForm.html</form-login-page>
> >     <form-error-page>/LoginError.html</form-error-page>
> >   </form-login-config>
> >
> > </login-config>
> >
> > <!-- SECURITY ROLES -->
> >
> > <security-role>
> >    <description>The most secure role</description>
> >    <role-name>admin</role-name>
> > </security-role>
> >
> > </web-app>
> >
> >
> > -- Rosaria
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
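
As an added example, not part of the original thread and not Tomcat's own code: a small Python check of the top-level element order in a web.xml against the Servlet 2.3 DTD content model for <web-app>, the ordering the quoted reply says Tomcat 4.x enforces. The two sample documents are constructed (top-level elements only, in the order visible in the posted file and in a corrected order); `check_order` and the sample names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Child order of <web-app> as declared in web-app_2_3.dtd (Servlet 2.3).
DTD_ORDER = [
    "icon", "display-name", "description", "distributable", "context-param",
    "filter", "filter-mapping", "listener", "servlet", "servlet-mapping",
    "session-config", "mime-mapping", "welcome-file-list", "error-page",
    "taglib", "resource-env-ref", "resource-ref", "security-constraint",
    "login-config", "security-role", "env-entry", "ejb-ref", "ejb-local-ref",
]
RANK = {name: i for i, name in enumerate(DTD_ORDER)}
SECURITY = {"security-constraint", "login-config", "security-role"}

# Constructed samples: top-level elements only, element bodies omitted.
POSTED_ORDER = ("<web-app><security-constraint/><session-config/>"
                "<login-config/><security-role/></web-app>")
FIXED_ORDER = ("<web-app><session-config/><security-constraint/>"
               "<login-config/><security-role/></web-app>")


def check_order(xml_text):
    """Return (violations, unread_security).

    violations: messages for elements that break the DTD order.
    unread_security: security elements at or after the first violation,
    i.e. what a parser that stops at the first error would never apply.
    """
    violations, unread_security = [], []
    highest, highest_name = -1, None
    for child in ET.fromstring(xml_text):
        rank = RANK.get(child.tag)
        if rank is None:
            violations.append(f"<{child.tag}> is not a web-app 2.3 element")
        elif rank < highest:
            violations.append(
                f"<{child.tag}> must come before <{highest_name}>")
        else:
            highest, highest_name = rank, child.tag
        if violations and child.tag in SECURITY:
            unread_security.append(child.tag)
    return violations, unread_security


if __name__ == "__main__":
    for name, doc in (("posted", POSTED_ORDER), ("fixed", FIXED_ORDER)):
        print(name, check_order(doc))
```

Running a check like this before deployment catches an ordering error that would otherwise only show up in the container's log files.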



