tomcat-users mailing list archives

From "Rosaria Silipo" <rosariasil...@yahoo.com>
Subject RE: problems with web.xml and security
Date Tue, 17 Jun 2003 19:34:26 GMT


The second.
I can see the files even without having authenticated.
The funny part is that it works correctly for /* and for sub-directories
that I have not yet created.

-- Rosaria

-----Original Message-----
From: Carl Walker [mailto:walkerce@georgetown.edu] 
Sent: Tuesday, June 17, 2003 11:37 AM
To: Tomcat Users List
Subject: Re: problems with web.xml and security

In which way doesn't it work?  Are you prohibited from viewing the files
after logging in or can you see the files even if you haven't
authenticated?

-Carl

Rosaria Silipo wrote:

> Hi,
>
> I am trying to set up Tomcat as a secure web engine.
> From the tutorial I understood that you should insert the following
> lines in web.xml and the password protection should work.
>
> This works perfectly for files in the root directory (/*), it does not
> work for files in subdirectories, like /secure/*.
>
> Have you ever seen this problem before?
>
> Thanks for any help
>
> -- Rosaria
>
> <!DOCTYPE web-app
>     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
>     "http://java.sun.com/dtd/web-app_2_3.dtd">
>
> <web-app>
> ...
>
> <!-- SECURITY CONSTRAINT -->
> <security-constraint>
>   <web-resource-collection>
>      <web-resource-name>Secure Pages</web-resource-name>
>      <description>Security constraint on all files</description>
>      <url-pattern>/*</url-pattern>
>      <url-pattern>/secure/*</url-pattern>
>      <http-method>POST</http-method>
>      <http-method>GET</http-method>
>   </web-resource-collection>
>
>   <auth-constraint>
>     <description>admin can login</description>
>      <role-name>admin</role-name>
>   </auth-constraint>
>
>    <user-data-constraint>
>      <description>SSL not required</description>
>      <transport-guarantee>NONE</transport-guarantee>
>    </user-data-constraint>
> </security-constraint>
>
> <session-config>
>    <session-timeout>30</session-timeout>
> </session-config>
>
> <!-- LOGIN AUTHENTICATION -->
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>default</realm-name>
>   <form-login-config>
>     <form-login-page>/LoginForm.html</form-login-page>
>     <form-error-page>/LoginError.html</form-error-page>
>   </form-login-config>
>
> </login-config>
>
> <!-- SECURITY ROLES -->
>
> <security-role>
>    <description>The most secure role</description>
>    <role-name>admin</role-name>
> </security-role>
>
> </web-app>
>
> -- Rosaria
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org



