tomcat-users mailing list archives

From Carl Walker <walke...@georgetown.edu>
Subject Re: problems with web.xml and security
Date Tue, 17 Jun 2003 19:56:28 GMT
I just tested this and wasn't able to see /secadmin without logging-on.  Are
you closing the browser (possibly including mail clients) between trials?
If you go from hitting '/' with a successful logon to hitting '/secure', you
won't get a second challenge.

-Carl

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecadminJsps</web-resource-name>
      <url-pattern>/*</url-pattern>
      <url-pattern>/secadmin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>secadmin</role-name>
    </auth-constraint>
  </security-constraint>


Rosaria Silipo wrote:

> The second.
> I can see the files even without having authenticated.
> The funny part is that it works correctly for /* and for sub-directories
> that I have not yet created.
>
> -- Rosaria
>
> -----Original Message-----
> From: Carl Walker [mailto:walkerce@georgetown.edu]
> Sent: Tuesday, June 17, 2003 11:37 AM
> To: Tomcat Users List
> Subject: Re: problems with web.xml and security
>
> In which way doesn't it work?  Are you prohibited from viewing the files
> after logging in or can you see the files even if you haven't
> authenticated?
>
> -Carl
>
> Rosaria Silipo wrote:
>
> > Hi,
> >
> > I am trying to set up Tomcat as a secure web engine.
> > From the tutorial I understood that you should insert the following
> > lines in web.xml and the password protection should work.
> >
> > This works perfectly for files in the root directory (/*), it does not
> > work for files in subdirectories, like /secure/*.
> >
> > Have you ever seen this problem before?
> >
> > Thanks for any help
> >
> > -- Rosaria
> >
> > <!DOCTYPE web-app
> >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> >
> > <web-app>
> > ...
> >
> > <!-- SECURITY CONSTRAINT -->
> > <security-constraint>
> >   <web-resource-collection>
> >      <web-resource-name>Secure Pages</web-resource-name>
> >      <description>Security constraint on all files</description>
> >      <url-pattern>/*</url-pattern>
> >      <url-pattern>/secure/*</url-pattern>
> >      <http-method>POST</http-method>
> >      <http-method>GET</http-method>
> >   </web-resource-collection>
> >
> >   <auth-constraint>
> >     <description>admin can login</description>
> >      <role-name>admin</role-name>
> >   </auth-constraint>
> >
> >    <user-data-constraint>
> >      <description>SSL not required</description>
> >      <transport-guarantee>NONE</transport-guarantee>
> >    </user-data-constraint>
> > </security-constraint>
> >
> > <session-config>
> >    <session-timeout>30</session-timeout>
> > </session-config>
> >
> > <!-- LOGIN AUTHENTICATION -->
> >
> > <login-config>
> >   <auth-method>FORM</auth-method>
> >   <realm-name>default</realm-name>
> >   <form-login-config>
> >     <form-login-page>/LoginForm.html</form-login-page>
> >     <form-error-page>/LoginError.html</form-error-page>
> >   </form-login-config>
> >
> > </login-config>
> >
> > <!-- SECURITY ROLES -->
> >
> > <security-role>
> >    <description>The most secure role</description>
> >    <role-name>admin</role-name>
> > </security-role>
> >
> > </web-app>
> >
> > -- Rosaria
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


