tomcat-users mailing list archives

From Carl Walker <walke...@georgetown.edu>
Subject Re: problems with web.xml and security
Date Tue, 17 Jun 2003 20:25:06 GMT
What happens when you take out the '/*' url-pattern?

Rosaria Silipo wrote:

> Thanks Carl,
>
> Yes, I tried to see /secure as the first thing and I can see it without
> authentication.
> I tried to close the browser and restart it and I could still see it.
> Maybe the problem is in the web.xml of /secure. Is it possible?
>
> -- Rosaria
>
> -----Original Message-----
> From: Carl Walker [mailto:walkerce@georgetown.edu]
> Sent: Tuesday, June 17, 2003 12:56 PM
> To: Tomcat Users List
> Subject: Re: problems with web.xml and security
>
> I just tested this and wasn't able to see /secadmin without logging on. Are
> you closing the browser (possibly including mail clients) between trials?
> If you go from hitting '/' with a successful logon to hitting '/secure', you
> won't get a second challenge.
>
> -Carl
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>SecadminJsps</web-resource-name>
>       <url-pattern>/*</url-pattern>
>       <url-pattern>/secadmin/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>secadmin</role-name>
>     </auth-constraint>
>   </security-constraint>
>
> Rosaria Silipo wrote:
>
> > The second.
> > I can see the files even without having authenticated.
> > The funny part is that it works correctly for /* and for sub-directories
> > that I have not yet created.
> >
> > -- Rosaria
> >
> > -----Original Message-----
> > From: Carl Walker [mailto:walkerce@georgetown.edu]
> > Sent: Tuesday, June 17, 2003 11:37 AM
> > To: Tomcat Users List
> > Subject: Re: problems with web.xml and security
> >
> > In which way doesn't it work?  Are you prohibited from viewing the files
> > after logging in or can you see the files even if you haven't
> > authenticated?
> >
> > -Carl
> >
> > Rosaria Silipo wrote:
> >
> > > Hi,
> > >
> > > I am trying to set up Tomcat as a secure web engine.
> > > From the tutorial I understood that you should insert the following
> > > lines in web.xml and the password protection should work.
> > >
> > > This works perfectly for files in the root directory (/*), it does not
> > > work for files in subdirectories, like /secure/*.
> > >
> > > Have you ever seen this problem before?
> > >
> > > Thanks for any help
> > >
> > > -- Rosaria
> > >
> > > <!DOCTYPE web-app
> > >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> > >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> > >
> > > <web-app>
> > > ...
> > >
> > > <!-- SECURITY CONSTRAINT -->
> > > <security-constraint>
> > >   <web-resource-collection>
> > >      <web-resource-name>Secure Pages</web-resource-name>
> > >      <description>Security constraint on all files</description>
> > >      <url-pattern>/*</url-pattern>
> > >      <url-pattern>/secure/*</url-pattern>
> > >      <http-method>POST</http-method>
> > >      <http-method>GET</http-method>
> > >   </web-resource-collection>
> > >
> > >   <auth-constraint>
> > >     <description>admin can login</description>
> > >      <role-name>admin</role-name>
> > >   </auth-constraint>
> > >
> > >    <user-data-constraint>
> > >      <description>SSL not required</description>
> > >      <transport-guarantee>NONE</transport-guarantee>
> > >    </user-data-constraint>
> > > </security-constraint>
> > >
> > > <session-config>
> > >    <session-timeout>30</session-timeout>
> > > </session-config>
> > >
> > > <!-- LOGIN AUTHENTICATION -->
> > >
> > > <login-config>
> > >   <auth-method>FORM</auth-method>
> > >   <realm-name>default</realm-name>
> > >   <form-login-config>
> > >     <form-login-page>/LoginForm.html</form-login-page>
> > >     <form-error-page>/LoginError.html</form-error-page>
> > >   </form-login-config>
> > >
> > > </login-config>
> > >
> > > <!-- SECURITY ROLES -->
> > >
> > > <security-role>
> > >    <description>The most secure role</description>
> > >    <role-name>admin</role-name>
> > > </security-role>
> > >
> > > </web-app>
> > >
> > > -- Rosaria
> > >
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
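
Added example, not part of the original thread: a Python sketch that reads the security-constraint from a web.xml like the one quoted above and reports which roles a given path and method require, using the Servlet specification's best-match rule (exact, longest path prefix, extension, default). The sample XML is constructed and the function names are assumptions of this example; a given Tomcat version's own matching may differ.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the constraint quoted in this thread.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure Pages</web-resource-name>
    <url-pattern>/*</url-pattern>
    <url-pattern>/secure/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint></web-app>"""

def load_constraints(xml_text):
    """Return [(patterns, methods, roles)]; empty methods = all, roles None = no auth."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        for wrc in sc.iter("web-resource-collection"):
            pats = [p.text.strip() for p in wrc.iter("url-pattern")]
            meths = {m.text.strip().upper() for m in wrc.iter("http-method")}
            out.append((pats, meths, roles))
    return out

def rank(pattern, path):
    """Match strength: exact > longest path prefix > extension > default; None = no match."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def required_roles(constraints, path, method):
    """Roles demanded for a request; None = unconstrained, empty set = denied to all."""
    hits = [(rank(p, path), m, r) for pats, m, r in constraints for p in pats]
    best = max((h[0] for h in hits if h[0] is not None), default=None)
    applicable = [r for rk, m, r in hits
                  if rk is not None and rk == best and (not m or method.upper() in m)]
    if any(r == set() for r in applicable):
        return set()
    if not applicable or None in applicable:
        return None
    return set().union(*applicable)

def redundant_patterns(constraints):
    """(narrow, broad) prefix patterns where broad already covers narrow in one collection."""
    return [(q, p) for pats, _, _ in constraints for q in pats for p in pats
            if p != q and q.endswith("/*") and rank(p, q[:-2]) == (2, len(p))]
```

A request method that is not listed under http-method, such as PUT here, comes back as unconstrained, and /secure/* is reported as redundant next to /*.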

