tomcat-users mailing list archives

From "Bill Barker" <>
Subject Re: Security question
Date Wed, 18 Jun 2003 03:46:53 GMT
It can't be done (at least without hacking :).  The servlet-spec only tells
how to secure a page.  There is no concept of un-securing a page.

If you are using iPlanet+Tomcat, and the un-secure areas are all static
content, then you can configure iPlanet to serve the un-secure areas
(bypassing Tomcat's security checks).  If it works, this is probably the

Otherwise you probably would need to plug in your own custom Authenticator
that would be smart enough to un-secure some configured set of URLs.

"Bob Damato" <> wrote in message
> Security for the site I'm working with was originally done via IPlanet's
> internal security. I'd like to move to using the webapp security in
> Tomcat. Under iPlanet, the security was set up with the entire site - /*
> - being secured, then specific URIs were explicitly declared
> un-secured.
> So, essentially we have
> /*  - secured
> and say
> /errors/* - explicitly open to the public
> Is this possible to replicate using Tomcat's security? It would be
> excruciating to reorganize the site, so I'd love to avoid that.
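
The decision that a custom Authenticator of the kind suggested in the reply would have to make, as an added example that is not part of the original messages or of Tomcat. `OpenAreaPolicy` and its methods are hypothetical names, and paths are assumed to be relative to the webapp's context root. Dot segments are resolved before matching so that a path such as /errors/../admin is not treated as part of the open area.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

// Added example; OpenAreaPolicy and its methods are hypothetical names,
// not part of Tomcat or the servlet API. Needs Java 9 or later (List.of).
public class OpenAreaPolicy {
    private final List<String> openRoots; // "/errors" stands for the pattern /errors/*

    public OpenAreaPolicy(List<String> openRoots) { this.openRoots = openRoots; }

    /** True only when the canonical path is an open root or lies beneath one. */
    public boolean isOpen(String rawPath) {
        String path = canonicalize(rawPath);
        if (path == null) return false;                 // fail closed: stays secured
        for (String root : openRoots) {
            // root + "/" keeps /errors-internal from matching the /errors root
            if (path.equals(root) || path.startsWith(root + "/")) return true;
        }
        return false;                                   // everything else is under /*
    }

    /** Resolves "." and ".." segments; returns null for paths it will not interpret. */
    static String canonicalize(String rawPath) {
        if (rawPath == null || !rawPath.startsWith("/")) return null;
        // Encoded bytes, backslashes and path parameters are refused rather than guessed at.
        if (rawPath.contains("%") || rawPath.contains("\\") || rawPath.contains(";")) return null;
        Deque<String> kept = new ArrayDeque<>();
        for (String seg : rawPath.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (!seg.equals("..")) { kept.addLast(seg); continue; }
            if (kept.isEmpty()) return null;            // climbs above the context root
            kept.removeLast();
        }
        return "/" + String.join("/", kept);
    }

    public static void main(String[] args) {
        OpenAreaPolicy policy = new OpenAreaPolicy(List.of("/errors"));
        // Constructed sample paths, relative to the webapp's context root.
        String[] samples = { "/errors/404.html", "/errors", "/errors-internal/x",
                             "/errors/../admin/index.jsp", "/errors/%2e%2e/admin", "/account" };
        for (String p : samples) {
            System.out.println(p + " -> " + (policy.isOpen(p) ? "open" : "login required"));
        }
    }
}
```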
