tomcat-users mailing list archives

From "Ruth, Brice" <br...@fiskars.com>
Subject Re: web.xml security configuration.
Date Wed, 08 Sep 2004 16:09:35 GMT
David.Pawson@rnib.org.uk wrote:

>in my web.xml I have
>
>  <servlet-mapping>
>    <servlet-name>repository</servlet-name>
>    <url-pattern>/repository</url-pattern>
>  </servlet-mapping>
>
>  <servlet-mapping>
>    <servlet-name>getit</servlet-name>
>    <url-pattern>/getit</url-pattern>
>  </servlet-mapping>
>
>I.e. it's a one to one, so if I understand you correctly,
>when I browse to http://localhost/repository/index.jsp 
>my url-pattern should be
>
> <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>Read-WriteArea</web-resource-name>
>      <url-pattern>/repository/*</url-pattern>
>
>I have other (html files) in
> /webapps
>   /repository
>     /upload
>         index.html
>     /search
>         index.html
>
>question.
>   I'm assuming these are 'part of' the repository app? Is that right?
>   What should the uri-pattern be for these?
>   Again the browse path will be
>http://localhost/repository/upload/index.html 
>I want to have different security requirements for upload and search.
>If I have the security constraint on repository defined with url-pattern
>of /*, I'm thinking that will cover all the descendants of the repository
>directory? Is that wrong?
>
>regards daveP
>
Dave,

That's a correct assumption. You should be able to do what you're
wanting to do; the main thing to understand is that if you need to set a
granular constraint, say for /repository/search/index.html, then you
need to access that page as such. On the other hand, if you want to take
advantage of index files, then a security constraint in the form of
/repository/search/ should work (no wildcard "*" at the end). It's really
just a pattern/glob match that takes place to determine if a security
constraint should be invoked or not. This last pattern should only be
invoked for /repository/search/, not for anything else. Same goes if you
have one tied to /repository/. I would advise that you add an additional
URL-pattern for the actual index file as well, otherwise, if that file
is accessed directly, then the security constraint will not be invoked.

Hope this helps!
-Brice



-- 
Brice Ruth, Sr. IT Analyst
Fiskars Brands Inc
http://www.fiskarsbrands.com/
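
The pattern matching discussed in this message can be checked offline. The following is an added example, not part of the original thread and not Tomcat's code: a Python sketch of the Servlet specification's best-match rules for `url-pattern`, showing which constraint governs each request path. It assumes the application is deployed at the `/repository` context path, so patterns and request paths are written relative to it; the pattern lists and paths are constructed.

```python
# Added example: Servlet-spec "best match" selection of the url-pattern whose
# security constraint governs a request. Not Tomcat's implementation.
# Assumption: paths are relative to the /repository context path.

def kind(pattern):
    """Classify a url-pattern the way the Servlet specification does."""
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"
    if pattern.startswith("*."):
        return "extension"
    return "exact"


def best_match(patterns, path):
    """Return the pattern that governs `path`, or None if no constraint applies."""
    # 1. An exact pattern wins outright.
    if any(kind(p) == "exact" and p == path for p in patterns):
        return path
    # 2. Otherwise the longest path-prefix pattern; "/search/*" also covers "/search".
    prefixes = [p for p in patterns if kind(p) == "prefix"
                and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:
        return max(prefixes, key=len)
    # 3. Then an extension pattern such as "*.jsp".
    last_segment = path.rsplit("/", 1)[-1]
    if "." in last_segment:
        ext = "*." + last_segment.rsplit(".", 1)[1]
        if ext in patterns:
            return ext
    # 4. Finally the default pattern "/", if one is declared.
    return "/" if "/" in patterns else None


def coverage(patterns, paths):
    """Map each request path to its governing pattern (None = unconstrained)."""
    return {path: best_match(patterns, path) for path in paths}


# Constructed request paths and pattern sets for the layout in the thread.
PATHS = ["/search/", "/search/index.html", "/upload/index.html"]
DIR_ONLY = ["/search/"]                             # no wildcard: directory URL only
DIR_AND_INDEX = ["/search/", "/search/index.html"]  # plus the index file itself
PER_AREA = ["/search/*", "/upload/*", "/*"]         # separate constraint per area

if __name__ == "__main__":
    for name, pats in [("dir only", DIR_ONLY), ("dir + index", DIR_AND_INDEX),
                       ("per area", PER_AREA)]:
        print(name, coverage(pats, PATHS))
```

A result of `None` means no constraint is invoked for that path, which is the gap to look for when auditing a `web.xml` that uses exact patterns.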
