tomcat-users mailing list archives

From "Ruth, Brice" <>
Subject Re: web.xml security configuration.
Date Wed, 08 Sep 2004 16:09:35 GMT wrote:

>in my web.xml I have
>  <servlet-mapping>
>    <servlet-name>repository</servlet-name>
>    <url-pattern>/repository</url-pattern>
>  </servlet-mapping>
>  <servlet-mapping>
>    <servlet-name>getit</servlet-name>
>    <url-pattern>/getit</url-pattern>
>  </servlet-mapping>
>I.e. it's a one to one, so if I understand you correctly,
>when I browse to http://localhost/repository/index.jsp
>my url-pattern should be
> <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>Read-WriteArea</web-resource-name>
>      <url-pattern>/repository/*</url-pattern>
>I have other (html files) in
> /webapps
>   /repository
>     /upload
>         index.html
>     /search
>         index.html
>   I'm assuming these are 'part of' the repository app? Is that right?
>   What should the uri-pattern be for these?
>   Again the browse path will be
>I want to have different security requirements for upload and search.
>If I have the security constraint on repository defined with url-pattern
>of /*, I'm thinking that will cover all the descendants of the repository
>directory? Is that wrong?
>regards daveP

That's a correct assumption. You should be able to do what you're
wanting to do; the main thing to understand is that if you need to set a
granular constraint, say for /repository/search/index.html, then you
need to access that page as such. On the other hand, if you want to take
advantage of index files, then a security constraint in the form of
/repository/search/ should work (no wildcard "*" at the end). It's really
just a pattern/glob match that takes place to determine if a security
constraint should be invoked or not. This last pattern should only be
invoked for /repository/search/, not for anything else. Same goes if you
have one tied to /repository/. I would advise that you add an additional
URL-pattern for the actual index file as well, otherwise, if that file
is accessed directly, then the security constraint will not be invoked.

Hope this helps!

Brice Ruth, Sr. IT Analyst
Fiskars Brands Inc
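
Added example (not part of the original message and not Tomcat's code): a small Python model of the url-pattern matching rules in the Servlet specification, run over the patterns discussed in this thread to list which request paths no security constraint covers. The constraint names are hypothetical, and the paths are assumed to be the ones the container matches, relative to the web application's context root.

```python
# Added illustration of Servlet-spec url-pattern matching; not Tomcat source.

def pattern_matches(pattern, path):
    """True if a web.xml <url-pattern> matches a context-relative request path."""
    if pattern.endswith("/*"):                      # path-prefix pattern
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                    # extension pattern
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if pattern == "/":                              # default pattern
        return True
    return pattern == path                          # anything else: exact match only

def rank(pattern):
    """Best-match order: exact, longest path prefix, extension, default."""
    if pattern.endswith("/*"):
        return (1, -len(pattern))
    if pattern.startswith("*."):
        return (2, 0)
    return (3, 0) if pattern == "/" else (0, 0)

def governing_constraint(constraints, path):
    """Name of the constraint whose pattern best matches path, or None."""
    hits = [(rank(p), name)
            for name, patterns in constraints.items()
            for p in patterns if pattern_matches(p, path)]
    return min(hits)[1] if hits else None

def unprotected(constraints, paths):
    """Paths that no security constraint applies to."""
    return [p for p in paths if governing_constraint(constraints, p) is None]

# Constructed sample data. Constraint names are hypothetical; patterns are the
# ones discussed in the thread.
PATHS = ["/repository/search/", "/repository/search/index.html",
         "/repository/upload/index.html"]
DIR_ONLY = {"search-area": ["/repository/search/"]}
DIR_AND_INDEX = {"search-area": ["/repository/search/",
                                 "/repository/search/index.html"]}
WITH_WILDCARD = {"whole-app": ["/repository/*"], **DIR_AND_INDEX}

if __name__ == "__main__":
    for label, cfg in [("dir only", DIR_ONLY), ("dir + index", DIR_AND_INDEX),
                       ("plus /repository/*", WITH_WILDCARD)]:
        print(label, "-> unprotected:", unprotected(cfg, PATHS))
```

Running the same check over a deployed application's real URL list and its web.xml patterns shows which resources fall outside every constraint before they are exposed.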
