tomcat-users mailing list archives

From David.Paw...@rnib.org.uk
Subject RE: web.xml security configuration.
Date Thu, 09 Sep 2004 07:23:31 GMT
Thanks for getting back to me, Ruth; I've been three days with this now.

-----Original Message-----
From: Ruth, Brice

> > question.
> > I'm assuming these are 'part of' the repository app? Is that right?
> > What should the uri-pattern be for these?
> > Again the browse path will be
> > http://localhost/repository/upload/index.html
> > I want to have different security requirements for upload and search.
> > If I have the security constraint on repository defined with
> > url-pattern of /*, I'm thinking that will cover all the descendants of
> > the repository directory? Is that wrong?
>
> That's a correct assumption. You should be able to do what you're
> wanting to do; the main thing to understand is that if you need to set
> a granular constraint, say for /repository/search/index.html, then you
> need to access that page as such.
Yes, for testing I'm using
http://localhost/repository/search/index.html
I have no mapping for these since they are simple HTML files.

> On the other hand, if you want to take advantage of index files, then a
> security constraint in the form of /repository/search/ should work (no
> wildcard "*" at the end). It's really just a pattern/glob match that
> takes place to determine if a security constraint should be invoked or
> not. This last pattern should only be invoked for /repository/search/,
> not for anything else.
So it would not impact /repository/search/otherFile.html? And no other child directories?
That's a relief.


> Same goes if you have one tied to /repository/. I would advise that you
> add an additional URL-pattern for the actual index file as well;
> otherwise, if that file is accessed directly, then the security
> constraint will not be invoked.

Yes, I've tried that. No success.
I've reverted to the $catalina-home/conf/tomcat-users.xml
to take out the MySQL loop too. Still no success.

Could someone provide a (simple) example of the
<security-constraint>
  ..
  <url-pattern>
vs.
the $catalina-home/webapps/X structure, please?
I can't find any examples other than a single app
using appname/* as the url-pattern.
With 3 roles: admin, read, and rwrite, and
/webapps
  /repository     admin|read|rwrite
    /admin        admin only
    /search       admin|read|rwrite
    /upload       admin|rwrite
All use index.html.
I think the url-patterns are:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/repository/admin/index.html</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>upload</web-resource-name>
      <url-pattern>/repository/upload/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>rwrite</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>search</web-resource-name>
      <url-pattern>/repository/search/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>rwrite</role-name>
      <role-name>read</role-name>
    </auth-constraint>
  </security-constraint>

Anything wrong with these?
*Must* I use wildcards/globbing when I'm using defaults
(index.html, index.jsp, or whatever)?


Regards, DaveP

-- 
DISCLAIMER: 

NOTICE: The information contained in this email and any attachments is 
confidential and may be privileged. If you are not the intended 
recipient you should not use, disclose, distribute or copy any of the 
content of it or of any attachment; you are requested to notify the 
sender immediately of your receipt of the email and then to delete it 
and any attachments from your system. 

RNIB endeavours to ensure that emails and any attachments generated by 
its staff are free from viruses or other contaminants. However, it 
cannot accept any responsibility for any such which are transmitted.
We therefore recommend you scan all attachments. 

Please note that the statements and views expressed in this email and 
any attachments are those of the author and do not necessarily represent 
those of RNIB. 

RNIB Registered Charity Number: 226227 

Website: http://www.rnib.org.uk 
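Added example (editor's note, not part of the thread above): two facts decide whether a <security-constraint> fires, and both bear on the configuration DaveP posted. First, url-patterns in web.xml are matched against the request path with the context path removed, so for an app deployed as webapps/repository the container compares /admin/index.html, never /repository/admin/index.html; a pattern that includes the context name cannot match. Second, Brice's point about index files: an exact pattern such as /search/ covers exactly that request URI (the welcome file served for it is still request /search/), while a direct request for /search/index.html falls through to whatever less specific pattern matches, which is why a /* catch-all or a /search/* prefix is the safe form. A related trap is the <http-method> list: listing methods means only those methods are constrained, so HEAD, OPTIONS or TRACE on the same URL bypass the constraint; for a Tomcat of this vintage the fix is to omit <http-method> entirely (Servlet 3.1 later added <deny-uncovered-http-methods/>). The Python below models those matching rules over a constructed web.xml for the layout in the post (role names and patterns are mine, written to that layout) and deliberately keeps one weak search constraint so the gaps are visible.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml for the layout in the post (not from the thread). The app
# lives in webapps/repository, so the context root is /repository and every
# url-pattern is relative to it: the container matches /admin/index.html, never
# /repository/admin/index.html. The search constraint is deliberately the weak
# form (exact pattern plus an http-method list) to show what it leaves open.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name><role-name>read</role-name>
      <role-name>rwrite</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>upload</web-resource-name>
      <url-pattern>/upload/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name><role-name>rwrite</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>search (weak)</web-resource-name>
      <url-pattern>/search/</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name><role-name>read</role-name>
      <role-name>rwrite</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# The pattern as written in the post, context name included (constructed).
POSTED_PATTERN_XML = """<web-app><security-constraint>
  <web-resource-collection><web-resource-name>x</web-resource-name>
    <url-pattern>/repository/admin/index.html</url-pattern></web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint></web-app>"""


def parse_constraints(xml_text):
    """Return [{'collections': [(patterns, methods)], 'roles': set|None}]."""
    out = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        collections = []
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
            collections.append((patterns, methods))
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        out.append({"collections": collections, "roles": roles})
    return out


def match_rank(pattern, path):
    """Rank a match of a context-relative path against a url-pattern (None if no
    match). Lower is better: exact, then longest '/x/*' prefix, '*.ext', '/'."""
    if pattern == path:
        return (0, 0)
    if pattern.endswith("/*"):
        base = pattern[:-2]
        if path.startswith(base) and (len(path) == len(base) or path[len(base)] == "/"):
            return (1, -len(base))
        return None
    if pattern.startswith("*."):
        return (2, 0) if path.endswith(pattern[1:]) else None
    return (3, 0) if pattern == "/" else None


def required_roles(constraints, path, method):
    """Roles that may reach (path, method). None means the request is
    unconstrained; an empty frozenset means nobody may access it."""
    method, best, candidates = method.upper(), None, []
    for c in constraints:
        for patterns, methods in c["collections"]:
            for p in patterns:
                rank = match_rank(p, path)
                if rank is None:
                    continue
                if best is None or rank < best:      # more specific pattern wins
                    best, candidates = rank, []
                if rank == best:
                    candidates.append((c, methods))
    # An empty <http-method> list covers every method; a non-empty one leaves
    # unlisted methods (HEAD, OPTIONS, TRACE ...) uncovered even though a less
    # specific pattern such as /* would have covered them.
    applicable = [c for c, methods in candidates if not methods or method in methods]
    if not applicable:
        return None
    roles = set()
    for c in applicable:
        if c["roles"] is None:               # no <auth-constraint>: open to all
            return None
        roles |= c["roles"]
    return frozenset(roles)
```

Run `required_roles(parse_constraints(WEB_XML), "/search/", "HEAD")` and it returns None: the exact /search/ pattern is the best match, its method list excludes HEAD, and the /* catch-all is not consulted. The same path with GET returns the three roles, and /search/index.html with any method is caught by /*. The posted pattern, with /repository prefixed, never matches a request to the admin page at all.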
