tomcat-users mailing list archives

From "Parsons Technical Services" <parsonstechni...@earthlink.net>
Subject Re: basic security tutorial
Date Fri, 03 Dec 2004 01:32:20 GMT
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html
Is a start, but doesn't give a how-to.
From the web.xml for the examples with added comments.


<!-- Starts the section. Located after jsp-config near end of file -->
<security-constraint>
  <!-- A description for identification by you. In real world might be
       Salesmen Area. Or Admin Only -->
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected (* may
         only be used at end of string) -->
    <!-- Follows file structure in the app. If you need different areas
         for different people, place in peer folders. -->
    <url-pattern>/security/protected/*</url-pattern>
    <!-- If you list http methods, only those methods are protected -->
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>tomcat</role-name>
    <role-name>role1</role-name>
  </auth-constraint>
</security-constraint>

If you had another area to protect and its location was in /security/safe 
then create another complete security-constraint and use /security/safe/* as 
the url-pattern. Then define the role-name for this area for example:

         <role-name>tomcat</role-name>
         <role-name>role2</role-name>

This allows a user of role tomcat to access both areas but only role2 can 
get pages from safe.

Then define the roles.
<!-- Security roles referenced by this web application -->
<security-role>
  <role-name>role1</role-name>
</security-role>
<security-role>
  <role-name>role2</role-name>
</security-role>
<security-role>
  <role-name>tomcat</role-name>
</security-role>

Now where Tomcat goes to look up the user/password to determine the role 
depends on the method you choose as discussed in the link.

If I have foobarred something, hopefully someone will be nice and correct me 
nicely.

Doug
www.parsonstechnical.com
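The two-area setup described in the reply above, written out as one complete security section of a web.xml. This is an added example, not text from the post or from the Tomcat examples; the area and role names follow the post, while the login-config values (FORM authentication, the login page paths and the realm name) and the CONFIDENTIAL transport guarantee are assumptions. It deliberately omits the http-method elements: as the post's own comment notes, listing methods protects only those methods, so any method not listed would reach the pages unauthenticated, whereas leaving the list out makes the constraint cover every method.

```xml
<!-- Added example (not from the original post or the Tomcat examples):
     two protected areas, shared role "tomcat", area-specific roles role1/role2.
     Place these elements alongside the other top-level elements of web.xml. -->

<!-- Area 1: /security/protected/ -- tomcat and role1 may enter -->
<security-constraint>
  <display-name>Protected Area</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/security/protected/*</url-pattern>
    <!-- No <http-method> elements on purpose: with none listed the
         constraint applies to every HTTP method, so an unlisted method
         cannot slip past it. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
    <role-name>role1</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Assumption: require TLS so credentials and pages are not sent in clear -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Area 2: /security/safe/ -- tomcat and role2 may enter; role1 is refused -->
<security-constraint>
  <display-name>Safe Area</display-name>
  <web-resource-collection>
    <web-resource-name>Safe Area</web-resource-name>
    <url-pattern>/security/safe/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
    <role-name>role2</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- How users prove who they are. FORM and the page paths are assumptions;
     BASIC with only <auth-method> and <realm-name> is the simpler choice. -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Realm</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role named in an auth-constraint must also be declared here -->
<security-role>
  <role-name>role1</role-name>
</security-role>
<security-role>
  <role-name>role2</role-name>
</security-role>
<security-role>
  <role-name>tomcat</role-name>
</security-role>
```

Which users hold these roles is decided by the realm chosen from the realm how-to, not by web.xml. With the memory-based realm that Tomcat 5.5 ships with, conf/tomcat-users.xml does the mapping: a `<role rolename="role2"/>` line per role, and a `<user username="..." password="..." roles="tomcat,role2"/>` line per user, where a user listed with `roles="role1"` alone can log in but is refused at /security/safe/.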




----- Original Message ----- 
From: "Jeff Ousley" <jousley@gmail.com>
To: <tomcat-user@jakarta.apache.org>
Sent: Thursday, December 02, 2004 3:24 PM
Subject: basic security tutorial


> hello!
>
> does anyone know if there's a tutorial or reference on how to set up
> basic security using tomcat (5.5)? i'd like to get a better
> understanding of how to secure particular pages in a webapp.
>
> thanks!
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
> 


