tomcat-users mailing list archives

From Ben Souther <bsout...@fwdco.com>
Subject RE: [newbie] Container Managed Security - preventing direct access to .jsp
Date Tue, 14 Dec 2004 18:16:16 GMT
Filters are portable.



On Tue, 2004-12-14 at 12:32, Robert Taylor wrote:
> Ping...
> 
> Please let me know if this question is just too obvious
> and I'll gladly RTFM...even more. And yes, I know this list
> is not here just to serve _my_ interests.
> 
> It just seems like a common idiom to provide a portable mechanism
> for protecting direct access to .jsp so as to enforce access through
> some controller. I have in the past placed .jsp files "behind" WEB-INF,
> but I don't believe that is portable and would like to use CMS to achieve
> this.
> 
> Thanks again.
> 
> /robert
> 
> 
> > -----Original Message-----
> > From: Robert Taylor [mailto:rtaylor@mulework.com]
> > Sent: Monday, December 13, 2004 8:59 PM
> > To: tomcat-user@jakarta.apache.org
> > Subject: [newbie] Container Managed Security - preventing direct access
> > to .jsp
> > 
> > 
> > Greetings, 
> > 
> > I'm new to Tomcat and this mailing list, and have a question
> > regarding configuring Tomcat to simply disallow access to .jsp pages
> > which I have protected via the <security-constraint/> in my web app
> > web.xml file.
> > 
> > From what I understand, the following should do the trick and cause
> > a 403 error to be sent to the browser by the container. I would like
> > to trap that error code and display a user friendly page (I chose any page
> > so I would know it's working).
> > 
> > I've simply modified the Tomcat jsp-examples web app. Here's a snippet
> > of the necessary artifacts in the web.xml file.
> > 
> > 
> > 
> > <error-page>
> >     <error-code>403</error-code>
> >     <location>/dates/date.jsp</location>
> > </error-page>
> > 
> > <security-constraint>
> >       <display-name>Example Security Constraint</display-name>
> >       <web-resource-collection>
> >          <web-resource-name>Protected Area</web-resource-name>
> >          <url-pattern>/security/protected/*</url-pattern>
> > 	</web-resource-collection>
> > </security-constraint>
> > 
> > 
> > I believe the constraint is working, but I don't think the 
> > <error-page/> is "catching" the 403 status code. This is probably
> > because a 403 status code is not returned, but rather a 200 (I verified
> > this by looking at the response headers).
> > 
> > Anyhow, the content of the returned page is below within the <content/>:
> > 
> > 
> > <content>
> > You are logged in as remote user null in session D97EE937BEC953A7E82E42B3956AED86
> > 
> > No user principal could be identified.
> > 
> > To check whether your username has been granted a particular role, enter it here:
> > 
> > 
> > If you have configured this app for form-based authentication, you can log off by
> > clicking here. This should cause you to be returned to the logon page after the
> > redirect that is performed.
> > </content>
> > 
> > I'm sure this has happened to someone else, I just cannot find where.
> > I googled and didn't come up with much. I searched the archives using
> > "You are logged in as remote user null in session" and no matches were
> > found.
> > 
> > Any help would be greatly appreciated.
> > 
> > /robert
> > 
> > 
> >  
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > 
> > 
> 
> 
> 


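Ben's one-line answer points at the portable idiom: a servlet Filter mapped to *.jsp that refuses client requests naming a JSP directly, while a controller's RequestDispatcher.forward() to the same JSP still gets through. The quoted <security-constraint> answers with 200 rather than 403 because it has no <auth-constraint>; under the Servlet specification a constraint without one does not require authentication, so nothing is forbidden. The class below is an added example, not code from this thread or from Tomcat. The class name DirectJspAccessFilter and the web.xml mapping it assumes (a <filter-mapping> with <url-pattern>*.jsp</url-pattern> and no <dispatcher> element, which in Servlet 2.4 means the filter runs only for REQUEST dispatches, not FORWARD) are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects browser requests that name a .jsp (or .jspx) directly.
 *
 * Assumed web.xml mapping (hypothetical, not from the thread):
 *   <filter-mapping>
 *     <filter-name>DirectJspAccessFilter</filter-name>
 *     <url-pattern>*.jsp</url-pattern>
 *   </filter-mapping>
 * With no <dispatcher> element the filter is applied only to client
 * REQUEST dispatches, so a controller servlet's
 * RequestDispatcher.forward("/some/page.jsp") is never filtered and
 * the JSP remains reachable only through that controller.
 */
public class DirectJspAccessFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure; the decision is purely on the request path.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isDirectJspRequest(request)) {
            // sendError() goes through the web.xml <error-page> table exactly
            // like a container-generated 403, so the <error-page> for 403 in
            // the original question is honored without further changes.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Direct access to JSP pages is not permitted");
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * True when the request URL (after the context path) ends in .jsp/.jspx.
     * The check is redundant for a *.jsp mapping but keeps the filter safe if
     * it is ever mapped to a broader pattern such as /*.
     */
    static boolean isDirectJspRequest(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path = path + request.getPathInfo();
        }
        String lower = path.toLowerCase();
        return lower.endsWith(".jsp") || lower.endsWith(".jspx");
    }

    public void destroy() {
        // No resources to release.
    }
}
```

If the mapping is later given a <dispatcher>FORWARD</dispatcher> entry, the filter would also block the controller's own forwards, so the absence of that element is what makes the approach work. Because the filter uses only the javax.servlet API, it behaves the same on any compliant container, which is the portability the thread is after.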

