tomcat-users mailing list archives

From "Robert Taylor" <>
Subject RE: [newbie] Container Managed Security - preventing direct access to .jsp
Date Tue, 14 Dec 2004 17:32:45 GMT

Please let me know if this question is just too obvious
and I'll gladly RTFM...even more. And yes, I know this list
is not here just to serve _my_ interests.

It just seems like a common idiom to provide a portable mechanism
for protecting direct access to .jsp so as to enforce access through
some controller. I have in the past placed .jsp files "behind" WEB-INF,
but I don't believe that is portable and would like to use CMS to achieve

Thanks again.


> -----Original Message-----
> From: Robert Taylor []
> Sent: Monday, December 13, 2004 8:59 PM
> To:
> Subject: [newbie] Container Managed Security - preventing direct access
> to .jsp
> Greetings, 
> I'm new to Tomcat and this mailing list, and have a question
> regarding configuring Tomcat to simply disallow access to .jsp pages
> which I have protected via the <security-constraint/> in my web app
> web.xml file.
> From what I understand, the following should do the trick and cause
> a 403 error to be sent to the browser by the container. I would like
> to trap that error code and display a user friendly page (I chose any page
> so I would know it's working).
> I've simply modified the Tomcat jsp-examples web app. Here's a snippet
> of the necessary artifacts in the web.xml file.
> <error-page>
>     <error-code>403</error-code>
>     <location>/dates/date.jsp</location>
> </error-page>
> <security-constraint>
>       <display-name>Example Security Constraint</display-name>
>       <web-resource-collection>
>          <web-resource-name>Protected Area</web-resource-name>
>          <url-pattern>/security/protected/*</url-pattern>
>       </web-resource-collection>
> </security-constraint>
> I believe the constraint is working, but I don't think the 
> <error-page/> is "catching" the 403 status code. This is probably
> because a 403 status code is not returned, but rather a 200 (I verified
> this by looking at the response headers).
> Anyhow, the content of the returned page is below within the <content/>:
> <content>
> You are logged in as remote user null in session D97EE937BEC953A7E82E42B3956AED86
> No user principal could be identified.
> To check whether your username has been granted a particular role, enter it here:
> If you have configured this app for form-based authentication, you can log off by 
> clicking here. This should cause you to be returned to the logon page after the 
> redirect that is performed.
> </content>
> I'm sure this has happened to someone else, I just cannot find where.
> I googled and didn't come up with much. I searched the archives using
> "You are logged in as remote user null in session" and no matches were
> found.
> Any help would be greatly appreciated.
> /robert

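Added example, not part of the thread: the constraint quoted above has no <auth-constraint>, and under the Servlet specification a <security-constraint> without one restricts nothing, which is why the JSP is served with a 200 rather than the expected 403. The fragment below places the poster's constraint beside the form that denies direct requests (an empty <auth-constraint/>) so the <error-page> is used; the broader *.jsp pattern mentioned in a comment goes beyond the thread's own URL pattern.

```xml
<!-- Before: the constraint as posted. Without an <auth-constraint> the
     container applies no access check, so /security/protected/* is
     served normally (status 200) and the 403 error-page never fires. -->
<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/security/protected/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- After: an empty <auth-constraint/> means "no role is permitted", so
     every direct client request matching the pattern is refused with
     403 and the <error-page> below supplies the response body. No
     <login-config> is needed for this, because no user can ever
     satisfy the constraint. Security constraints apply only to client
     requests, not to RequestDispatcher.forward/include, so a
     controller servlet can still forward to the JSP. -->
<security-constraint>
  <display-name>Deny direct access to protected JSPs</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/security/protected/*</url-pattern>
    <!-- A wider pattern such as *.jsp (beyond the thread's example)
         is the portable equivalent of moving the files under WEB-INF. -->
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<!-- The error-page from the thread, now reached because a real 403
     is generated. -->
<error-page>
  <error-code>403</error-code>
  <location>/dates/date.jsp</location>
</error-page>
```

To require a login instead of denying everyone, replace the empty element with <auth-constraint><role-name>...</role-name></auth-constraint> and add a matching <login-config>; the container then answers 401/redirects to the login page rather than 403.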
