tomcat-users mailing list archives

From "Robert Taylor" <rtay...@mulework.com>
Subject RE: [newbie] Container Managed Security - preventing direct access to .jsp
Date Tue, 14 Dec 2004 20:13:59 GMT
Yes. That would be an alternative approach.
However, I want to use CMS (Container Managed Security) to protect direct access to .jsp pages.
This should be possible as per the Servlet specification.

/robert

> -----Original Message-----
> From: Ben Souther [mailto:bsouther@fwdco.com]
> Sent: Tuesday, December 14, 2004 1:16 PM
> To: Tomcat Users List
> Subject: RE: [newbie] Container Managed Security - preventing direct
> access to .jsp
> 
> 
> Filters are portable.
> 
> 
> 
> On Tue, 2004-12-14 at 12:32, Robert Taylor wrote:
> > Ping...
> > 
> > Please let me know if this question is just too obvious
> > and I'll gladly RTFM...even more. And yes, I know this list
> > is not here just to serve _my_ interests.
> > 
> > It just seems like a common idiom to provide a portable mechanism
> > for protecting direct access to .jsp so as to enforce access through
> > some controller. I have in the past placed .jsp files "behind" WEB-INF,
> > but I don't believe that is portable and would like to use CMS to achieve
> > this.
> > 
> > Thanks again.
> > 
> > /robert
> > 
> > 
> > > -----Original Message-----
> > > From: Robert Taylor [mailto:rtaylor@mulework.com]
> > > Sent: Monday, December 13, 2004 8:59 PM
> > > To: tomcat-user@jakarta.apache.org
> > > Subject: [newbie] Container Managed Security - preventing direct access
> > > to .jsp
> > > 
> > > 
> > > Greetings, 
> > > 
> > > I'm new to Tomcat and this mailing list, and have a question
> > > regarding configuring Tomcat to simply disallow access to .jsp pages
> > > which I have protected via the <security-constraint/> in my web app
> > > web.xml file.
> > > 
> > > From what I understand, the following should do the trick and cause
> > > a 403 error to be sent to the browser by the container. I would like
> > > to trap that error code and display a user friendly page (I chose any page
> > > so I would know it's working).
> > > 
> > > I've simply modified the Tomcat jsp-examples web app. Here's a snippet
> > > of the necessary artifacts in the web.xml file.
> > > 
> > > 
> > > 
> > > <error-page>
> > >     <error-code>403</error-code>
> > >     <location>/dates/date.jsp</location>
> > > </error-page>
> > > 
> > > <security-constraint>
> > >       <display-name>Example Security Constraint</display-name>
> > >       <web-resource-collection>
> > >          <web-resource-name>Protected Area</web-resource-name>
> > >          <url-pattern>/security/protected/*</url-pattern>
> > >       </web-resource-collection>
> > > </security-constraint>
> > > 
> > > 
> > > I believe the constraint is working, but I don't think the 
> > > <error-page/> is "catching" the 403 status code. This is probably
> > > because a 403 status code is not returned, but rather a 200 (I verified
> > > this by looking at the response headers).
> > > 
> > > Anyhow, the content of the returned page is below within the <content/>:
> > > 
> > > 
> > > <content>
> > > You are logged in as remote user null in session D97EE937BEC953A7E82E42B3956AED86
> > > 
> > > No user principal could be identified.
> > > 
> > > To check whether your username has been granted a particular role, enter it here:
> > > 
> > > 
> > > If you have configured this app for form-based authentication, you can log off by
> > > clicking here. This should cause you to be returned to the logon page after the
> > > redirect that is performed.
> > > </content>
> > > 
> > > I'm sure this has happened to someone else, I just cannot find where.
> > > I googled and didn't come up with much. I searched the archives using
> > > "You are logged in as remote user null in session" and no matches were
> > > found.
> > > 
> > > Any help would be greatly appreciated.
> > > 
> > > /robert
> > > 
> > > 
> > >  
> > > 
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> > > 
> > > 
> > 
> > 
> > 
> 
> 
> 
> 

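The constraint quoted in the thread has no <auth-constraint> element, and the Servlet specification treats a security-constraint without one as "grant access to everyone", which is why the container answers with 200 and the protected page's own content instead of a 403. The following web.xml fragment is an added example, not the original poster's configuration: the /security/protected/* pattern and the /dates/date.jsp error page come from the post, while the *.jsp pattern and the controller servlet are assumptions. An empty <auth-constraint/> denies every direct client request to the matching URLs, so the 403 is real and the <error-page> mapping fires; a RequestDispatcher forward from a controller is not a client request, so it still reaches the JSP.

```xml
<!-- Added example, not the poster's web.xml. Elements are in Servlet 2.3 DTD
     order (servlet, servlet-mapping, error-page, security-constraint) so the
     fragment also validates under a DTD-based deployment descriptor. -->

<!-- Assumed front controller: its RequestDispatcher.forward() to a .jsp is an
     internal dispatch, so the security constraints below do not apply to it. -->
<servlet>
  <servlet-name>controller</servlet-name>
  <servlet-class>com.example.ControllerServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>controller</servlet-name>
  <url-pattern>/app/*</url-pattern>
</servlet-mapping>

<!-- With a real 403 status the mapping from the post now takes effect. The
     error page is reached by an internal dispatch, so it may itself be a JSP. -->
<error-page>
  <error-code>403</error-code>
  <location>/dates/date.jsp</location>
</error-page>

<!-- The posted constraint: no <auth-constraint>, so every request is allowed
     and the container returns 200 with the page body. -->
<security-constraint>
  <display-name>Example Security Constraint (as posted, permits all)</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/security/protected/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- Corrected form: an empty <auth-constraint/> means "no role may access",
     so any direct client request for a .jsp is refused with 403. No
     <http-method> is listed, so all methods are covered. -->
<security-constraint>
  <display-name>No direct access to JSP pages</display-name>
  <web-resource-collection>
    <web-resource-name>All JSP pages</web-resource-name>
    <!-- *.jsp is an assumed pattern covering every JSP in the web app -->
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

After deploying, a direct browser request for any .jsp should show 403 in the access log and render /dates/date.jsp, while requests under /app/* that the controller forwards to a JSP still succeed.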

