tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Taylor" <>
Subject RE: [newbie] Container Managed Security - preventing direct access to .jsp
Date Tue, 14 Dec 2004 22:49:08 GMT
Fair enough.

When I mention Container Managed Security, I am refering to
using security constraints defined in web.xml to prevent
direct access to resources.

More specifically in Section 12.8 of the 2.4 specification:

Security constraints are a declarative way of defining the protection of web content.
A security constraint associates authorization and or user data constraints with
HTTP operations on web resources. A security constraint, which is represented by
security-constraint in deployment descriptor, consists of the following elements:

  • web resource collection (web-resource-collection in deployment descriptor)
  • authorization constraint (auth-constraint in deployment descriptor)
  • user data constraint (user-data-constraint in deployment descriptor)

The HTTP operations and web resources to which a security constraint
applies (i.e. the constrained requests) are identified by one or more web resource
collections. A web resource collection consists of the following elements:

• URL patterns (url-pattern in deployment descriptor)
• HTTP methods (http-method in deployment descriptor)

An authorization constraint establishes a requirement for authentication and
names the authorization roles permitted to perform the constrained requests. A
user must be a member of at least one of the named roles to be permitted to
perform the constrained requests. The special role name “*” is a shorthand for all
role names defined in the deployment descriptor. An authorization constraint that
names no roles indicates that access to the constrained requests must not be
permitted under any circumstances.

Does this not imply that I can do what I am trying to do?


> -----Original Message-----
> From: Hassan Schroeder []
> Sent: Tuesday, December 14, 2004 5:07 PM
> To: Tomcat Users List
> Subject: Re: [newbie] Container Managed Security - preventing direct
> access to .jsp
> Robert Taylor wrote:
> > I didn't realize that was added to the 2.4 spec.
> It was in 2.3, too. I'd guess it was in the spec from the get-go,
> but don't have an older copy to hand to confirm.
> > Even so, it would be nice to know how to use CMS to achieve this.
> What is your definition of "Container Managed Security", then, if
> not this? The container prevents direct access to the resources
> placed within WEB-INF, without you having to do anything else.
> > Maybe a better way to form the question would be how do I use
> > CMS to protect .jsp pages from direct access
> as above.
>  >                                               and return a user
> > friendly page/message when a .jsp page is requested without going through
> > the controller?
> A custom 404 page should take care of it. And you can get as fancy
> with that as you like :-)
> --
> Hassan Schroeder -----------------------------
> Webtuitive Design ===  (+1) 408-938-0567   ===
>                            dream.  code.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message