tomcat-users mailing list archives

From "Jo" <joj...@speedlegal.com>
Subject Re: security constraints in tomcat 4.1.30
Date Sun, 05 Jun 2005 23:33:59 GMT
Hi Angela,

Not sure why it works fine with Tomcat 5, but the following is my view of the
problem with the login page.

1. The security constraint for the images and CSS says that the GET and
HEAD methods on these resources ARE protected.
2. When you go to the login page, as it tries to get the protected images
and stylesheet, Tomcat has to redirect the request back to the login page
again.

rgds,
Jo.-

----- Original Message ----- 
From: "Angela Stempfel" <hippie@netlabs.org>
To: <tomcat-user@jakarta.apache.org>
Sent: Friday, June 03, 2005 4:53 PM
Subject: security constraints in tomcat 4.1.30


> Hello all
>
> I have a problem concerning Tomcat 4.1.30. In web.xml I defined several
> security constraints. First of all I protected the whole application and
> then I excluded the directories with images and css files. Furthermore I
> defined some roles.
>
> <pre>
> <security-constraint>
>   <display-name>TCE GUI</display-name>
>   <web-resource-collection>
>     <web-resource-name>WEBGui Area</web-resource-name>
>     <!-- Define the context-relative URL(s) to be protected -->
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <!-- Anyone with one of the listed roles may access this area -->
>     <role-name>*</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Images and CSS Not Protected</web-resource-name>
>     <url-pattern>/images/*</url-pattern>
>     <url-pattern>/css/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>HEAD</http-method>
>   </web-resource-collection>
> </security-constraint>
>
> <security-constraint>
>   <display-name>DSLAM Configuration</display-name>
>   <web-resource-collection>
>     <web-resource-name>
>       Access to DSLAM Configuration
>     </web-resource-name>
>     <url-pattern>/DslamConfig/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>dslamConfig</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/login-error.jsp</form-error-page>
>   </form-login-config>
> </login-config>
>
> <security-role>
>   <role-name>dslamConfig</role-name>
> </security-role>
> </pre>
>
> So my problem is that this works fine with Tomcat 5.0 but not with
> Tomcat 4.1.30. If I go to the login page, the stylesheet and images are
> not found when running the Application with version 4.1.30. Also the
> Security Constraints are not working correctly, this means that a user
> that hasn't the role "dslamConfig" is able to enter the following URL:
> /DslamConfig/*
>
> Has anyone some ideas?
>
> Thanks a lot
> Angela
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
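
An added example, not part of the thread: a small Python model that evaluates the three quoted constraints under two selection strategies, the Servlet 2.4 rule (constraints on the best-matching URL pattern are combined) and a hypothetical "first declared match wins" rule. The first-match rule is an assumption used for comparison, not confirmed Tomcat 4.1.30 behaviour; the model handles only exact and `/prefix/*` patterns and treats `*` as any authenticated user.

```python
import xml.etree.ElementTree as ET

# The three constraints from the web.xml quoted above (display/resource names dropped).
WEB_XML = """<web-app>
<security-constraint><web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
<auth-constraint><role-name>*</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection><url-pattern>/images/*</url-pattern><url-pattern>/css/*</url-pattern>
<http-method>GET</http-method><http-method>HEAD</http-method></web-resource-collection></security-constraint>
<security-constraint><web-resource-collection><url-pattern>/DslamConfig/*</url-pattern></web-resource-collection>
<auth-constraint><role-name>dslamConfig</role-name></auth-constraint></security-constraint></web-app>"""

def load(xml):
    """Return [(patterns, methods, roles)]; roles is None when there is no auth-constraint."""
    texts = lambda el, tag: {e.text.strip() for e in el.iter(tag)} if el is not None else None
    return [(texts(sc, "url-pattern"), texts(sc, "http-method"),
             texts(sc.find("auth-constraint"), "role-name"))
            for sc in ET.fromstring(xml).iter("security-constraint")]

def match_len(pattern, path):
    """Specificity of an exact or '/prefix/*' pattern for path, -1 if it does not match."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return len(base) if path == base or path.startswith(base + "/") else -1
    return len(pattern) if pattern == path else -1

def decide(roles, user_roles):
    """user_roles None = anonymous. Simplification: '*' means any authenticated user."""
    if not roles:
        return "public" if roles is None else "deny"
    if user_roles is None:
        return "login"
    return "allow" if "*" in roles or roles & user_roles else "deny"

def first_match(cons, path, method, user_roles):
    """Assumed legacy strategy: the first declared constraint that matches decides."""
    for pats, methods, roles in cons:
        if (not methods or method in methods) and any(match_len(p, path) >= 0 for p in pats):
            return decide(roles, user_roles)
    return "public"

def best_match(cons, path, method, user_roles):
    """Servlet 2.4 strategy: only constraints on the most specific pattern are combined."""
    hits = [(max((match_len(p, path) for p in pats), default=-1), m, r) for pats, m, r in cons]
    best = max((n for n, _, _ in hits), default=-1)
    app = [r for n, m, r in hits if n == best >= 0 and (not m or method in m)]
    if not app or (None in app and set() not in app):
        return "public"
    return decide(set() if set() in app else set().union(*app), user_roles)
```

Calling both functions on `load(WEB_XML)` for an anonymous `GET /css/site.css` and for `GET /DslamConfig/edit` as a user without `dslamConfig` shows where the two strategies diverge for this descriptor.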

