tomcat-users mailing list archives

From Angela Stempfel <hip...@netlabs.org>
Subject security constraints in tomcat 4.1.30
Date Fri, 03 Jun 2005 06:53:27 GMT
Hello all

I have a problem concerning Tomcat 4.1.30. In web.xml I defined several 
security constraints. First of all I protected the whole application and 
then I excluded the directories with images and css files. Furthermore I 
defined some roles.

<pre>
<security-constraint>
	<display-name>TCE GUI</display-name>
	<web-resource-collection>
		<web-resource-name>WEBGui Area</web-resource-name>
		<!-- Define the context-relative URL(s) to be protected -->
		<url-pattern>/*</url-pattern>
	</web-resource-collection>
	<auth-constraint>
		<!-- Anyone with one of the listed roles may access this area -->
		<role-name>*</role-name>
	</auth-constraint>
</security-constraint>

<security-constraint>
	<web-resource-collection>
		<web-resource-name>Images and CSS Not Protected</web-resource-name>
		<url-pattern>/images/*</url-pattern>
		<url-pattern>/css/*</url-pattern>
		<http-method>GET</http-method>
		<http-method>HEAD</http-method>
	</web-resource-collection>
</security-constraint>

<security-constraint>
	<display-name>DSLAM Configuration</display-name>
	<web-resource-collection>
		<web-resource-name>Access to DSLAM Configuration</web-resource-name>
		<url-pattern>/DslamConfig/*</url-pattern>
	</web-resource-collection>
	<auth-constraint>
		<role-name>dslamConfig</role-name>
	</auth-constraint>
</security-constraint>

<login-config>
	<auth-method>FORM</auth-method>
	<form-login-config>
		<form-login-page>/login.jsp</form-login-page>
		<form-error-page>/login-error.jsp</form-error-page>
	</form-login-config>
</login-config>

<security-role>
	<role-name>dslamConfig</role-name>
</security-role>
</pre>

So my problem is that this works fine with Tomcat 5.0 but not with 
Tomcat 4.1.30. If I go to the login page, the stylesheet and images are 
not found when running the application with version 4.1.30. Also, the 
security constraints are not working correctly; this means that a user 
who doesn't have the role "dslamConfig" is able to enter the following URL: 
/DslamConfig/*

Does anyone have any ideas?

Thanks a lot
Angela

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
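
Added example, not part of the original message: a small Python model of how the three posted constraints resolve for a request under the Servlet 2.4 best-match rule and under a first-declared-match rule. The first-declared model is an assumption used for contrast (the post does not establish how 4.1.30 resolves overlapping constraints); `load`, `rank` and `required_roles` are names made up here.

```python
import xml.etree.ElementTree as ET

# Constructed: the post's three constraints, reduced to the elements that affect matching.
WEB_XML = """<web-app>
 <security-constraint><web-resource-collection><url-pattern>/*</url-pattern>
  </web-resource-collection><auth-constraint><role-name>*</role-name></auth-constraint>
 </security-constraint>
 <security-constraint><web-resource-collection><url-pattern>/images/*</url-pattern>
  <url-pattern>/css/*</url-pattern><http-method>GET</http-method>
  <http-method>HEAD</http-method></web-resource-collection></security-constraint>
 <security-constraint><web-resource-collection><url-pattern>/DslamConfig/*</url-pattern>
  </web-resource-collection><auth-constraint><role-name>dslamConfig</role-name>
  </auth-constraint></security-constraint>
</web-app>"""

def load(xml_text):
    """Yield (patterns, methods, roles); roles is None without an auth-constraint."""
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text.strip() for r in auth.iter("role-name")]
        for wrc in sc.iter("web-resource-collection"):
            yield ([p.text.strip() for p in wrc.iter("url-pattern")],
                   [m.text.strip() for m in wrc.iter("http-method")], roles)

def rank(pattern, path):
    """Match strength: exact > longest prefix > extension > default; -1 is no match."""
    if pattern == path:
        return 10_000
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return len(pattern)
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return 1
    return 0 if pattern == "/" else -1

def required_roles(path, method, best_match=True, xml_text=WEB_XML):
    """None = no login needed, [] = nobody, otherwise the roles that may access."""
    hits = [(max((rank(p, path) for p in pats), default=-1),
             not meths or method in meths, roles)
            for pats, meths, roles in load(xml_text)]
    hits = [h for h in hits if h[0] >= 0]
    if not best_match:                      # hypothetical first-declared-match model
        hits = [h for h in hits if h[1]][:1]
    else:                                   # Servlet 2.4: best pattern first, then method
        top = max((h[0] for h in hits), default=-1)
        hits = [h for h in hits if h[0] == top and h[1]]
    if not hits or any(h[2] is None for h in hits):
        return None
    if any(h[2] == [] for h in hits):
        return []
    return sorted({r for h in hits for r in h[2]})
```

Under the first-declared model the `/*` constraint answers for every path, which would produce both reported symptoms. Under best-match, the `http-method` list on the images/CSS constraint leaves the other methods on those patterns outside every constraint.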
