tomcat-users mailing list archives

From "Gagnon, Joseph M \(US SSA\)" <>
Subject RE: Help/Examples setting up security settings
Date Wed, 15 Jun 2005 13:31:37 GMT
Ah-ha! Everything I had read so far led me to think I needed to put
everything under ROOT. I'm glad you guys pointed that out. It makes

In the meantime, to make things simpler, I set up another "webapp"
without any of the SPID stuff I was talking about before. It's very
simple and contains nothing more than a login page (login.jsp) and login
error page (login_error.html), the "environment" page (environment.jsp)
I mentioned before and an error page (error.jsp), specified in the
"errorPage" attribute of the "page" directive of the JSP files.

The new app. sits in [tomcat]\webapps\Simple_JSP (not under ROOT any
more) and the web.xml file in the WEB-INF subdirectory has been set up
to use the correct path. I also included the security-role element Frank
mentioned below.

The <web-app> portion of web.xml looks like this:

<web-app xmlns=""

	<display-name>Simple JSP</display-name>
	<description>Simple JSP Test</description>

		<description>Security Role</description>

			<web-resource-name>Simple JSP


Of course, I set up the simple_jsp role in the tomcat-users.xml file and
added that role to my user entry.

Now that this is all said and done, I'm still getting behavior that I'm
not expecting. If I load my "environment" file into the browser
(http://localhost/Simple_JSP/environment.jsp), it comes up as though
there were no security/authentication mechanism to put up a roadblock.
The login page is never presented.

I was expecting that if I were to request any page from the Simple_JSP
area, that before anything is displayed, I would be prompted to provide
a user name and password. Isn't that what's supposed to happen?


-----Original Message-----
From: Frank W. Zammetti [] 
Sent: Tuesday, June 14, 2005 6:37 PM
To: Tomcat Users List
Subject: Re: Help/Examples setting up security settings

As Mark indicated in another post, the first problem you need to resolve
is how you have installed your webapp.  ROOT is itself a webapp, and 
although it might seem right that you want to put your webapp under it, 
that isn't the case.  Move SPID_JSP to /webapps and you should be all

One other thing I see is you are missing security role definitions in 
your web.xml.  You'll want to add something like this:


The role-name element maps to the role you created in tomcat-users.xml, 
and also maps to the security constraint's role-name element, as you 
already have.

One other thing... the order of elements in web.xml is usually 
important.  I think newer versions of Tomcat allow you to put things in 
any order you want (as one would expect with XML!), but earlier versions
had a more restrictive DTD.  You should see an error message when you 
start Tomcat if this is going to be a problem.  Just wanted to warn you 
about it if you see it later.


Gagnon, Joseph M (US SSA) wrote:
> OK, now I'm more confused. First some background (for those of you who
> haven't seen the entire history).
> 1.	I have defined a role and added myself as a user in that role to
> the tomcat-users.xml file (in [tomcat install dir]/conf). The role is
> defined as "spid_jsp". (SPID is just the name of an existing
> that contains ASP files that I would like to test converting to JSP.)
> 2.	I have placed a WEB-INF directory under my test application
> directory ([tomcat install dir]/webapps/ROOT/SPID_JSP) and put a
> file in it. (SPID_JSP is where the JSP and HTML files reside.)
> 3.	That web.xml file contains the following:
> 	<web-app xmlns=""
> xmlns:xsi=""
> 	    xsi:schemaLocation="
> 		<display-name>SPID JSP Test</display-name>
> 		<description>SPID JSP Test</description>
> 		<login-config>
> 			<auth-method>FORM</auth-method>
> 			<form-login-config>
> <form-login-page>/SPID_JSP/login.jsp</form-login-page>
> <form-error-page>/SPID_JSP/login_error.html</form-error-page>
> 			</form-login-config>
> 		</login-config>
> 		<security-constraint>
> 			<web-resource-collection>
> 				<web-resource-name>SPID JSP
> Test</web-resource-name>
> 				<url-pattern>/SPID_JSP/*</url-pattern>
> 				<http-method>GET</http-method>
> 				<http-method>POST</http-method>
> 			</web-resource-collection>
> 			<auth-constraint>
> 				<role-name>spid_jsp</role-name>
> 			</auth-constraint>
> 		</security-constraint>
> 	</web-app>
> 4.	I have set up login.jsp and login_error.html files (in [tomcat
> install dir]/webapps/ROOT/SPID_JSP) to provide a login form and login
> error page, respectively. The login.jsp file specifies
> for the form action and j_username and j_password as the names of the
> user name and password fields on the form.
> 5.	I have another JSP file named environment.jsp that basically
> prints out the results from calling various methods available from
> implicit objects available (e.g. session, request, etc.). This just
> allows me to 1) display something as a JSP page and 2) show me some
> information about the environment.
> OK, my understanding (as poor as that is) of this
> authentication/security process is that based upon the setup just
> described, if I try to access a page in my SPID_JSP area, I should be
> presented with the login page. If I provide the correct user
> name/password, I should then be "logged in" and be able to see the
> I requested. If not, then I should get the login error page.
> That's not the case for me. If I enter
> http://localhost/SPID_JSP/environment.jsp in my browser, one of two
> things ends up happening (why two things, rather than just one, I have
> no idea, but it's just one more thing on my stack of don't-know-whys).
> 1.	I get the standard HTTP 500 message: "This page cannot be
> displayed." If I do a reload of the page, my environment "dump"
> magically appears (although the page header still shows "HTTP 500
> Internal server error"). I can do multiple reloads and the information
> appears to be updated each time (i.e. I don't think it's coming out of
> cache). Oddly, this only seems to occur when I bring up a fresh
> and load the page directly for the first time.
> 2.	If, however, I enter just the application "root" directory (i.e.
> http://localhost/SPID_JSP) in the browser, I get a listing of the
> in that directory (The environment.jsp file is listed among them.). If
> click on its link, again I get my environment "dump", except this
> the page header shows what I expect: "Get Environment Data".
> First, why didn't I get presented with the login page? Isn't that what
> was supposed to happen?
> Second, I don't understand the dual behavior observed above. Why
> I get what happens in scenario 1? The file requested exists at the
> location specified. What gives? Why does scenario 2 allow me to access
> my page as I would expect to?
> Obviously, I don't know diddly-squat about how this technology works
> is meant to be used. Everything I try ends up either a drop dead
> or confuses me even more than I already was. There does not seem to be
> any consistency to the behaviors I've been seeing. If someone asked me
> right now whether to recommend using JSP, I'd have to say "No". I
> even get a simple test scenario to work.
> I'm trying to hold off on buying any books on the subject, because I'm
> not sure which ones would be the best to get (although I have some
> ideas) and more importantly, because I am trying to evaluate the
> technology and the feasibility (not to mention the do-ability) of
> potentially converting an existing ASP application to JSP. The books
> would be purchased through my department, and I don't want to have a
> bunch of books bought that I may end up not using, if the decision
> up being that we won't go the JSP route.
> I realize that it's difficult for someone reading this to get the full
> picture of my situation. I've tried to include all pertinent
> information.
> If anyone can help me out, I would sure appreciate it. (Thanks again
> Frank Zammetti for the information you've provided so far.)
> Thanks,
> Joe Gagnon
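
An added example, not part of the thread or of Tomcat: a small Python check for a deployment descriptor like the one quoted above. It flags three things: paths that repeat the webapp's own name (web.xml paths are relative to the context root), a constraint limited to listed HTTP methods, and a role used without a security-role declaration. The function name, finding codes and SAMPLE document are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the web.xml quoted in the thread
# (namespace attributes omitted); not a file from the original poster.
SAMPLE = """<web-app>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/SPID_JSP/login.jsp</form-login-page>
      <form-error-page>/SPID_JSP/login_error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SPID JSP Test</web-resource-name>
      <url-pattern>/SPID_JSP/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>spid_jsp</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def lint_web_xml(xml_text, context_name):
    """Return sorted finding codes for a web.xml deployed as /context_name."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                  # drop any XML namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    text = lambda path: [(e.text or "").strip() for e in root.findall(path)]
    findings = set()
    prefix = "/" + context_name + "/"
    # Paths in web.xml are relative to the context root, so repeating the
    # webapp's own name protects /ctx/ctx/* rather than /ctx/*.
    paths = (text("security-constraint/web-resource-collection/url-pattern")
             + text("login-config/form-login-config/form-login-page")
             + text("login-config/form-login-config/form-error-page"))
    if any(p.startswith(prefix) for p in paths):
        findings.add("PATH_REPEATS_CONTEXT")
    # Listing <http-method> limits the constraint to those methods only.
    if text("security-constraint/web-resource-collection/http-method"):
        findings.add("METHODS_NOT_LISTED_UNPROTECTED")
    # Roles named in an auth-constraint should be declared in security-role.
    used = set(text("security-constraint/auth-constraint/role-name"))
    declared = set(text("security-role/role-name"))
    if used - declared - {"*"}:
        findings.add("ROLE_NOT_DECLARED")
    return sorted(findings)
```

Calling `lint_web_xml(SAMPLE, "SPID_JSP")` reports all three findings; a descriptor with `/*` as the pattern, no `http-method` entries and a matching `security-role` element reports none.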
