tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: security constraints in tomcat 4.1.30
Date Sat, 04 Jun 2005 02:15:48 GMT
Along with what Mark said, you should know that TC 4.1.30 stops checking 
after the *first* matching constraint (so in your case, the '/*' always 
wins).  Try reversing the order of your constraints in web.xml.

As Mark mentioned, this has changed in TC 5.x, and your web.xml should work 
as written.

"Angela Stempfel" <hippie@netlabs.org> wrote in message 
news:429FFE67.5030803@netlabs.org...
> Hello all
>
> I have a problem concerning Tomcat 4.1.30. In web.xml I defined several 
> security constraints. First of all I protected the whole application and 
> then I excluded the directories with images and css files. Furthermore I 
> defined some roles.
>
> <pre>
> <security-constraint>
> <display-name>TCE GUI</display-name>
> <web-resource-collection>
> <web-resource-name>WEBGui Area</web-resource-name>
> <!-- Define the context-relative URL(s) to be protected -->
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <!-- Anyone with one of the listed roles may access this area -->
> <role-name>*</role-name>
> </auth-constraint>
> </security-constraint>
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Images and CSS Not Protected</web-resource-name>
> <url-pattern>/images/*</url-pattern>
> <url-pattern>/css/*</url-pattern>
> <http-method>GET</http-method>
> <http-method>HEAD</http-method>
> </web-resource-collection>
> </security-constraint>
>
> <security-constraint>
> <display-name>DSLAM Configuration</display-name>
> <web-resource-collection>
> <web-resource-name>
> Access to DSLAM Configuration
> </web-resource-name>
> <url-pattern>/DslamConfig/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>dslamConfig</role-name>
> </auth-constraint>
> </security-constraint>
> <login-config>
> <auth-method>FORM</auth-method>
> <form-login-config>
> <form-login-page>/login.jsp</form-login-page>
> <form-error-page>/login-error.jsp</form-error-page>
> </form-login-config>
> </login-config>
>
> <security-role>
> <role-name>dslamConfig</role-name>
> </security-role>
> </pre>
>
> So my problem is that this works fine with Tomcat 5.0 but not with Tomcat 
> 4.1.30. If I go to the login page, the stylesheet and images are not found 
> when running the Application with version 4.1.30. Also, the Security 
> Constraints are not working correctly; this means that a user who doesn't 
> have the role "dslamConfig" is able to enter the following URL: /DslamConfig/*
>
> Has anyone some ideas?
>
> Thanks a lot
> Angela 




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
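
Added example (not part of the original messages and not Tomcat's own code): a small Python model of the first-match evaluation described in the reply, run over the constraints from the quoted web.xml in declared and in reversed order. The `operator` role, the sample request paths, and treating `*` as "any authenticated user" are assumptions made for the illustration.

```python
# Constructed model of the three constraints in the quoted web.xml:
# (url patterns, http methods or None for all, roles or None for no auth-constraint)
DECLARED = [
    (["/*"], None, ["*"]),
    (["/images/*", "/css/*"], ["GET", "HEAD"], None),
    (["/DslamConfig/*"], None, ["dslamConfig"]),
]
REVERSED = list(reversed(DECLARED))

def pattern_matches(pattern, path):
    """Path-prefix ('/x/*') or exact match; the only kinds used above."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern

def first_match(constraints, path, method):
    """Return the first constraint covering path and method, else None."""
    for patterns, methods, roles in constraints:
        if methods is not None and method not in methods:
            continue  # constraint limited to other HTTP methods
        if any(pattern_matches(p, path) for p in patterns):
            return (patterns, methods, roles)
    return None

def decide(constraints, path, method, user_roles=None):
    """Return 'allow', 'login' (not authenticated) or 'deny' (wrong role).
    user_roles=None means the request carries no authenticated user."""
    hit = first_match(constraints, path, method)
    if hit is None or hit[2] is None:
        return "allow"  # uncovered, or covered without an auth-constraint
    if user_roles is None:
        return "login"
    roles = hit[2]
    if "*" in roles or set(roles) & set(user_roles):
        return "allow"
    return "deny"

if __name__ == "__main__":
    for name, order in (("declared", DECLARED), ("reversed", REVERSED)):
        print(name,
              decide(order, "/css/site.css", "GET"),
              decide(order, "/DslamConfig/edit", "GET", ["operator"]))
```

In declared order the `/*` entry answers every request, which reproduces both symptoms in the question; in reversed order a non-GET/HEAD request under `/images/` still falls through to `/*` and requires login.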

