tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Trouble understanding security constraints
Date Thu, 09 Feb 2006 04:05:20 GMT

"Alan Chandler" <alan@chandlerfamily.org.uk> wrote in message 
news:200602082320.35930.alan@chandlerfamily.org.uk...
> My normal deployment of Tomcat is behind apache2, and up to now I have 
> been
> using basic authentication defined by Apache's configuration file as to 
> who
> has access to what.
>
> I am about to implement the piece of the application that allows users to
> change their own passwords, and the administrator to set up and administer
> users.
>
> In order to develop and test the application where I am only running 
> tomcat
> (controlled via eclipse) I need to replicate the security controls I will
> eventually be putting in place via apache.
>
> given a servlet application called /usermgr, then relative to that root, I
> need url patterns /* to require that any user who has an entry in the user
> table of the JDBCRealm I am using is prompted to login, and must 
> successfully
> do so, whereas to access a url pattern of /admin/* I need to ensure that 
> the
> person who has logged in has the role of 'admin'.
>
> I think I need something like this in my web.xml file.  Have I understood 
> this
> correctly?
>

This works correctly in TC 5.x.  You need to reverse the order for TC 4.1.x 
(this is due to a change in the respective versions of the servlet spec they 
implement).

> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Valid Users</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>*</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Site Admin</web-resource-name>
>     <url-pattern>/admin/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>admin</role-name>
>   </auth-constraint>
> </security-constraint>
>
> but where I am stuck is with the login config
>
> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name></realm-name>
> </login-config>
>
> Is realm name just some descriptive text to prompt the user with, or has 
> it
> any other significance, and am I limited to only one user prompt for both
> security constraints?
>

The realm name is just some descriptive text to prompt the user with.  And, 
I'm afraid that you are limited to only one user prompt.

> Finally, what does security role mean within there.  ie do I need the
> following
>
> <security-role>
>   <description>Site administrator</description>
>   <role-name>admin</role-name>
> </security-role>
>
> and what does it actually mean?
>

It's really more for full-blown J2EE containers, but all it means is that 
you are telling Tomcat what are the valid roles for accessing this webapp.

Note that for the latest 5.5 release (and the next 4.1 release, when it 
happens) you need a <security-role /> for each role that can access your 
webapp (this was a bug in earlier Tomcat versions :).  Alternatively, create 
a special 'myapprole', list it, and assign all of your users that role (in 
addition to any others they may have).

>
>
>
> -- 
> Alan Chandler
> http://www.chandlerfamily.org.uk
> Open Source. It's the difference between trust and antitrust. 
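
The following Python script is an added example, not part of this thread and not Tomcat's own code. It models the two points in the reply above: how a servlet 2.4 container (Tomcat 5.x) picks the most specific matching `<security-constraint>` for a request, so that `/admin/*` overrides `/*` regardless of document order, versus the first-match behaviour the reply implies for Tomcat 4.1.x (servlet 2.3), which is why the order must be reversed there; and how `<role-name>*</role-name>` expands only to roles declared in `<security-role>`, so a user whose only role is undeclared is refused even on `/*`. The declared role set `SECURITY_ROLES`, the selection functions and the request paths are constructed assumptions for the example; the 4.1.x rule is modelled as plain first-match, as inferred from the reply's advice rather than taken from Tomcat's source.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass
class Constraint:
    """One <security-constraint>: its url-patterns and its <auth-constraint> roles.
    roles=None models a constraint with no <auth-constraint> (unrestricted);
    roles=[] models an empty <auth-constraint> (nobody may access)."""
    name: str
    patterns: List[str]
    roles: Optional[List[str]]


# Declared <security-role> names (constructed for this example). The '*'
# role-name expands to exactly this set, which is why the reply says every
# role that may access the webapp needs its own <security-role> element.
SECURITY_ROLES: Set[str] = {"admin", "user"}

# The two constraints from the question, in the order they appear in web.xml.
CONSTRAINTS: List[Constraint] = [
    Constraint("Valid Users", ["/*"], ["*"]),
    Constraint("Site Admin", ["/admin/*"], ["admin"]),
]


def prefix_match_len(pattern: str, path: str) -> int:
    """Return the prefix length when a '/foo/*' pattern covers `path`, else -1."""
    if not pattern.endswith("/*"):
        return -1
    prefix = pattern[:-2]
    if path == prefix or path.startswith(prefix + "/"):
        return len(prefix)
    return -1


def pattern_matches(pattern: str, path: str) -> bool:
    """Any of the four servlet url-pattern forms: exact, prefix, extension, default."""
    if pattern == path or pattern == "/":
        return True
    if prefix_match_len(pattern, path) >= 0:
        return True
    return pattern.startswith("*.") and path.endswith(pattern[1:])


def most_specific(path: str) -> List[Constraint]:
    """Servlet 2.4 / Tomcat 5.x selection: exact match, then the longest
    path-prefix match, then extension match, then the default pattern '/'.
    Constraints tied on the winning pattern are all returned and combined."""
    exact = [c for c in CONSTRAINTS if path in c.patterns]
    if exact:
        return exact
    best_len, best = -1, []
    for c in CONSTRAINTS:
        n = max((prefix_match_len(p, path) for p in c.patterns), default=-1)
        if n > best_len:
            best_len, best = n, [c]
        elif n == best_len and n >= 0:
            best.append(c)
    if best:
        return best
    ext = [c for c in CONSTRAINTS
           if any(p.startswith("*.") and path.endswith(p[1:]) for p in c.patterns)]
    if ext:
        return ext
    return [c for c in CONSTRAINTS if "/" in c.patterns]


def first_in_file(path: str) -> List[Constraint]:
    """Modelled Tomcat 4.1.x (servlet 2.3) selection: the first constraint in
    document order whose pattern matches wins. With the question's order, '/*'
    shadows '/admin/*', which is why the reply says to reverse them for 4.1.x."""
    for c in CONSTRAINTS:
        if any(pattern_matches(p, path) for p in c.patterns):
            return [c]
    return []


def allowed_roles(constraints: List[Constraint]) -> Optional[Set[str]]:
    """Combine the <auth-constraint>s of the selected constraints. None means
    unrestricted (some constraint has no auth-constraint); an empty set means
    nobody; '*' expands to the declared <security-role> names only."""
    roles: Set[str] = set()
    for c in constraints:
        if c.roles is None:
            return None
        for r in c.roles:
            roles |= SECURITY_ROLES if r == "*" else {r}
    return roles


def is_permitted(path: str, user_roles: List[str],
                 select: Callable[[str], List[Constraint]] = most_specific) -> bool:
    """Would a user holding `user_roles` be allowed to reach `path`?
    An unauthenticated user holds no roles and so fails any auth-constraint."""
    selected = select(path)
    if not selected:
        return True
    roles = allowed_roles(selected)
    if roles is None:
        return True
    return bool(roles & set(user_roles))


if __name__ == "__main__":
    for path, held in [("/index.jsp", ["user"]), ("/admin/users", ["user"]),
                       ("/admin/users", ["admin"]), ("/index.jsp", ["guest"])]:
        print(f"{path:14} roles={held}: 5.x -> {is_permitted(path, held)}, "
              f"4.1 order-as-written -> {is_permitted(path, held, first_in_file)}")
```

Running the script shows `/admin/users` refused to a plain `user` under the 5.x rule but allowed under the modelled 4.1.x first-match rule with the constraints in the question's order, and a `guest` (no matching `<security-role>`) refused everywhere even though `/*` names `*`.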
