tomcat-users mailing list archives

From Warren Pace <wap...@bellsouth.net>
Subject Re: Re: access control
Date Fri, 07 Apr 2006 01:06:57 GMT

> 
> From: "Zohar" <david_fire4@hotmail.com>
> Date: 2006/04/06 Thu AM 11:46:27 EDT
> To: "Tomcat Users List" <users@tomcat.apache.org>, 
> 	<tomcat-user@jakarta.apache.org>
> Subject: Re: access control
> 
> Can I grant access to some jsp pages and deny access to others (in the same 
> context)?
> 
Yes.  I've done it by creating a subdirectory within the webapp and placing those JSPs I only
want admin users to access inside that folder and adding the security constraint to web.xml.
Here's a snippet:
<security-constraint>
    <web-resource-collection>
       <web-resource-name>UserArea</web-resource-name>
       <url-pattern>/</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>standard_user</role-name>
      <role-name>admin_user</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminArea</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin_user</role-name>
    </auth-constraint>
</security-constraint>
There may be a better way, but I was in a hurry....

> ----- Original Message ----- 
> From: "Markus Schönhaber" <mailing-tomcat-user@schoenhaber.de>
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Sent: Thursday, April 06, 2006 17:23
> Subject: Re: access control
> 
> 
> > Zohar wrote:
> >> I have a few servlets which are deployed to different contexts (each
> >> servlet to its own context). One of these servlets acts as an interface to
> >> clients, and it forwards the requests from clients to the appropriate
> >> servlets. I don't want any of the non-interface servlets to be accessible
> >> to clients (but they must still be accessible to the interface servlet).
> >> How do I do that?
> >
> > You could, for example, use a Remote Address Filter or a Remote Host Filter
> > for the contexts you don't want to be accessible:
> > http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html#Remote%20Address%20Filter
> >
> > But would you mind to elaborate a little why you put servlets into contexts
> > you don't want to be accessible or why it is necessary for those
> > "non-interface servlets" to be servlets at all?
> >
> > Regards
> >  mks
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
> >


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
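
Added example, not part of the original message or of Tomcat: under the Servlet specification, a <web-resource-collection> that lists <http-method> elements constrains only those methods, so this check reports which standard methods each constraint in a web.xml leaves uncovered. The sample is constructed from the AdminArea constraint in the message; AdminAreaAllMethods and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: AdminArea as posted in the message, followed by a
# hypothetical variant (AdminAreaAllMethods) with no <http-method> elements.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminArea</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin_user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminAreaAllMethods</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin_user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

STANDARD_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")

def local(tag):
    """Strip an XML namespace so namespaced and plain web.xml both work."""
    return tag.rsplit("}", 1)[-1]

def uncovered_methods(web_xml):
    """Map each web-resource-name to the methods its constraint skips."""
    findings = {}
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) != "web-resource-collection":
            continue
        kids = {}
        for c in el:
            kids.setdefault(local(c.tag), []).append((c.text or "").strip())
        listed = set(kids.get("http-method", []))
        name = kids.get("web-resource-name", ["?"])[0]
        # No <http-method> at all: the constraint applies to every method.
        findings[name] = [m for m in STANDARD_METHODS if listed and m not in listed]
    return findings

if __name__ == "__main__":
    for name, methods in uncovered_methods(SAMPLE_WEB_XML).items():
        print(name, "uncovered:", ", ".join(methods) or "none")
```

Dropping the <http-method> lines from a constraint, as in the second sample entry, makes it apply to every method.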

