Thank you both. Removing the <auth-constraint/> element quickly solved
the problem for me. So far, I have not run into any MSIE problems with
this solution; hopefully my luck will continue. (By default, users will
be given https:// links anyway; the redirection is only for those who
might accidentally enter via http://.)

Glen

Bill Barker wrote:
> Yeah, you need to delete the entire <auth-constraint>...</auth-constraint>
> to allow everyone. However, for MSIE, you may still get problems due to the
> restricted caching headers that Tomcat adds.
>
> "Filip Hanik - Dev Lists" <devlists@hanik.com> wrote in message
> news:44F7639F.6060902@hanik.com...
>
>><role-name>*</role-name> <!-- even though I have no roles configured -->
>>
>>the "*" means all the roles that you have defined in web.xml, since you
>>haven't defined any roles in web.xml, there is nothing to authenticate,
>>hence it's gonna deny the request
>>
>>Filip
>>
>>
>>Glen Mazza wrote:
>>
>>>Hello,
>>>
>>>I have developed a simple web application running on Tomcat that asks for
>>>a database username and password and then returns a report in PDF. I'm
>>>*not* using any of Tomcat's security features for this--no roles for
>>>example.
>>>
>>>In testing it has been running fine on HTTP, but I would like it to be
>>>using HTTPS/SSL for production use, and ideally, be redirecting any user
>>>HTTP requests to HTTPS. So I created a new keystore and activated the
>>>HTTPS/SSL connector in the server.xml file. I also added the following
>>>security constraint to the web.xml of my web application in order to
>>>force a redirect from HTTP to HTTPS should the user enter the former:
>>>
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>thewholeapp</web-resource-name>
>>>     <url-pattern>/*</url-pattern>
>>>     <http-method>GET</http-method>
>>>     <http-method>POST</http-method>
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>*</role-name> <!-- even though I have no roles configured -->
>>>   </auth-constraint>
>>>   <user-data-constraint>
>>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>   </user-data-constraint>
>>> </security-constraint>
>>>
>>>The redirection to the HTTPS page is working, but the HTTPS page itself
>>>is failing--I keep getting 403 error messages: "Access to the requested
>>>resource has been denied". Note I am *not* doing any form of container
>>>authentication--that may be the problem, as I'm relying on the DB
>>>connection string within my web application to authenticate into the
>>>database. I get the same message if I go to the https:// URL directly
>>>and not via redirection.
>>>
>>>How can I get Tomcat to let every user access the HTTPS URL login page
>>>(letting the database continue to handle the subsequent authentication
>>>into the DB), preferably while still allowing for the automatic
>>>redirection from HTTP to HTTPS as listed in the above
>>><security-constraint/>?
>>>
>>>Thanks,
>>>Glen
>>>
>>>---------------------------------------------------------------------
>>>To start a new topic, e-mail: users@tomcat.apache.org
>>>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>For additional commands, e-mail: users-help@tomcat.apache.org
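
The failure discussed in this thread can be caught before deployment by auditing web.xml. The Python sketch below is an added example, not code from the thread or from Tomcat: it assumes the "*" semantics Filip describes, and the descriptor, function names and finding labels are constructed for illustration. It goes slightly beyond the thread by also flagging an empty <auth-constraint> and a transport guarantee that is limited to the listed <http-method> values.

```python
import xml.etree.ElementTree as ET

# Constructed sample reproducing the constraint quoted in the thread;
# note that no <security-role> is declared anywhere in the descriptor.
BEFORE = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>thewholeapp</web-resource-name>
   <url-pattern>/*</url-pattern>
   <http-method>GET</http-method>
   <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
  <user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
 </security-constraint>
</web-app>"""
# The fix reported in the thread: the whole <auth-constraint> element removed.
AFTER = BEFORE.replace("<auth-constraint><role-name>*</role-name></auth-constraint>", "")

def elems(node, name):
    """Descendant elements called `name`, ignoring any XML namespace."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def texts(node, name):
    return [(e.text or "").strip() for e in elems(node, name)]

def audit(web_xml):
    """Return (resource-name, finding) pairs; finding labels are hypothetical."""
    root = ET.fromstring(web_xml)
    declared = {r for sr in elems(root, "security-role") for r in texts(sr, "role-name")}
    findings = []
    for sc in elems(root, "security-constraint"):
        name = (texts(sc, "web-resource-name") or ["?"])[0]
        auth = elems(sc, "auth-constraint")
        roles = set(texts(auth[0], "role-name")) if auth else set()
        if auth and not roles:
            # An auth-constraint that names no role permits nobody.
            findings.append((name, "empty-auth-constraint-denies-all"))
        elif roles == {"*"} and not declared:
            # "*" expands to the roles declared in web.xml; with none, every request gets 403.
            findings.append((name, "star-role-with-no-declared-roles-denies-all"))
        # Listing methods restricts the constraint, and so the HTTPS redirect, to those methods.
        if texts(sc, "http-method") and "CONFIDENTIAL" in texts(sc, "transport-guarantee"):
            findings.append((name, "transport-guarantee-covers-listed-methods-only"))
    return findings
```

Running audit(BEFORE) reports the deny-all condition behind the 403 responses; audit(AFTER) no longer does.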