-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Gordon,
Hyatt, Gordon wrote:
| The intent is as follows:
|
| For the main site: plain HTTP access
|
| For the administration and sample submission areas, require
| authentication over HTTPS
|
| Disallow DELETE and PUT methods from all areas.
[snip]
| <security-constraint>
| <display-name>Administration Methods</display-name>
| <web-resource-collection>
| <web-resource-name>admin methods</web-resource-name>
| <description/>
| <url-pattern>/admin/*</url-pattern>
| <http-method>GET</http-method>
| <http-method>POST</http-method>
| </web-resource-collection>
| <auth-constraint>
| <role-name>admin_user</role-name>
| </auth-constraint>
| <user-data-constraint>
| <transport-guarantee>CONFIDENTIAL</transport-guarantee>
| </user-data-constraint>
| </security-constraint>
That ought to fill your first 2 requirements. In order to prohibit PUT
and DELETE, you'll need another <security-condstraint> section that
specified no valid roles for the PUT and DELETE methods.
| I've also added a filter to capture all requests (/*) that checks the
| requested path; if that path is a "privileged" path (admin or
| submission), then check that the user is authenticated and within the
| specified role (as configured in the filter).
This should not be necessary; the container should already handle the
role checking (it's already configured in web.xml).
| I changed the role-name to * in the above auth-constraint and removed
| (commented out) the <login-config> section of web.xml.
Why?
| So my question is this: how do I force HTTPS on some portions of a
| Struts-based web site. With the filter, I can force authentication, but
| not the HTTPS constraint.
<user-data-constraint> should be enough to make that happen. Are you
saying that a <security-constraint> with only the <transport-guarantee>
in it is not being respected by Tomcat?
Which version? Can you post your new web.xml instead of the original one
that has since been modified?
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkf0KawACgkQ9CaO5/Lv0PBfQgCeLQFA0sJNAG7MfPoa2I52orWz
20QAnjZd1EwJIEQoBzoK/g8nFmaGGuIh
=s08N
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
|