tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Tomcat Built-in WinAuth - NEW THREAD
Date Mon, 04 Mar 2013 22:32:34 GMT
Mark Thomas wrote:
> On 04/03/2013 21:47, Chris Fors wrote:
>> Could you please expand on what constraints you were referring to
> 
> Security constraints in web.xml
> 
>> and how they are best implemented, where, and in what syntax e.g. if implemented in web.xml what are the correct tags.
> 
> All defined in the Servlet spec.
> 
>> If implemented in web.xml what are the correct tags. I have not found this clarified anywhere, yet.
> 
> Again, see the servlet spec.

You will find an example in the "manager" webapp that comes with Tomcat.
Look at (tomcat)/webapps/manager/WEB-INF/web.xml, parts like this:

   <security-constraint>
     <web-resource-collection>
       <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
       <url-pattern>/html/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
        <role-name>manager-gui</role-name>
     </auth-constraint>
   </security-constraint>

In not-quite-technical terms:

The above, present at the level of the webapp, specifies a "role" which the authenticated
user must have, in order to be able to access this part of the webapp.
To determine if the user has that role, Tomcat must first know the user. This is what 
"triggers" the authentication mechanism.
If nothing forces Tomcat to authenticate the user of this webapp, the authentication 
method may well be specified, but it will not be invoked.
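
An added example, not part of the original message or of Tomcat: a small checker that reads a web.xml and reports whether a declared authentication method is ever triggered by a role-requiring security constraint. The function name `audit_web_xml` and both sample documents are constructed for illustration; `login-config` and `auth-method` are the Servlet spec elements that declare the authentication method, and `SPNEGO` is assumed as the method here.

```python
import xml.etree.ElementTree as ET

def _kids(elem, name):
    """Direct children called `name`, ignoring any XML namespace prefix."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _texts(elems, name):
    return [(c.text or "").strip() for e in elems for c in _kids(e, name)]

def audit_web_xml(xml_text):
    """Report which URL patterns force a login and whether login-config is ever used."""
    root = ET.fromstring(xml_text)
    methods = _texts(_kids(root, "login-config"), "auth-method")
    protected, deny_all = {}, []
    for sc in _kids(root, "security-constraint"):
        patterns = _texts(_kids(sc, "web-resource-collection"), "url-pattern")
        auth = _kids(sc, "auth-constraint")
        if not auth:
            continue  # e.g. only a user-data-constraint: no role is required
        roles = _texts(auth, "role-name")
        if roles:
            for p in patterns:
                protected.setdefault(p, []).extend(roles)
        else:
            deny_all.extend(patterns)  # empty auth-constraint: nobody may access
    return {
        "auth_method": methods[0] if methods else None,
        "protected": protected,
        "deny_all": deny_all,
        "auth_never_triggered": bool(methods) and not protected,
    }

# Constructed sample: an authentication method is declared, nothing requires a role.
NO_CONSTRAINT = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <login-config><auth-method>SPNEGO</auth-method></login-config>
</web-app>"""
# Constructed sample: same, plus the constraint quoted from the manager webapp.
WITH_CONSTRAINT = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>SPNEGO</auth-method></login-config>
</web-app>"""
if __name__ == "__main__":
    print(audit_web_xml(NO_CONSTRAINT), audit_web_xml(WITH_CONSTRAINT), sep="\n")
```

A result with `auth_never_triggered` set means the webapp declares a login method but no URL pattern requires a role, so requests are served without the user ever being identified.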

