tomcat-users mailing list archives

From Christopher Schultz
Subject Re: Tomcat Built-in WinAuth - NEW THREAD
Date Tue, 05 Mar 2013 00:48:24 GMT

On 3/4/13 4:54 PM, Chris Fors wrote:
>> Date: Mon, 4 Mar 2013 23:32:34 +0100
>> Subject: Re: Tomcat Built-in WinAuth -
>> Mark Thomas wrote:
>>> On 04/03/2013 21:47, Chris Fors wrote:
>>>> Could you please expand on what constraints you were
>>>> referring to
>>> Security constraints in web.xml
>>>> and how they are best implemented, where, and in what syntax
>>>> e.g. if implemented in web.xml what are the correct tags.
>>> All defined in the Servlet spec.
>>>> If implemented in web.xml what are the correct tags. I have
>>>> not found this clarified anywhere, yet.
>>> Again, see the servlet spec.
>> You will find an example in the "manager" webapp that comes with
>> Tomcat. Look at (tomcat)/webapps/manager/WEB-INF/web.xml, parts
>> like this :
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
>>     <url-pattern>/html/*</url-pattern>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>manager-gui</role-name>
>>   </auth-constraint>
>> </security-constraint>
>> In not-quite-technical terms :
>> The above, present at the level of the webapp, specifies a "role"
>> which the authenticated user must have, in order to be able to
>> access this part of the webapp. To determine if the user has that
>> role, Tomcat must first know the user. This is what "triggers"
>> the authentication mechanism. If nothing forces Tomcat to
>> authenticate the user of this webapp, the authentication method
>> may well be specified, but it will not be invoked.
> Was hoping to not have to hunt through the complete JSR 315
> specification. I will give the constraint model above a shot
> tomorrow. Thanks, Chris

Honestly, it's like 3 pages of reading, most of which is tables and
examples. Reading the servlet spec (it's not your average spec: mere
mortals *can* read and understand it) should be required in order to
develop web applications.

-chris
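
Added example, not part of the original message and not Tomcat project code: a small Python check for the situation described in the thread, where an authentication method is configured but no security constraint requires a role, so the login is never triggered. The function name `audit_web_xml` is hypothetical and both sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop the XML namespace so descriptors with or without xmlns both match.
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]

def audit_web_xml(xml_text):
    """Return (auth_method, protected, findings) for a web.xml document."""
    root = ET.fromstring(xml_text)
    methods = _texts(root, "auth-method")
    auth_method = methods[0] if methods else None
    protected, findings = [], []
    for sc in (e for e in root if _local(e.tag) == "security-constraint"):
        patterns = _texts(sc, "url-pattern")
        auth = [e for e in sc if _local(e.tag) == "auth-constraint"]
        roles = _texts(auth[0], "role-name") if auth else []
        if roles:
            protected.append((patterns, roles))  # a role is required here
        elif auth:
            findings.append(f"{patterns}: auth-constraint names no role (denies everyone)")
        else:
            findings.append(f"{patterns}: no auth-constraint, so no login is triggered")
    if auth_method and not protected:
        findings.append(f"auth-method {auth_method} is declared but never invoked: "
                        "no security-constraint requires a role")
    return auth_method, protected, findings

# Constructed sample: the manager fragment quoted in the thread plus a login-config.
WITH_CONSTRAINT = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
# Constructed sample: an authentication method is configured, nothing requires a role.
LOGIN_ONLY = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

if __name__ == "__main__":
    for name, doc in (("WITH_CONSTRAINT", WITH_CONSTRAINT), ("LOGIN_ONLY", LOGIN_ONLY)):
        print(name, audit_web_xml(doc))
```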