tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: SPENGO config in Tomcat's web.xml
Date Fri, 08 Jun 2018 16:34:55 GMT
On 08/06/18 17:26, Randy Oun wrote:
> Hello Tomcat user group.
> 
> I am setting update Tomcat 8.5.23 with Kerberos/SPNEGO.  Since the Tomcat
> server will be only hosting one web application and we only want SPNEGO
> only on certain environments we were trying to add security contraints to
> Tomcat's web.xml instead of the application's web.xml.
> 
> Unfortunately it doesn't seem like it is taking effect.  The only change is
> is adding the app's URI context to the url-pattern in Tomcat's web.xml.
> 
> Is something misconfigured?

Yes.

The global web.xml is merged into the application web.xml for every web
application.

You want to use exactly the same URLs (no leading "/app") in the global
web.xml as you do in the application web.xml.

As an aside, configuring application specific settings in the global
web.xml is not recommended. If you ever need to deploy a second web
application you are going to have difficulties.

Mark



>  If not, what can I do to get this to work?
> 
> In TOMCAT_HOME/conf/web.xml...
> ---------------------------------------------
> 
>     <security-constraint>
>           <web-resource-collection>
>                 <web-resource-name>NoSSO</web-resource-name>
>                 <description>URIs that should not trigger
> SPNEGO</description>
>                 <url-pattern>/app/ping</url-pattern>
>                  <url-pattern>/app/ws/*</url-pattern>
>          <url-pattern>/app/service/*</url-pattern>
>           </web-resource-collection>
>         <!-- No auth-constraint means paths are accessible -->
>   </security-constraint>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>SSO</web-resource-name>
>           <description>Default context path that will trigger
> Kerberos-SPNEGO SSO</description>
>       <url-pattern>/app/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>**</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>SPNEGO</auth-method>
>     <realm-name>SPNEGO Realm</realm-name>
>   </login-config>
> 
> In app web.xml...
> -----------------------
> <!-- SF Note: Added for SSO enablement -->
>     <security-constraint>
>           <web-resource-collection>
>                 <web-resource-name>NoSSO</web-resource-name>
>                 <description>URIs that should not trigger
> SPNEGO</description>
>                 <url-pattern>/ping</url-pattern>
>                  <url-pattern>/ws/*</url-pattern>
>          <url-pattern>/service/*</url-pattern>
>           </web-resource-collection>
>         <!-- No auth-constraint means paths are accessible -->
>   </security-constraint>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>SSO</web-resource-name>
>           <description>Default context path that will trigger
> Kerberos-SPNEGO SSO</description>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>**</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>SPNEGO</auth-method>
>     <realm-name>SPNEGO Realm</realm-name>
>   </login-config>
> 
> Thanks!
> 
> Randy
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message