Posted to users@tomcat.apache.org by Armin Lengauer <ar...@vienna.at> on 2001/08/11 00:45:15 UTC

Problem. tomcat security constraint shows no effect

Hi all,

I'm using tomcat 3.2.1 and want to require SSL for some selected servlets. SSL Connector already is set up and works.

I configured WEB-INF/web.xml according to the Sun Servlet 2.2 specification (at least I think so) in the following way. Nevertheless it shows no effect. I can open servlet login through http and https. To my mind this web.xml tells tomcat to require https only for opening it.
I'm sure I need to configure something more but I don't know what.

Can someone please give me a hint where to go on?

Thanks a lot, Armin

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
    "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
    <servlet>
        <servlet-name>
            login
        </servlet-name>
        <servlet-class>
            bookshop.login
        </servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
      <servlet-name>
          catalogue
      </servlet-name>
      <servlet-class>
          bookshop.catalogue
      </servlet-class>
      <load-on-startup>2</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>login</servlet-name>
        <url-pattern>/login</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
        <servlet-name>catalogue</servlet-name>
        <url-pattern>/books/catalogue</url-pattern>
    </servlet-mapping>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>books</web-resource-name>
			<url-pattern>/login</url-pattern>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>
		<!-- In the Servlet 2.2 DTD user-data-constraint is a child of
		     security-constraint, not of web-resource-collection -->
		<user-data-constraint>
			<transport-guarantee>CONFIDENTIAL</transport-guarantee>
		</user-data-constraint>
	</security-constraint>
</web-app>



Re: Problem. tomcat security constraint shows no effect

Posted by "Craig R. McClanahan" <cr...@apache.org>.
A couple of questions to investigate:

* Are you running behind Apache?  If so, you need to tweak your
  mod_jk settings to pass on the fact that this request came in
  on https instead of http -- details should be in the SSL howtos.

* What URL are you accessing the login page with?  The only one
  you have protected in your security constraint is:

    http://localhost:8080/myapp/login

  but the login servlet could also get accessed via:

    http://localhost:8080/myapp/servlet/login

  because of the way the invoker servlet works.  Be sure to protect
  that path as well.

* When the login servlet is executed, does it correctly know whether
  or not it was accessed on a secure socket (regardless of whether it
  should be allowed or not)?  In other words, if you call
  request.isSecure() do you get the right answer either way?  If not,
  then the goal will be to investigate why that is true.

* That all being said, I'd try the same testing under 3.2.3 in case
  there have been patches in this area since 3.2.1.

Craig
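As an added illustration of the two descriptor-level checks raised in this thread (not code from the original posts or from Tomcat), the following Python lint parses a constructed web.xml laid out like the posted one and reports a user-data-constraint nested in the wrong place, plus every mapped servlet whose url-pattern or invoker path /servlet/<name> is not covered by a CONFIDENTIAL constraint. The invoker path, the /* prefix matching and the sample descriptor are assumptions made for the example.

```python
# Added example, not code from the original thread: lint a web.xml for the
# two problems discussed here, run on a constructed copy of the posted
# descriptor (declaration and unrelated elements dropped for brevity).
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>login</servlet-name><url-pattern>/login</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>books</web-resource-name>
      <url-pattern>/login</url-pattern>
      <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

def texts(el, tag):
    """Stripped text of every direct child named tag."""
    return [c.text.strip() for c in el.findall(tag) if c.text]

def covers(pattern, path):
    """Servlet-spec style match: exact, or path-prefix pattern ending in /*."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern == path

def lint(xml_text):
    root = ET.fromstring(xml_text)
    findings, confidential = [], []   # url-patterns that really require https
    for sc in root.findall("security-constraint"):
        patterns = []
        for wrc in sc.findall("web-resource-collection"):
            patterns += texts(wrc, "url-pattern")
            # The Servlet 2.2 DTD puts user-data-constraint beside, not inside,
            # web-resource-collection; a nested copy is simply ignored.
            if wrc.find("user-data-constraint") is not None:
                findings.append("user-data-constraint nested inside "
                                "web-resource-collection; move it under security-constraint")
        udc = sc.find("user-data-constraint")   # only a correctly placed one counts
        if udc is not None and "CONFIDENTIAL" in texts(udc, "transport-guarantee"):
            confidential += patterns
    for sm in root.findall("servlet-mapping"):
        name = texts(sm, "servlet-name")[0]
        # Tomcat 3.x's invoker servlet also exposes every servlet at /servlet/<name>
        for path in texts(sm, "url-pattern") + ["/servlet/" + name]:
            if not any(covers(c, path) for c in confidential):
                findings.append(path + " is reachable over plain http")
    return findings
```

Running lint(WEB_XML) yields three findings; a descriptor with the constraint moved up one level and a /servlet/* pattern added yields none.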

