Posted to users@tomcat.apache.org by Rosaria Silipo <ro...@yahoo.com> on 2003/06/17 18:46:35 UTC

problems with web.xml and security

Hi,

I am trying to set up Tomcat as a secure web engine.
From the tutorial I understood that you should insert the following
lines in web.xml and the password protection should work.

This works perfectly for files in the root directory (/*), it does not
work for files in subdirectories, like /secure/*.

Have you ever seen this problem before?

Thanks for any help

-- Rosaria

<!DOCTYPE web-app 
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" 
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
...

<!-- SECURITY CONSTRAINT -->
<security-constraint>
  <web-resource-collection>
     <web-resource-name>Secure Pages</web-resource-name>
     <description>Security constraint on all files</description>
     <url-pattern>/*</url-pattern>
     <url-pattern>/secure/*</url-pattern>
     <http-method>POST</http-method>
     <http-method>GET</http-method>
  </web-resource-collection>

  <auth-constraint>
    <description>admin can login</description>
     <role-name>admin</role-name>
  </auth-constraint>

   <user-data-constraint>
     <description>SSL not required</description>
     <transport-guarantee>NONE</transport-guarantee>
   </user-data-constraint>
</security-constraint>

<session-config>
   <session-timeout>30</session-timeout>
</session-config>

<!-- LOGIN AUTHENTICATION -->

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>default</realm-name> 
  <form-login-config>
    <form-login-page>/LoginForm.html</form-login-page>
    <form-error-page>/LoginError.html</form-error-page>
  </form-login-config>

</login-config>

<!-- SECURITY ROLES -->

<security-role>
   <description>The most secure role</description>
   <role-name>admin</role-name>
</security-role>

</web-app>


-- Rosaria



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


RE: problems with web.xml and security

Posted by Rosaria Silipo <ro...@yahoo.com>.
Thanks! 
The SingleSignOn valve works like a charm!

-----Original Message-----
From: news [mailto:news@main.gmane.org] On Behalf Of Bill Barker
Sent: Wednesday, June 18, 2003 1:02 AM
To: tomcat-user@jakarta.apache.org
Subject: Re: problems with web.xml and security

Now we are getting somewhere ;-).

If you have a context with a path="/secure", then you need to set the
<security-constraint> (including <login-config>) in that web.xml as you have
except that you only need to have the <url-pattern>/*</url-pattern> (since
the url-pattern is relative to the context-path).

Note that unless you enable the SingleSignOn Valve, your logins to '/' and
to '/secure' won't transfer from one to the other.  You'll have to login to
each one separately.

"Rosaria Silipo" <ro...@yahoo.com> wrote in message
news:000001c33566$3ed4dde0$930017ac@SuperTopina...
>
>
> Jwsdp.log.<date>.txt does not report any error.
> I do not have catalina.out.
> Maybe I am using the wrong version of Tomcat?
>
> I think my problem is that /secure has its own web.xml that overrides
> the web.xml in /. How can I avoid that?
>
> -- Rosaria
>
> -----Original Message-----
> From: news [mailto:news@main.gmane.org] On Behalf Of Bill Barker
> Sent: Tuesday, June 17, 2003 11:46 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: problems with web.xml and security
>
> <servlet-mapping> and <mime-mapping> are optional elements.  If you don't
> need them, then they don't have to be there.
>
> If you remove the <session-config>, then the rest of what is posted of your
> web.xml is valid (even if the /secure/* is implied by the /*, but that
> shouldn't matter).  I'm still going to guess that there are errors in your
> log files (esp. catalina.out) that will tell you more about the problem.
>
> If I'm wrong, then it sounds like it should be easy enough for you to strip
> down your app to something generic (e.g. I don't need to know anything about
> your proprietary Beans), and wrap it up in a war file ("jar cf bug.war
> bugapp"), and attach it to a bug report at
> http://nagoya.apache.org/bugzilla.
>
> "Rosaria Silipo" <ro...@yahoo.com> wrote in message
> news:004801c33556$d1534220$930017ac@SuperTopina...
> >
> > I am a bit confused.
> > I do not have any <servlet-mapping> or <mime-mapping> (do I need them?)
> > and I followed the order as it is in the tutorial.
> > Even removing <session-config>, /secure/* is not authenticated and /* is.
> >
> > -- Rosaria
> >
> >
> > -----Original Message-----
> > From: news [mailto:news@main.gmane.org] On Behalf Of Bill Barker
> > Sent: Tuesday, June 17, 2003 8:16 PM
> > To: tomcat-user@jakarta.apache.org
> > Subject: Re: problems with web.xml and security
> >
> > If you check your log files, you should see that it doesn't like your
> > web.xml file because <session-config> comes after <servlet-mapping> and
> > before <mime-mapping> (which both come before <security-constraint>).
> > Tomcat 4.x is picky about enforcing the order of elements in your web.xml
> > file (TC 3.3 is as well, at least by default).  The result is that Tomcat
> > stopped reading your file as soon as it got to the <session-config> line.
> >
> > "Rosaria Silipo" <ro...@yahoo.com> wrote in message
> > news:001301c334f0$0400c2e0$930017ac@SuperTopina...
> > >
> > > Hi,
> > >
> > > I am trying to set up Tomcat as a secure web engine.
> > > From the tutorial I understood that you should insert the following
> > > lines in web.xml and the password protection should work.
> > >
> > > This works perfectly for files in the root directory (/*), it does not
> > > work for files in subdirectories, like /secure/*.
> > >
> > > Have you ever seen this problem before?
> > >
> > > Thanks for any help
> > >
> > > -- Rosaria
> > >
> > > <!DOCTYPE web-app
> > >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> > >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> > >
> > > <web-app>
> > > ...
> > >
> > > <!-- SECURITY CONSTRAINT -->
> > > <security-constraint>
> > >   <web-resource-collection>
> > >      <web-resource-name>Secure Pages</web-resource-name>
> > >      <description>Security constraint on all files</description>
> > >      <url-pattern>/*</url-pattern>
> > >      <url-pattern>/secure/*</url-pattern>
> > >      <http-method>POST</http-method>
> > >      <http-method>GET</http-method>
> > >   </web-resource-collection>
> > >
> > >   <auth-constraint>
> > >     <description>admin can login</description>
> > >      <role-name>admin</role-name>
> > >   </auth-constraint>
> > >
> > >    <user-data-constraint>
> > >      <description>SSL not required</description>
> > >      <transport-guarantee>NONE</transport-guarantee>
> > >    </user-data-constraint>
> > > </security-constraint>
> > >
> > > <session-config>
> > >    <session-timeout>30</session-timeout>
> > > </session-config>
> > >
> > > <!-- LOGIN AUTHENTICATION -->
> > >
> > > <login-config>
> > >   <auth-method>FORM</auth-method>
> > >   <realm-name>default</realm-name>
> > >   <form-login-config>
> > >     <form-login-page>/LoginForm.html</form-login-page>
> > >     <form-error-page>/LoginError.html</form-error-page>
> > >   </form-login-config>
> > >
> > > </login-config>
> > >
> > > <!-- SECURITY ROLES -->
> > >
> > > <security-role>
> > >    <description>The most secure role</description>
> > >    <role-name>admin</role-name>
> > > </security-role>
> > >
> > > </web-app>
> > >
> > >
> > > -- Rosaria

Re: problems with web.xml and security

Posted by Bill Barker <wb...@wilshire.com>.
Now we are getting somewhere ;-).

If you have a context with a path="/secure", then you need to set the
<security-constraint> (including <login-config>) in that web.xml as you have
except that you only need to have the <url-pattern>/*</url-pattern> (since
the url-pattern is relative to the context-path).

Note that unless you enable the SingleSignOn Valve, your logins to '/' and
to '/secure' won't transfer from one to the other.  You'll have to login to
each one separately.

"Rosaria Silipo" <ro...@yahoo.com> wrote in message
news:000001c33566$3ed4dde0$930017ac@SuperTopina...
>
>
> Jwsdp.log.<date>.txt does not report any error.
> I do not have catalina.out.
> Maybe I am using the wrong version of Tomcat?
>
> I think my problem is that /secure has its own web.xml that overrides
> the web.xml in /. How can I avoid that?
>
> -- Rosaria
>
> -----Original Message-----
> From: news [mailto:news@main.gmane.org] On Behalf Of Bill Barker
> Sent: Tuesday, June 17, 2003 11:46 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: problems with web.xml and security
>
> <servlet-mapping> and <mime-mapping> are optional elements.  If you don't
> need them, then they don't have to be there.
>
> If you remove the <session-config>, then the rest of what is posted of your
> web.xml is valid (even if the /secure/* is implied by the /*, but that
> shouldn't matter).  I'm still going to guess that there are errors in your
> log files (esp. catalina.out) that will tell you more about the problem.
>
> If I'm wrong, then it sounds like it should be easy enough for you to strip
> down your app to something generic (e.g. I don't need to know anything about
> your proprietary Beans), and wrap it up in a war file ("jar cf bug.war
> bugapp"), and attach it to a bug report at
> http://nagoya.apache.org/bugzilla.
>
> "Rosaria Silipo" <ro...@yahoo.com> wrote in message
> news:004801c33556$d1534220$930017ac@SuperTopina...
> >
> > I am a bit confused.
> > I do not have any <servlet-mapping> or <mime-mapping> (do I need them?)
> > and I followed the order as it is in the tutorial.
> > Even removing <session-config>, /secure/* is not authenticated and /* is.
> >
> > -- Rosaria
> >
> >
> > -----Original Message-----
> > From: news [mailto:news@main.gmane.org] On Behalf Of Bill Barker
> > Sent: Tuesday, June 17, 2003 8:16 PM
> > To: tomcat-user@jakarta.apache.org
> > Subject: Re: problems with web.xml and security
> >
> > If you check your log files, you should see that it doesn't like your
> > web.xml file because <session-config> comes after <servlet-mapping> and
> > before <mime-mapping> (which both come before <security-constraint>).
> > Tomcat 4.x is picky about enforcing the order of elements in your web.xml
> > file (TC 3.3 is as well, at least by default).  The result is that Tomcat
> > stopped reading your file as soon as it got to the <session-config> line.
> >
> > "Rosaria Silipo" <ro...@yahoo.com> wrote in message
> > news:001301c334f0$0400c2e0$930017ac@SuperTopina...
> > >
> > > Hi,
> > >
> > > I am trying to set up Tomcat as a secure web engine.
> > > From the tutorial I understood that you should insert the following
> > > lines in web.xml and the password protection should work.
> > >
> > > This works perfectly for files in the root directory (/*), it does not
> > > work for files in subdirectories, like /secure/*.
> > >
> > > Have you ever seen this problem before?
> > >
> > > Thanks for any help
> > >
> > > -- Rosaria
> > >
> > > <!DOCTYPE web-app
> > >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> > >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> > >
> > > <web-app>
> > > ...
> > >
> > > <!-- SECURITY CONSTRAINT -->
> > > <security-constraint>
> > >   <web-resource-collection>
> > >      <web-resource-name>Secure Pages</web-resource-name>
> > >      <description>Security constraint on all files</description>
> > >      <url-pattern>/*</url-pattern>
> > >      <url-pattern>/secure/*</url-pattern>
> > >      <http-method>POST</http-method>
> > >      <http-method>GET</http-method>
> > >   </web-resource-collection>
> > >
> > >   <auth-constraint>
> > >     <description>admin can login</description>
> > >      <role-name>admin</role-name>
> > >   </auth-constraint>
> > >
> > >    <user-data-constraint>
> > >      <description>SSL not required</description>
> > >      <transport-guarantee>NONE</transport-guarantee>
> > >    </user-data-constraint>
> > > </security-constraint>
> > >
> > > <session-config>
> > >    <session-timeout>30</session-timeout>
> > > </session-config>
> > >
> > > <!-- LOGIN AUTHENTICATION -->
> > >
> > > <login-config>
> > >   <auth-method>FORM</auth-method>
> > >   <realm-name>default</realm-name>
> > >   <form-login-config>
> > >     <form-login-page>/LoginForm.html</form-login-page>
> > >     <form-error-page>/LoginError.html</form-error-page>
> > >   </form-login-config>
> > >
> > > </login-config>
> > >
> > > <!-- SECURITY ROLES -->
> > >
> > > <security-role>
> > >    <description>The most secure role</description>
> > >    <role-name>admin</role-name>
> > > </security-role>
> > >
> > > </web-app>
> > >
> > >
> > > -- Rosaria


RE: problems with web.xml and security

Posted by Rosaria Silipo <ro...@yahoo.com>.

Jwsdp.log.<date>.txt does not report any error.
I do not have catalina.out.
Maybe I am using the wrong version of Tomcat?

I think my problem is that /secure has its own web.xml that overrides
the web.xml in /. How can I avoid that?

-- Rosaria

-----Original Message-----
From: news [mailto:news@main.gmane.org] On Behalf Of Bill Barker
Sent: Tuesday, June 17, 2003 11:46 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: problems with web.xml and security

<servlet-mapping> and <mime-mapping> are optional elements.  If you don't
need them, then they don't have to be there.

If you remove the <session-config>, then the rest of what is posted of your
web.xml is valid (even if the /secure/* is implied by the /*, but that
shouldn't matter).  I'm still going to guess that there are errors in your
log files (esp. catalina.out) that will tell you more about the problem.

If I'm wrong, then it sounds like it should be easy enough for you to strip
down your app to something generic (e.g. I don't need to know anything about
your proprietary Beans), and wrap it up in a war file ("jar cf bug.war
bugapp"), and attach it to a bug report at
http://nagoya.apache.org/bugzilla.

"Rosaria Silipo" <ro...@yahoo.com> wrote in message
news:004801c33556$d1534220$930017ac@SuperTopina...
>
> I am a bit confused.
> I do not have any <servlet-mapping> or <mime-mapping> (do I need them?)
> and I followed the order as it is in the tutorial.
> Even removing <session-config>, /secure/* is not authenticated and /* is.
>
> -- Rosaria
>
>
> -----Original Message-----
> From: news [mailto:news@main.gmane.org] On Behalf Of Bill Barker
> Sent: Tuesday, June 17, 2003 8:16 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: problems with web.xml and security
>
> If you check your log files, you should see that it doesn't like your
> web.xml file because <session-config> comes after <servlet-mapping> and
> before <mime-mapping> (which both come before <security-constraint>).
> Tomcat 4.x is picky about enforcing the order of elements in your web.xml
> file (TC 3.3 is as well, at least by default).  The result is that Tomcat
> stopped reading your file as soon as it got to the <session-config> line.
>
> "Rosaria Silipo" <ro...@yahoo.com> wrote in message
> news:001301c334f0$0400c2e0$930017ac@SuperTopina...
> >
> > Hi,
> >
> > I am trying to set up Tomcat as a secure web engine.
> > From the tutorial I understood that you should insert the following
> > lines in web.xml and the password protection should work.
> >
> > This works perfectly for files in the root directory (/*), it does not
> > work for files in subdirectories, like /secure/*.
> >
> > Have you ever seen this problem before?
> >
> > Thanks for any help
> >
> > -- Rosaria
> >
> > <!DOCTYPE web-app
> >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> >
> > <web-app>
> > ...
> >
> > <!-- SECURITY CONSTRAINT -->
> > <security-constraint>
> >   <web-resource-collection>
> >      <web-resource-name>Secure Pages</web-resource-name>
> >      <description>Security constraint on all files</description>
> >      <url-pattern>/*</url-pattern>
> >      <url-pattern>/secure/*</url-pattern>
> >      <http-method>POST</http-method>
> >      <http-method>GET</http-method>
> >   </web-resource-collection>
> >
> >   <auth-constraint>
> >     <description>admin can login</description>
> >      <role-name>admin</role-name>
> >   </auth-constraint>
> >
> >    <user-data-constraint>
> >      <description>SSL not required</description>
> >      <transport-guarantee>NONE</transport-guarantee>
> >    </user-data-constraint>
> > </security-constraint>
> >
> > <session-config>
> >    <session-timeout>30</session-timeout>
> > </session-config>
> >
> > <!-- LOGIN AUTHENTICATION -->
> >
> > <login-config>
> >   <auth-method>FORM</auth-method>
> >   <realm-name>default</realm-name>
> >   <form-login-config>
> >     <form-login-page>/LoginForm.html</form-login-page>
> >     <form-error-page>/LoginError.html</form-error-page>
> >   </form-login-config>
> >
> > </login-config>
> >
> > <!-- SECURITY ROLES -->
> >
> > <security-role>
> >    <description>The most secure role</description>
> >    <role-name>admin</role-name>
> > </security-role>
> >
> > </web-app>
> >
> >
> > -- Rosaria


Re: problems with web.xml and security

Posted by Bill Barker <wb...@wilshire.com>.
<servlet-mapping> and <mime-mapping> are optional elements.  If you don't
need them, then they don't have to be there.

If you remove the <session-config>, then the rest of what is posted of your
web.xml is valid (even if the /secure/* is implied by the /*, but that
shouldn't matter).  I'm still going to guess that there are errors in your
log files (esp. catalina.out) that will tell you more about the problem.

If I'm wrong, then it sounds like it should be easy enough for you to strip
down your app to something generic (e.g. I don't need to know anything about
your proprietary Beans), and wrap it up in a war file ("jar cf bug.war
bugapp"), and attach it to a bug report at
http://nagoya.apache.org/bugzilla.

"Rosaria Silipo" <ro...@yahoo.com> wrote in message
news:004801c33556$d1534220$930017ac@SuperTopina...
>
> I am a bit confused.
> I do not have any <servlet-mapping> or <mime-mapping> (do I need them?)
> and I followed the order as it is in the tutorial.
> Even removing <session-config>, /secure/* is not authenticated and /* is.
>
> -- Rosaria
>
>
> -----Original Message-----
> From: news [mailto:news@main.gmane.org] On Behalf Of Bill Barker
> Sent: Tuesday, June 17, 2003 8:16 PM
> To: tomcat-user@jakarta.apache.org
> Subject: Re: problems with web.xml and security
>
> If you check your log files, you should see that it doesn't like your
> web.xml file because <session-config> comes after <servlet-mapping> and
> before <mime-mapping> (which both come before <security-constraint>).
> Tomcat 4.x is picky about enforcing the order of elements in your web.xml
> file (TC 3.3 is as well, at least by default).  The result is that Tomcat
> stopped reading your file as soon as it got to the <session-config> line.
>
> "Rosaria Silipo" <ro...@yahoo.com> wrote in message
> news:001301c334f0$0400c2e0$930017ac@SuperTopina...
> >
> > Hi,
> >
> > I am trying to set up Tomcat as a secure web engine.
> > From the tutorial I understood that you should insert the following
> > lines in web.xml and the password protection should work.
> >
> > This works perfectly for files in the root directory (/*), it does not
> > work for files in subdirectories, like /secure/*.
> >
> > Have you ever seen this problem before?
> >
> > Thanks for any help
> >
> > -- Rosaria
> >
> > <!DOCTYPE web-app
> >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> >
> > <web-app>
> > ...
> >
> > <!-- SECURITY CONSTRAINT -->
> > <security-constraint>
> >   <web-resource-collection>
> >      <web-resource-name>Secure Pages</web-resource-name>
> >      <description>Security constraint on all files</description>
> >      <url-pattern>/*</url-pattern>
> >      <url-pattern>/secure/*</url-pattern>
> >      <http-method>POST</http-method>
> >      <http-method>GET</http-method>
> >   </web-resource-collection>
> >
> >   <auth-constraint>
> >     <description>admin can login</description>
> >      <role-name>admin</role-name>
> >   </auth-constraint>
> >
> >    <user-data-constraint>
> >      <description>SSL not required</description>
> >      <transport-guarantee>NONE</transport-guarantee>
> >    </user-data-constraint>
> > </security-constraint>
> >
> > <session-config>
> >    <session-timeout>30</session-timeout>
> > </session-config>
> >
> > <!-- LOGIN AUTHENTICATION -->
> >
> > <login-config>
> >   <auth-method>FORM</auth-method>
> >   <realm-name>default</realm-name>
> >   <form-login-config>
> >     <form-login-page>/LoginForm.html</form-login-page>
> >     <form-error-page>/LoginError.html</form-error-page>
> >   </form-login-config>
> >
> > </login-config>
> >
> > <!-- SECURITY ROLES -->
> >
> > <security-role>
> >    <description>The most secure role</description>
> >    <role-name>admin</role-name>
> > </security-role>
> >
> > </web-app>
> >
> >
> > -- Rosaria


RE: problems with web.xml and security

Posted by Rosaria Silipo <ro...@yahoo.com>.
I am a bit confused.
I do not have any <servlet-mapping> or <mime-mapping> (do I need them?)
and I followed the order as it is in the tutorial.
Even removing <session-config>, /secure/* is not authenticated and /* is.

-- Rosaria


-----Original Message-----
From: news [mailto:news@main.gmane.org] On Behalf Of Bill Barker
Sent: Tuesday, June 17, 2003 8:16 PM
To: tomcat-user@jakarta.apache.org
Subject: Re: problems with web.xml and security

If you check your log files, you should see that it doesn't like your
web.xml file because <session-config> comes after <servlet-mapping> and
before <mime-mapping> (which both come before <security-constraint>).
Tomcat 4.x is picky about enforcing the order of elements in your web.xml
file (TC 3.3 is as well, at least by default).  The result is that Tomcat
stopped reading your file as soon as it got to the <session-config> line.

"Rosaria Silipo" <ro...@yahoo.com> wrote in message
news:001301c334f0$0400c2e0$930017ac@SuperTopina...
>
> Hi,
>
> I am trying to set up Tomcat as a secure web engine.
> From the tutorial I understood that you should insert the following
> lines in web.xml and the password protection should work.
>
> This works perfectly for files in the root directory (/*), it does not
> work for files in subdirectories, like /secure/*.
>
> Have you ever seen this problem before?
>
> Thanks for any help
>
> -- Rosaria
>
> <!DOCTYPE web-app
>     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
>     "http://java.sun.com/dtd/web-app_2_3.dtd">
>
> <web-app>
> ...
>
> <!-- SECURITY CONSTRAINT -->
> <security-constraint>
>   <web-resource-collection>
>      <web-resource-name>Secure Pages</web-resource-name>
>      <description>Security constraint on all files</description>
>      <url-pattern>/*</url-pattern>
>      <url-pattern>/secure/*</url-pattern>
>      <http-method>POST</http-method>
>      <http-method>GET</http-method>
>   </web-resource-collection>
>
>   <auth-constraint>
>     <description>admin can login</description>
>      <role-name>admin</role-name>
>   </auth-constraint>
>
>    <user-data-constraint>
>      <description>SSL not required</description>
>      <transport-guarantee>NONE</transport-guarantee>
>    </user-data-constraint>
> </security-constraint>
>
> <session-config>
>    <session-timeout>30</session-timeout>
> </session-config>
>
> <!-- LOGIN AUTHENTICATION -->
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>default</realm-name>
>   <form-login-config>
>     <form-login-page>/LoginForm.html</form-login-page>
>     <form-error-page>/LoginError.html</form-error-page>
>   </form-login-config>
>
> </login-config>
>
> <!-- SECURITY ROLES -->
>
> <security-role>
>    <description>The most secure role</description>
>    <role-name>admin</role-name>
> </security-role>
>
> </web-app>
>
>
> -- Rosaria






Re: problems with web.xml and security

Posted by Bill Barker <wb...@wilshire.com>.
If you check your log files, you should see that it doesn't like your
web.xml file because <session-config> comes after <servlet-mapping> and
before <mime-mapping> (which both come before <security-constraint>).
Tomcat 4.x is picky about enforcing the order of elements in your web.xml
file (TC 3.3 is as well, at least by default).  The result is that Tomcat
stopped reading your file as soon as it got to the <session-config> line.

"Rosaria Silipo" <ro...@yahoo.com> wrote in message
news:001301c334f0$0400c2e0$930017ac@SuperTopina...
>
> Hi,
>
> I am trying to set up Tomcat as a secure web engine.
> From the tutorial I understood that you should insert the following
> lines in web.xml and the password protection should work.
>
> This works perfectly for files in the root directory (/*), it does not
> work for files in subdirectories, like /secure/*.
>
> Have you ever seen this problem before?
>
> Thanks for any help
>
> -- Rosaria
>
> <!DOCTYPE web-app
>     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
>     "http://java.sun.com/dtd/web-app_2_3.dtd">
>
> <web-app>
> ...
>
> <!-- SECURITY CONSTRAINT -->
> <security-constraint>
>   <web-resource-collection>
>      <web-resource-name>Secure Pages</web-resource-name>
>      <description>Security constraint on all files</description>
>      <url-pattern>/*</url-pattern>
>      <url-pattern>/secure/*</url-pattern>
>      <http-method>POST</http-method>
>      <http-method>GET</http-method>
>   </web-resource-collection>
>
>   <auth-constraint>
>     <description>admin can login</description>
>      <role-name>admin</role-name>
>   </auth-constraint>
>
>    <user-data-constraint>
>      <description>SSL not required</description>
>      <transport-guarantee>NONE</transport-guarantee>
>    </user-data-constraint>
> </security-constraint>
>
> <session-config>
>    <session-timeout>30</session-timeout>
> </session-config>
>
> <!-- LOGIN AUTHENTICATION -->
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>default</realm-name>
>   <form-login-config>
>     <form-login-page>/LoginForm.html</form-login-page>
>     <form-error-page>/LoginError.html</form-error-page>
>   </form-login-config>
>
> </login-config>
>
> <!-- SECURITY ROLES -->
>
> <security-role>
>    <description>The most secure role</description>
>    <role-name>admin</role-name>
> </security-role>
>
> </web-app>
>
>
> -- Rosaria




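
The strict element ordering Bill describes above comes from the Servlet 2.3 DTD, which fixes the sequence of <web-app> children; Tomcat 4.x refuses a web.xml that violates it. The checker below is an added example for this thread, not code from Tomcat or from any poster: it parses a web.xml, reports the first top-level element that appears earlier than the DTD allows, and can emit a reordered copy. The embedded web.xml is a constructed copy of the one posted in this thread, with <session-config> after <security-constraint> as posted; the DTD order list is the one from web-app_2_3.dtd.

```python
import xml.etree.ElementTree as ET

# Order of <web-app> children fixed by the Servlet 2.3 DTD (web-app_2_3.dtd).
# A name may repeat, but a later name may never precede an earlier one;
# Tomcat 4.x stops reading web.xml at the first violation.
SERVLET_23_ORDER = [
    "icon", "display-name", "description", "distributable", "context-param",
    "filter", "filter-mapping", "listener", "servlet", "servlet-mapping",
    "session-config", "mime-mapping", "welcome-file-list", "error-page",
    "taglib", "resource-env-ref", "resource-ref", "security-constraint",
    "login-config", "security-role", "env-entry", "ejb-ref", "ejb-local-ref",
]
RANK = {name: i for i, name in enumerate(SERVLET_23_ORDER)}

# Constructed sample: the web.xml from this thread, with <session-config>
# placed after <security-constraint>, which the 2.3 DTD does not allow.
POSTED_WEB_XML = """<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Pages</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <session-config><session-timeout>30</session-timeout></session-config>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>default</realm-name>
    <form-login-config>
      <form-login-page>/LoginForm.html</form-login-page>
      <form-error-page>/LoginError.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
"""


def first_out_of_order(web_xml):
    """Return (offending_element, element_it_must_precede) for the first
    top-level child that appears later than the DTD allows, or None when
    the order is valid. Unknown element names are reported as well."""
    root = ET.fromstring(web_xml)
    highest_rank, highest_name = -1, None
    for child in root:
        rank = RANK.get(child.tag)
        if rank is None:
            return (child.tag, "not a Servlet 2.3 web-app element")
        if rank < highest_rank:
            return (child.tag, highest_name)
        highest_rank, highest_name = rank, child.tag
    return None


def reordered(web_xml):
    """Return the document with top-level children sorted into DTD order.
    The sort is stable, so repeated elements keep their relative order.
    ElementTree drops comments and the DOCTYPE; add the DOCTYPE back when
    writing the result to WEB-INF/web.xml."""
    root = ET.fromstring(web_xml)
    root[:] = sorted(root, key=lambda e: RANK.get(e.tag, len(RANK)))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(first_out_of_order(POSTED_WEB_XML))   # ('session-config', 'security-constraint')
    print(first_out_of_order(reordered(POSTED_WEB_XML)))   # None
```

Run against the posted file it names <session-config> as the element that must move ahead of <security-constraint>, which is exactly the failure Tomcat 4 logs before it stops reading the rest of the file (and with it the <security-constraint> and <login-config> that follow).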


RE: problems with web.xml and security

Posted by Rosaria Silipo <ro...@yahoo.com>.

I do not necessarily want the context /secure, but I want that all files
in the directory webapp/secure are protected.

Do I still need two web.xml files?
How do I include webapp/secure into the root context?

Thanks

-- Rosaria

-----Original Message-----
From: Jon Eaves [mailto:jon@eaves.org] 
Sent: Tuesday, June 17, 2003 3:52 PM
To: Tomcat Users List
Subject: Re: problems with web.xml and security

You need 2 web.xml files.

In / (or ROOT) for the context that maps to

http://my.domain.com/

and in the web application defined by the context /secure
which may be in the subdirectory webapps/secure, or it
may be webapps/secure.war, or it may be webapps/somethingelse
and have a <Context> element in conf/server.xml point to the
appropriate web application.

This will map to http://my.domain.com/secure

Remember, we're talking about web applications, and *not*
directories.

So, in the web application that you have defined to be
the context /secure, put the security constraint of /*

That will apply to all files *in that context*.  Different
contexts have different web.xml files.  Directories are only
relevant _within_ a web application.

Cheers,
	-- jon

Rosaria Silipo wrote:

> 
> Sorry, my mistake!
> It worked because in the meantime I removed /secure.
> If I rebuild /secure, I can still access it without being authenticated.
> 
> Summary: I have web.xml for / and web.xml for /secure.
> Without web.xml in /secure/web/WEB-INF I can not build /secure in the
> web application.
> 
> How do I include /secure in the root web application?
> 
> Thanks
> 
> -- Rosaria
> 
> 
> -----Original Message-----
> From: Jon Eaves [mailto:jon@eaves.org] 
> Sent: Tuesday, June 17, 2003 3:04 PM
> To: Tomcat Users List
> Subject: Re: problems with web.xml and security
> 
> Rosaria Silipo wrote:
> 
> 
>>Thanks Carl,
>>
>>Yes, I tried to see /secure as first thing and I can see it without
>>authentication.
>>I tried to close browser and restart it and I still could see it.
>>Maybe the problem is on the web.xml of /secure. Is it possible?
>>
>>-- Rosaria
> 
> 
> If I'm reading your sentence correctly, then yes.
> 
> If /secure is a different web application than / (or ROOT)
> then the different contexts will process different web.xml files.
> 
> The /* is relative to the root of the web application, not to
> the Tomcat installation.
> 
> Cheers,
> 	-- jon
> 

-- 
Jon Eaves <jo...@eaves.org>
http://www.eaves.org/jon
Co-Author of "Apache Tomcat Bible", Wiley 2003


Re: problems with web.xml and security

Posted by Jon Eaves <jo...@eaves.org>.
You need 2 web.xml files.

In / (or ROOT) for the context that maps to

http://my.domain.com/

and in the web application defined by the context /secure
which may be in the subdirectory webapps/secure, or it
may be webapps/secure.war, or it may be webapps/somethingelse
and have a <Context> element in conf/server.xml point to the
appropriate web application.

This will map to http://my.domain.com/secure

Remember, we're talking about web applications, and *not*
directories.

So, in the web application that you have defined to be
the context /secure, put the security constraint of /*

That will apply to all files *in that context*.  Different
contexts have different web.xml files.  Directories are only
relevant _within_ a web application.

Cheers,
	-- jon

Rosaria Silipo wrote:

> 
> Sorry, my mistake!
> It worked because in the meantime I removed /secure.
> If I rebuild /secure, I can still access it without being authenticated.
> 
> Summary: I have web.xml for / and web.xml for /secure.
> Without web.xml in /secure/web/WEB-INF I can not build /secure in the
> web application.
> 
> How do I include /secure in the root web application?
> 
> Thanks
> 
> -- Rosaria
> 
> 
> -----Original Message-----
> From: Jon Eaves [mailto:jon@eaves.org] 
> Sent: Tuesday, June 17, 2003 3:04 PM
> To: Tomcat Users List
> Subject: Re: problems with web.xml and security
> 
> Rosaria Silipo wrote:
> 
> 
>>Thanks Carl,
>>
>>Yes, I tried to see /secure as first thing and I can see it without
>>authentication.
>>I tried to close browser and restart it and I still could see it.
>>Maybe the problem is on the web.xml of /secure. Is it possible?
>>
>>-- Rosaria
> 
> 
> If I'm reading your sentence correctly, then yes.
> 
> If /secure is a different web application than / (or ROOT)
> then the different contexts will process different web.xml files.
> 
> The /* is relative to the root of the web application, not to
> the Tomcat installation.
> 
> Cheers,
> 	-- jon
> 

-- 
Jon Eaves <jo...@eaves.org>
http://www.eaves.org/jon
Co-Author of "Apache Tomcat Bible", Wiley 2003
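The point Jon makes above is easy to check mechanically: a url-pattern in a web.xml is matched against the path *inside* that web application, so a "/secure/*" entry in the ROOT web.xml is never consulted once "/secure" is deployed as its own context. The following is an added example written for this page, not code from the thread or from Tomcat. It embeds a trimmed copy of the security-constraint posted in the thread (constructed input) together with two hypothetical web.xml files for a separately deployed /secure application (SECURE_WEB_XML, protecting everything as Jon advises, and OPEN_WEB_XML, with no constraint at all), and it models the container's pattern-selection order (exact, then longest path-prefix, then extension, then the default "/") rather than reproducing Tomcat's source. It also shows a second thing the thread's constraint does: because it lists only GET and POST in <http-method>, any other verb (HEAD, for instance) falls outside the constraint.

```python
import xml.etree.ElementTree as ET

# Constructed: the constraint from the thread's ROOT web.xml, relevant elements only.
ROOT_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Pages</web-resource-name>
      <url-pattern>/*</url-pattern>
      <url-pattern>/secure/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed (hypothetical): a separate /secure web application that protects
# everything, with no <http-method> list so every verb is covered.
SECURE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed (hypothetical): a /secure web application with no constraints,
# which is the state the thread describes (reachable without logging in).
OPEN_WEB_XML = "<web-app/>"


def parse_constraints(web_xml):
    """Return [(patterns, methods, roles)] per <security-constraint>.
    Empty methods means every verb; roles None means no <auth-constraint>."""
    out = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        patterns, methods = [], set()
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods |= {m.text.strip().upper() for m in wrc.findall("http-method")}
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        out.append((patterns, methods, roles))
    return out


def match_rank(pattern, path):
    """Rank a url-pattern against a context-relative path; None if no match.
    Higher wins: exact > longest path-prefix > extension > default ("/")."""
    if pattern == "/":
        return (0, 0)
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    return (3, 0) if path == pattern else None


def matching_constraints(constraints, path):
    """Constraints whose best-matching pattern ties for the top rank on this path."""
    ranked = []
    for c in constraints:
        ranks = [r for r in (match_rank(p, path) for p in c[0]) if r is not None]
        if ranks:
            ranked.append((max(ranks), c))
    if not ranked:
        return []
    best = max(r for r, _ in ranked)
    return [c for r, c in ranked if r == best]


def resolve_context(contexts, request_uri):
    """Pick the web application by longest context path ('' is ROOT) and
    return (context_path, path relative to that context)."""
    best = ""
    for ctx in contexts:
        if ctx and (request_uri == ctx or request_uri.startswith(ctx + "/")):
            if len(ctx) > len(best):
                best = ctx
    return best, request_uri[len(best):] or "/"


def required_roles(contexts, request_uri, method="GET"):
    """(context_path, roles); roles is None when the request is unconstrained."""
    ctx, path = resolve_context(contexts, request_uri)
    applicable = [c for c in matching_constraints(parse_constraints(contexts[ctx]), path)
                  if not c[1] or method.upper() in c[1]]  # only listed verbs apply
    # No matching constraint, or one without <auth-constraint>, means open access.
    if not applicable or any(c[2] is None for c in applicable):
        return ctx, None
    return ctx, sorted({r for c in applicable for r in c[2]})
```

With only ROOT deployed, required_roles({"": ROOT_WEB_XML}, "/secure/page.html") reports the admin role, which is what the thread saw before /secure existed; add {"/secure": OPEN_WEB_XML} and the same URI resolves to the /secure context, whose web.xml has no constraint, so the answer becomes unconstrained. A HEAD request to /index.html in ROOT is also unconstrained, because the thread's collection names GET and POST only; dropping the <http-method> elements (as SECURE_WEB_XML does) covers every verb.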


RE: problems with web.xml and security

Posted by Rosaria Silipo <ro...@yahoo.com>.

Sorry, my mistake!
It worked because in the meantime I removed /secure.
If I rebuild /secure, I can still access it without being authenticated.

Summary: I have web.xml for / and web.xml for /secure.
Without web.xml in /secure/web/WEB-INF I can not build /secure in the
web application.

How do I include /secure in the root web application?

Thanks

-- Rosaria


-----Original Message-----
From: Jon Eaves [mailto:jon@eaves.org] 
Sent: Tuesday, June 17, 2003 3:04 PM
To: Tomcat Users List
Subject: Re: problems with web.xml and security

Rosaria Silipo wrote:

> Thanks Carl,
> 
> Yes, I tried to see /secure as first thing and I can see it without
> authentication.
> I tried to close browser and restart it and I still could see it.
> Maybe the problem is on the web.xml of /secure. Is it possible?
> 
> -- Rosaria

If I'm reading your sentence correctly, then yes.

If /secure is a different web application than / (or ROOT)
then the different contexts will process different web.xml files.

The /* is relative to the root of the web application, not to
the Tomcat installation.

Cheers,
	-- jon

-- 
Jon Eaves <jo...@eaves.org>
http://www.eaves.org/jon
Co-Author of "Apache Tomcat Bible", Wiley 2003


Re: problems with web.xml and security

Posted by Jon Eaves <jo...@eaves.org>.
Rosaria Silipo wrote:

> Thanks Carl,
> 
> Yes, I tried to see /secure as first thing and I can see it without
> authentication.
> I tried to close browser and restart it and I still could see it.
> Maybe the problem is on the web.xml of /secure. Is it possible?
> 
> -- Rosaria

If I'm reading your sentence correctly, then yes.

If /secure is a different web application than / (or ROOT)
then the different contexts will process different web.xml files.

The /* is relative to the root of the web application, not to
the Tomcat installation.

Cheers,
	-- jon

-- 
Jon Eaves <jo...@eaves.org>
http://www.eaves.org/jon
Co-Author of "Apache Tomcat Bible", Wiley 2003


RE: problems with web.xml and security

Posted by Rosaria Silipo <ro...@yahoo.com>.
Unbelievable to say. It works!
Do you have an explanation for this?

Thanks

-- Rosaria


-----Original Message-----
From: Carl Walker [mailto:walkerce@georgetown.edu] 
Sent: Tuesday, June 17, 2003 1:25 PM
To: Tomcat Users List
Subject: Re: problems with web.xml and security

What happens when you take out the '/*' url-pattern?

Rosaria Silipo wrote:

> Thanks Carl,
>
> Yes, I tried to see /secure as first thing and I can see it without
> authentication.
> I tried to close browser and restart it and I still could see it.
> Maybe the problem is on the web.xml of /secure. Is it possible?
>
> -- Rosaria
>
> -----Original Message-----
> From: Carl Walker [mailto:walkerce@georgetown.edu]
> Sent: Tuesday, June 17, 2003 12:56 PM
> To: Tomcat Users List
> Subject: Re: problems with web.xml and security
>
> I just tested this and wasn't able to see /secadmin without logging-on.
> Are you closing the browser (possibly including mail clients) between
> trials? If you go from hitting '/' with a successful logon to hitting
> '/secure', you won't get a second challenge.
>
> -Carl
>
>     <web-resource-collection>
>       <web-resource-name>SecadminJsps</web-resource-name>
>       <url-pattern>/*</url-pattern>
>       <url-pattern>/secadmin/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>secadmin</role-name>
>     </auth-constraint>
>   </security-constraint>
>
> Rosaria Silipo wrote:
>
> > The second.
> > I can see the files even without having authenticated.
> > The funny part is that it works correctly for /* and for sub-directories
> > that I have not yet created.
> >
> > -- Rosaria
> >
> > -----Original Message-----
> > From: Carl Walker [mailto:walkerce@georgetown.edu]
> > Sent: Tuesday, June 17, 2003 11:37 AM
> > To: Tomcat Users List
> > Subject: Re: problems with web.xml and security
> >
> > In which way doesn't it work?  Are you prohibited from viewing the files
> > after logging in or can you see the files even if you haven't
> > authenticated?
> >
> > -Carl
> >
> > Rosaria Silipo wrote:
> >
> > > Hi,
> > >
> > > I am trying to set up Tomcat as a secure web engine.
> > > From the tutorial I understood that you should insert the following
> > > lines in web.xml and the password protection should work.
> > >
> > > This works perfectly for files in the root directory (/*), it does not
> > > work for files in subdirectories, like /secure/*.
> > >
> > > Have you ever seen this problem before?
> > >
> > > Thanks for any help
> > >
> > > -- Rosaria
> > >
> > > <!DOCTYPE web-app
> > >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> > >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> > >
> > > <web-app>
> > > ...
> > >
> > > <!-- SECURITY CONSTRAINT -->
> > > <security-constraint>
> > >   <web-resource-collection>
> > >      <web-resource-name>Secure Pages</web-resource-name>
> > >      <description>Security constraint on all files</description>
> > >      <url-pattern>/*</url-pattern>
> > >      <url-pattern>/secure/*</url-pattern>
> > >      <http-method>POST</http-method>
> > >      <http-method>GET</http-method>
> > >   </web-resource-collection>
> > >
> > >   <auth-constraint>
> > >     <description>admin can login</description>
> > >      <role-name>admin</role-name>
> > >   </auth-constraint>
> > >
> > >    <user-data-constraint>
> > >      <description>SSL not required</description>
> > >      <transport-guarantee>NONE</transport-guarantee>
> > >    </user-data-constraint>
> > > </security-constraint>
> > >
> > > <session-config>
> > >    <session-timeout>30</session-timeout>
> > > </session-config>
> > >
> > > <!-- LOGIN AUTHENTICATION -->
> > >
> > > <login-config>
> > >   <auth-method>FORM</auth-method>
> > >   <realm-name>default</realm-name>
> > >   <form-login-config>
> > >     <form-login-page>/LoginForm.html</form-login-page>
> > >     <form-error-page>/LoginError.html</form-error-page>
> > >   </form-login-config>
> > >
> > > </login-config>
> > >
> > > <!-- SECURITY ROLES -->
> > >
> > > <security-role>
> > >    <description>The most secure role</description>
> > >    <role-name>admin</role-name>
> > > </security-role>
> > >
> > > </web-app>
> > >
> > > -- Rosaria
> > >


Re: problems with web.xml and security

Posted by Carl Walker <wa...@georgetown.edu>.
What happens when you take out the '/*' url-pattern?

Rosaria Silipo wrote:

> Thanks Carl,
>
> Yes, I tried to see /secure as first thing and I can see it without
> authentication.
> I tried to close browser and restart it and I still could see it.
> Maybe the problem is on the web.xml of /secure. Is it possible?
>
> -- Rosaria
>
> -----Original Message-----
> From: Carl Walker [mailto:walkerce@georgetown.edu]
> Sent: Tuesday, June 17, 2003 12:56 PM
> To: Tomcat Users List
> Subject: Re: problems with web.xml and security
>
> I just tested this and wasn't able to see /secadmin without logging-on.
> Are you closing the browser (possibly including mail clients) between
> trials? If you go from hitting '/' with a successful logon to hitting
> '/secure', you won't get a second challenge.
>
> -Carl
>
>     <web-resource-collection>
>       <web-resource-name>SecadminJsps</web-resource-name>
>       <url-pattern>/*</url-pattern>
>       <url-pattern>/secadmin/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>secadmin</role-name>
>     </auth-constraint>
>   </security-constraint>
>
> Rosaria Silipo wrote:
>
> > The second.
> > I can see the files even without having authenticated.
> > The funny part is that it works correctly for /* and for sub-directories
> > that I have not yet created.
> >
> > -- Rosaria
> >
> > -----Original Message-----
> > From: Carl Walker [mailto:walkerce@georgetown.edu]
> > Sent: Tuesday, June 17, 2003 11:37 AM
> > To: Tomcat Users List
> > Subject: Re: problems with web.xml and security
> >
> > In which way doesn't it work?  Are you prohibited from viewing the files
> > after logging in or can you see the files even if you haven't
> > authenticated?
> >
> > -Carl
> >
> > Rosaria Silipo wrote:
> >
> > > Hi,
> > >
> > > I am trying to set up Tomcat as a secure web engine.
> > > From the tutorial I understood that you should insert the following
> > > lines in web.xml and the password protection should work.
> > >
> > > This works perfectly for files in the root directory (/*), it does not
> > > work for files in subdirectories, like /secure/*.
> > >
> > > Have you ever seen this problem before?
> > >
> > > Thanks for any help
> > >
> > > -- Rosaria
> > >
> > > <!DOCTYPE web-app
> > >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> > >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> > >
> > > <web-app>
> > > ...
> > >
> > > <!-- SECURITY CONSTRAINT -->
> > > <security-constraint>
> > >   <web-resource-collection>
> > >      <web-resource-name>Secure Pages</web-resource-name>
> > >      <description>Security constraint on all files</description>
> > >      <url-pattern>/*</url-pattern>
> > >      <url-pattern>/secure/*</url-pattern>
> > >      <http-method>POST</http-method>
> > >      <http-method>GET</http-method>
> > >   </web-resource-collection>
> > >
> > >   <auth-constraint>
> > >     <description>admin can login</description>
> > >      <role-name>admin</role-name>
> > >   </auth-constraint>
> > >
> > >    <user-data-constraint>
> > >      <description>SSL not required</description>
> > >      <transport-guarantee>NONE</transport-guarantee>
> > >    </user-data-constraint>
> > > </security-constraint>
> > >
> > > <session-config>
> > >    <session-timeout>30</session-timeout>
> > > </session-config>
> > >
> > > <!-- LOGIN AUTHENTICATION -->
> > >
> > > <login-config>
> > >   <auth-method>FORM</auth-method>
> > >   <realm-name>default</realm-name>
> > >   <form-login-config>
> > >     <form-login-page>/LoginForm.html</form-login-page>
> > >     <form-error-page>/LoginError.html</form-error-page>
> > >   </form-login-config>
> > >
> > > </login-config>
> > >
> > > <!-- SECURITY ROLES -->
> > >
> > > <security-role>
> > >    <description>The most secure role</description>
> > >    <role-name>admin</role-name>
> > > </security-role>
> > >
> > > </web-app>
> > >
> > > -- Rosaria
> > >
> > >


RE: problems with web.xml and security

Posted by Rosaria Silipo <ro...@yahoo.com>.
Thanks Carl,

Yes, I tried to see /secure as first thing and I can see it without
authentication.
I tried to close browser and restart it and I still could see it.
Maybe the problem is on the web.xml of /secure. Is it possible?

-- Rosaria


-----Original Message-----
From: Carl Walker [mailto:walkerce@georgetown.edu] 
Sent: Tuesday, June 17, 2003 12:56 PM
To: Tomcat Users List
Subject: Re: problems with web.xml and security

I just tested this and wasn't able to see /secadmin without logging-on.
Are you closing the browser (possibly including mail clients) between
trials? If you go from hitting '/' with a successful logon to hitting
'/secure', you won't get a second challenge.

-Carl

    <web-resource-collection>
      <web-resource-name>SecadminJsps</web-resource-name>
      <url-pattern>/*</url-pattern>
      <url-pattern>/secadmin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>secadmin</role-name>
    </auth-constraint>
  </security-constraint>


Rosaria Silipo wrote:

> The second.
> I can see the files even without having authenticated.
> The funny part is that it works correctly for /* and for sub-directories
> that I have not yet created.
>
> -- Rosaria
>
> -----Original Message-----
> From: Carl Walker [mailto:walkerce@georgetown.edu]
> Sent: Tuesday, June 17, 2003 11:37 AM
> To: Tomcat Users List
> Subject: Re: problems with web.xml and security
>
> In which way doesn't it work?  Are you prohibited from viewing the files
> after logging in or can you see the files even if you haven't
> authenticated?
>
> -Carl
>
> Rosaria Silipo wrote:
>
> > Hi,
> >
> > I am trying to set up Tomcat as a secure web engine.
> > From the tutorial I understood that you should insert the following
> > lines in web.xml and the password protection should work.
> >
> > This works perfectly for files in the root directory (/*), it does not
> > work for files in subdirectories, like /secure/*.
> >
> > Have you ever seen this problem before?
> >
> > Thanks for any help
> >
> > -- Rosaria
> >
> > <!DOCTYPE web-app
> >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> >
> > <web-app>
> > ...
> >
> > <!-- SECURITY CONSTRAINT -->
> > <security-constraint>
> >   <web-resource-collection>
> >      <web-resource-name>Secure Pages</web-resource-name>
> >      <description>Security constraint on all files</description>
> >      <url-pattern>/*</url-pattern>
> >      <url-pattern>/secure/*</url-pattern>
> >      <http-method>POST</http-method>
> >      <http-method>GET</http-method>
> >   </web-resource-collection>
> >
> >   <auth-constraint>
> >     <description>admin can login</description>
> >      <role-name>admin</role-name>
> >   </auth-constraint>
> >
> >    <user-data-constraint>
> >      <description>SSL not required</description>
> >      <transport-guarantee>NONE</transport-guarantee>
> >    </user-data-constraint>
> > </security-constraint>
> >
> > <session-config>
> >    <session-timeout>30</session-timeout>
> > </session-config>
> >
> > <!-- LOGIN AUTHENTICATION -->
> >
> > <login-config>
> >   <auth-method>FORM</auth-method>
> >   <realm-name>default</realm-name>
> >   <form-login-config>
> >     <form-login-page>/LoginForm.html</form-login-page>
> >     <form-error-page>/LoginError.html</form-error-page>
> >   </form-login-config>
> >
> > </login-config>
> >
> > <!-- SECURITY ROLES -->
> >
> > <security-role>
> >    <description>The most secure role</description>
> >    <role-name>admin</role-name>
> > </security-role>
> >
> > </web-app>
> >
> > -- Rosaria
> >
> >


Re: problems with web.xml and security

Posted by Carl Walker <wa...@georgetown.edu>.
I just tested this and wasn't able to see /secadmin without logging-on.  Are
you closing the browser (possibly including mail clients) between trials?
If you go from hitting '/' with a successful logon to hitting '/secure', you
won't get a second challenge.

-Carl

    <web-resource-collection>
      <web-resource-name>SecadminJsps</web-resource-name>
      <url-pattern>/*</url-pattern>
      <url-pattern>/secadmin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>secadmin</role-name>
    </auth-constraint>
  </security-constraint>


Rosaria Silipo wrote:

> The second.
> I can see the files even without having authenticated.
> The funny part is that it works correctly for /* and for sub-directories
> that I have not yet created.
>
> -- Rosaria
>
> -----Original Message-----
> From: Carl Walker [mailto:walkerce@georgetown.edu]
> Sent: Tuesday, June 17, 2003 11:37 AM
> To: Tomcat Users List
> Subject: Re: problems with web.xml and security
>
> In which way doesn't it work?  Are you prohibited from viewing the files
> after logging in or can you see the files even if you haven't
> authenticated?
>
> -Carl
>
> Rosaria Silipo wrote:
>
> > Hi,
> >
> > I am trying to set up Tomcat as a secure web engine.
> > From the tutorial I understood that you should insert the following
> > lines in web.xml and the password protection should work.
> >
> > This works perfectly for files in the root directory (/*), it does not
> > work for files in subdirectories, like /secure/*.
> >
> > Have you ever seen this problem before?
> >
> > Thanks for any help
> >
> > -- Rosaria
> >
> > <!DOCTYPE web-app
> >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> >
> > <web-app>
> > ...
> >
> > <!-- SECURITY CONSTRAINT -->
> > <security-constraint>
> >   <web-resource-collection>
> >      <web-resource-name>Secure Pages</web-resource-name>
> >      <description>Security constraint on all files</description>
> >      <url-pattern>/*</url-pattern>
> >      <url-pattern>/secure/*</url-pattern>
> >      <http-method>POST</http-method>
> >      <http-method>GET</http-method>
> >   </web-resource-collection>
> >
> >   <auth-constraint>
> >     <description>admin can login</description>
> >      <role-name>admin</role-name>
> >   </auth-constraint>
> >
> >    <user-data-constraint>
> >      <description>SSL not required</description>
> >      <transport-guarantee>NONE</transport-guarantee>
> >    </user-data-constraint>
> > </security-constraint>
> >
> > <session-config>
> >    <session-timeout>30</session-timeout>
> > </session-config>
> >
> > <!-- LOGIN AUTHENTICATION -->
> >
> > <login-config>
> >   <auth-method>FORM</auth-method>
> >   <realm-name>default</realm-name>
> >   <form-login-config>
> >     <form-login-page>/LoginForm.html</form-login-page>
> >     <form-error-page>/LoginError.html</form-error-page>
> >   </form-login-config>
> >
> > </login-config>
> >
> > <!-- SECURITY ROLES -->
> >
> > <security-role>
> >    <description>The most secure role</description>
> >    <role-name>admin</role-name>
> > </security-role>
> >
> > </web-app>
> >
> > -- Rosaria
> >


RE: problems with web.xml and security

Posted by Rosaria Silipo <ro...@yahoo.com>.

The second.
I can see the files even without having authenticated.
The funny part is that it works correctly for /* and for sub-directories
that I have not yet created.

-- Rosaria

-----Original Message-----
From: Carl Walker [mailto:walkerce@georgetown.edu] 
Sent: Tuesday, June 17, 2003 11:37 AM
To: Tomcat Users List
Subject: Re: problems with web.xml and security

In which way doesn't it work?  Are you prohibited from viewing the files
after logging in or can you see the files even if you haven't
authenticated?

-Carl

Rosaria Silipo wrote:

> Hi,
>
> I am trying to set up Tomcat as a secure web engine.
> From the tutorial I understood that you should insert the following
> lines in web.xml and the password protection should work.
>
> This works perfectly for files in the root directory (/*), it does not
> work for files in subdirectories, like /secure/*.
>
> Have you ever seen this problem before?
>
> Thanks for any help
>
> -- Rosaria
>
> <!DOCTYPE web-app
>     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
>     "http://java.sun.com/dtd/web-app_2_3.dtd">
>
> <web-app>
> ...
>
> <!-- SECURITY CONSTRAINT -->
> <security-constraint>
>   <web-resource-collection>
>      <web-resource-name>Secure Pages</web-resource-name>
>      <description>Security constraint on all files</description>
>      <url-pattern>/*</url-pattern>
>      <url-pattern>/secure/*</url-pattern>
>      <http-method>POST</http-method>
>      <http-method>GET</http-method>
>   </web-resource-collection>
>
>   <auth-constraint>
>     <description>admin can login</description>
>      <role-name>admin</role-name>
>   </auth-constraint>
>
>    <user-data-constraint>
>      <description>SSL not required</description>
>      <transport-guarantee>NONE</transport-guarantee>
>    </user-data-constraint>
> </security-constraint>
>
> <session-config>
>    <session-timeout>30</session-timeout>
> </session-config>
>
> <!-- LOGIN AUTHENTICATION -->
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>default</realm-name>
>   <form-login-config>
>     <form-login-page>/LoginForm.html</form-login-page>
>     <form-error-page>/LoginError.html</form-error-page>
>   </form-login-config>
>
> </login-config>
>
> <!-- SECURITY ROLES -->
>
> <security-role>
>    <description>The most secure role</description>
>    <role-name>admin</role-name>
> </security-role>
>
> </web-app>
>
> -- Rosaria
>


Re: problems with web.xml and security

Posted by Carl Walker <wa...@georgetown.edu>.
In which way doesn't it work?  Are you prohibited from viewing the files
after logging in or can you see the files even if you haven't
authenticated?

-Carl

Rosaria Silipo wrote:

> Hi,
>
> I am trying to set up Tomcat as a secure web engine.
> From the tutorial I understood that you should insert the following
> lines in web.xml and the password protection should work.
>
> This works perfectly for files in the root directory (/*), it does not
> work for files in subdirectories, like /secure/*.
>
> Have you ever seen this problem before?
>
> Thanks for any help
>
> -- Rosaria
>
> <!DOCTYPE web-app
>     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
>     "http://java.sun.com/dtd/web-app_2_3.dtd">
>
> <web-app>
> ...
>
> <!-- SECURITY CONSTRAINT -->
> <security-constraint>
>   <web-resource-collection>
>      <web-resource-name>Secure Pages</web-resource-name>
>      <description>Security constraint on all files</description>
>      <url-pattern>/*</url-pattern>
>      <url-pattern>/secure/*</url-pattern>
>      <http-method>POST</http-method>
>      <http-method>GET</http-method>
>   </web-resource-collection>
>
>   <auth-constraint>
>     <description>admin can login</description>
>      <role-name>admin</role-name>
>   </auth-constraint>
>
>    <user-data-constraint>
>      <description>SSL not required</description>
>      <transport-guarantee>NONE</transport-guarantee>
>    </user-data-constraint>
> </security-constraint>
>
> <session-config>
>    <session-timeout>30</session-timeout>
> </session-config>
>
> <!-- LOGIN AUTHENTICATION -->
>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <realm-name>default</realm-name>
>   <form-login-config>
>     <form-login-page>/LoginForm.html</form-login-page>
>     <form-error-page>/LoginError.html</form-error-page>
>   </form-login-config>
>
> </login-config>
>
> <!-- SECURITY ROLES -->
>
> <security-role>
>    <description>The most secure role</description>
>    <role-name>admin</role-name>
> </security-role>
>
> </web-app>
>
> -- Rosaria
>

