Posted to users@tomcat.apache.org by Jim Coble <Ji...@duke.edu> on 2003/01/08 16:34:06 UTC

Question about Tomcat 4.1.12 WebDAV application

Version: Tomcat 4.1.12 on Solaris 8

I'm trying to configure the WebDAV application included in the Tomcat
4.1.12 distribution so that it requires a login to add or remove files but
not to view them.

If I use the web.xml security-constraint contained in the distribution --

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>The Entire Web Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>

-- then all attempts to access the content, including a simple browser
request for <http://localhost:8080/webdav/> require a login.

I thought I could password protect only adding and removing files by adding
<http-method> for PUT and DELETE as shown below --

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>The Entire Web Application</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>

-- but, if I do that, I seem to be able to add and remove files using my
WebDAV client (Web Folders on Windows XP) without authenticating.

I can't help but think that I'm missing something obvious.  Can anyone
help?

Thanks in advance.
--Jim

==================================
Jim Coble
Senior Technology Specialist
Center for Instructional Technology
Email: jim.coble@duke.edu
Voice: 919-660-5974  Fax: 919-660-5923
Box 90198, Duke University
Durham, NC 27708-0198
==================================




--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
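
Added example, not part of the original thread: under the servlet specification, a web-resource-collection that lists <http-method> elements constrains only the listed methods. The Python sketch below reports which WebDAV write methods the second constraint above leaves without a login requirement. It assumes an un-namespaced, DTD-style web.xml (Servlet 2.3, as in Tomcat 4.1) and exact url-pattern matching; the function name and the method set are this example's own.

```python
import xml.etree.ElementTree as ET

# Methods that modify a WebDAV repository (RFC 4918 plus HTTP PUT/DELETE).
DAV_WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE",
                     "PROPPATCH", "LOCK", "UNLOCK"}

# The second constraint from the message, wrapped in a minimal <web-app>
# (wrapper constructed for this example).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>The Entire Web Application</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def uncovered_write_methods(web_xml, url_pattern="/*"):
    """Return the WebDAV write methods that no constraint carrying an
    <auth-constraint> covers for the given url-pattern (exact match only)."""
    covered = set()
    root = ET.fromstring(web_xml)
    for sc in root.iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no auth-constraint: this collection requires no login
        for coll in sc.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in coll.findall("url-pattern")]
            if url_pattern not in patterns:
                continue
            methods = {m.text.strip().upper()
                       for m in coll.findall("http-method")}
            # No <http-method> elements means every method is covered.
            covered |= methods if methods else DAV_WRITE_METHODS
    return sorted(DAV_WRITE_METHODS - covered)


if __name__ == "__main__":
    print("write methods without a login requirement:",
          uncovered_write_methods(WEB_XML))
```

Running it against the first constraint (no <http-method> elements) returns an empty list, since that form covers every method.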


Re: Question about Tomcat 4.1.12 WebDAV application

Posted by Andreas Probst <an...@gmx.net>.
Hi Jim,

it might be that Windows cached your credentials. You could try the
Slide client (Jakarta subproject Slide), which requires you to type
in the credentials every time you start it.
You won't need to start the Slide server or the included Tomcat,
just the client at pathTo\jakarta-slide-1.0.16\client\bin\run.bat.
(It might be necessary to start run.bat by typing bin\run in the
client directory.)

Andreas


On 8 Jan 2003 at 10:34, Jim Coble wrote:

> Version: Tomcat 4.1.12 on Solaris 8
> 
> I'm trying to configure the WebDAV application included in the
> Tomcat 4.1.12 distribution so that it requires a login to add or
> remove files but not to view them.
> 
> If I use the web.xml security-constraint contained in the
> distribution --
> 
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>The Entire Web Application</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>tomcat</role-name>
>     </auth-constraint>
>   </security-constraint>
> 
> -- then all attempts to access the content, including a simple
> browser request for <http://localhost:8080/webdav/> require a
> login.
> 
> I thought I could password protect only adding and removing files
> by adding <http-method> for PUT and DELETE as shown below --
> 
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>The Entire Web Application</web-resource-name>
>       <url-pattern>/*</url-pattern>
>       <http-method>DELETE</http-method>
>       <http-method>PUT</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>tomcat</role-name>
>     </auth-constraint>
>   </security-constraint>
> 
> -- but, if I do that, I seem to be able to add and remove files
> using my WebDAV client (Web Folders on Windows XP) without
> authenticating.
> 
> I can't help but think that I'm missing something obvious.  Can
> anyone help?
> 
> Thanks in advance.
> --Jim
> 
> ==================================
> Jim Coble
> Senior Technology Specialist
> Center for Instructional Technology
> Email: jim.coble@duke.edu
> Voice: 919-660-5974  Fax: 919-660-5923
> Box 90198, Duke University
> Durham, NC 27708-0198
> ==================================