Posted to users@tomcat.apache.org by "Hugi Michael, Informaticon AG" <mi...@informaticon.ch> on 2012/02/13 14:30:43 UTC

problem with auth-constraint in xml

Hello

I have a problem with defining <auth-constraint> in the web.xml of my Java project. I defined several user roles, which have access to several <url-pattern>s. Here is the part of the XML in which I define the patterns that can be accessed by every role.

       <security-constraint>
             <web-resource-collection>
                    <web-resource-name>Webservice for everyone</web-resource-name>
                    <url-pattern>/push</url-pattern>
                    <url-pattern>/rest/version/*</url-pattern>
                    <url-pattern>/rest/lizenz/*</url-pattern>
                    <url-pattern>/rest/device</url-pattern>
                    <url-pattern>/rest/device/*</url-pattern>
                    <url-pattern>/rest/eventlog/*</url-pattern>
             </web-resource-collection>
             <auth-constraint>
                    <role-name>role 1</role-name>
                    <role-name>role 2</role-name>
                    <role-name>role 3</role-name>
             </auth-constraint>
       </security-constraint>

Up to here, everything works fine. Now I want to be sure not to make any mistake when I add a new URL, so I need to refuse access by default to any other URL. This is how I do it:

       <security-constraint>
             <web-resource-collection>
                    <web-resource-name>Everything forbidden</web-resource-name>
                    <url-pattern>/*</url-pattern>
             </web-resource-collection>
             <auth-constraint />
       </security-constraint>


Now I have a strange problem. I can access any URL under /rest/device/* without any problem. When I try to access /rest/device I get a 403 Forbidden error. On /rest/device/* I'm using GET and on /rest/device I'm using POST. Has anyone had a similar problem? I'm using Tomcat 7.0.

Thanks in advance,
Michael


Re: Re: problem with auth-constraint in xml

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Michael,

On 2/14/12 3:12 AM, Hugi Michael, Informaticon AG wrote:
> Thank you very much for your response. I thought I already did? The
> pattern /rest/device is in the XML that I sent.

Oops, I missed this:

>> <url-pattern>/rest/device</url-pattern> 
>> <url-pattern>/rest/device/*</url-pattern>

(It got lost in the list of url-patterns that you had).

Try this. What happens if you do these things:

$ curl -i http://host/context/rest/device/something-real

$ curl -i -d 'foo=bar' http://host/context/rest/device/something-real

$ curl -i http://host/context/rest/device

$ curl -i -d 'foo=bar' http://host/context/rest/device

I asked you to use curl (or your favorite tool) because sometimes a 403
error comes not from the document you originally requested but from a
redirect, or from some other document that was requested along the way
and caused the failure. curl performs a single HTTP request and shows the
headers.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: problem with auth-constraint in xml

Posted by "Hugi Michael, Informaticon AG" <mi...@informaticon.ch>.
Hello Chris

Thank you very much for your response. I thought I already did? The pattern /rest/device is in the XML that I sent.

Michael



Re: problem with auth-constraint in xml

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Michael,

On 2/13/12 8:30 AM, Hugi Michael, Informaticon AG wrote:
> I have a problem with defining <auth-constraint> in the web.xml of
> my Java project. I defined several user roles, which have access
> to several <url-pattern>s. Here is the part of the XML in which I
> define the patterns that can be accessed by every role.
> 
> <security-constraint> <web-resource-collection> 
> <web-resource-name>Webservice for everyone</web-resource-name> 
> <url-pattern>/push</url-pattern> 
> <url-pattern>/rest/version/*</url-pattern> 
> <url-pattern>/rest/lizenz/*</url-pattern> 
> <url-pattern>/rest/device</url-pattern> 
> <url-pattern>/rest/device/*</url-pattern> 
> <url-pattern>/rest/eventlog/*</url-pattern> 
> </web-resource-collection> <auth-constraint> <role-name>role
> 1</role-name> <role-name>role 2</role-name> <role-name>role
> 3</role-name> </auth-constraint> </security-constraint>
> 
> Until here, all works fine. Now I want to be sure, not to make any 
> mistake, when I add a new url, so I need to refuse access by
> default to any other url. This is the code, how I make it.
> 
> <security-constraint> <web-resource-collection> 
> <web-resource-name>Everything forbidden</web-resource-name> 
> <url-pattern>/*</url-pattern> </web-resource-collection> 
> <auth-constraint /> </security-constraint>
> 
> 
> Now I got a strange problem. I can access any url with 
> /rest/device/* without any problem. When I try to access
> /rest/device I get the error 403 forbidden. On /rest/device/* I'm
> using GET and on /rest/device I'm using POST. Did someone had any
> similar problem? I'm using Tomcat 7.0

Note that the URL pattern "/rest/device/*" doesn't match
"/rest/device": you are missing a required trailing slash. Try adding
"/rest/device" to your list of <url-pattern>s defined in the
<web-resource-collection> with the name "Webservice for everyone" and
see if that improves things.

-chris

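The pattern-matching and "deny by default" questions raised in this thread, as an added example that is not part of the original posts and is not Tomcat's own code: a Python model of how Tomcat 7 decides which <security-constraint>s govern a request. It re-implements the selection order of RealmBase.findSecurityConstraints (an exact <url-pattern> wins; otherwise the longest matching "/*" prefix pattern; otherwise "*.ext" suffix patterns; otherwise the default pattern "/") and the combination rule of RealmBase.hasResourcePermission (an empty <auth-constraint/> denies everyone, a constraint with no <auth-constraint> permits everyone, otherwise the caller needs one of the union of named roles). POSTERS_WEB_XML mirrors the two constraints from the original post; the "admin" variant, its role and path names, and all function names are constructed for illustration. Under this model a bare /rest/device is governed by the exact pattern listed in the first constraint, so whether the prefix pattern also matches the bare path never comes into play for that request, and a caller holding one of the three roles is allowed; a 403 must then come from something the raw curl exchange will show (wrong role, a redirect, a different path than expected).

```python
"""Which <security-constraint> governs a request? A model of Tomcat 7's rules.

Added example, not Tomcat source. Re-implements the selection order of
RealmBase.findSecurityConstraints and the combination rule of
RealmBase.hasResourcePermission. All web.xml data below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Collection:
    """One <web-resource-collection>: its <url-pattern>s and <http-method>s."""
    patterns: Tuple[str, ...]
    methods: Tuple[str, ...] = ()   # () = no <http-method> given = every verb


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint>. roles=None means no <auth-constraint>
    element (unprotected); roles=() means an empty <auth-constraint/>."""
    name: str
    collections: Tuple[Collection, ...]
    roles: Optional[Tuple[str, ...]] = None


def prefix_matches(pattern: str, uri: str) -> bool:
    """'/a/b/*' matches '/a/b' and anything under '/a/b/', but not '/a/bx'."""
    if pattern == "/*":
        return True
    base = pattern[:-2]                        # drop the trailing "/*"
    return uri == base or uri.startswith(base + "/")


def applicable(constraints: Sequence[Constraint], uri: str, method: str) -> List[Constraint]:
    """Constraints governing (uri, method), in Tomcat's precedence order.

    An empty result means the request is unprotected. That happens when no
    pattern matches at all, but also when the winning pattern's collections
    all name <http-method>s other than this one: Tomcat 7 then applies no
    constraint, and the "/*" catch-all does not step in because it already
    lost to the longer prefix (the 'uncovered HTTP method' hole).
    """
    stages = (
        (lambda p: p == uri, False),                                   # exact
        (lambda p: p.startswith("/") and p.endswith("/*")
                   and prefix_matches(p, uri), True),                  # longest prefix
        (lambda p: p.startswith("*.") and uri.endswith(p[1:]), False),  # suffix
        (lambda p: p == "/", False),                                   # default
    )
    for match, longest_wins in stages:
        hits = [(p, col, c) for c in constraints for col in c.collections
                for p in col.patterns if match(p)]
        if not hits:
            continue
        best = max(len(p) for p, _, _ in hits) if longest_wins else None
        chosen: List[Constraint] = []
        for p, col, c in hits:
            if best is not None and len(p) != best:
                continue                       # a shorter prefix lost
            if col.methods and method not in col.methods:
                continue                       # pattern matched, verb did not
            if c not in chosen:
                chosen.append(c)
        return chosen
    return []


def decide(constraints: Sequence[Constraint], uri: str, method: str,
           caller_roles: Iterable[str]) -> str:
    """'allow' or 'deny' for an authenticated caller holding caller_roles.
    (Tomcat challenges an unauthenticated caller with 401 first; a 403 means
    the caller authenticated but the combined constraints kept them out.)"""
    governing = applicable(constraints, uri, method)
    if not governing:
        return "allow"                         # nothing constrains it
    if any(c.roles == () for c in governing):
        return "deny"                          # <auth-constraint/> beats all
    if any(c.roles is None for c in governing):
        return "allow"                         # an unprotected constraint
    allowed = {r for c in governing for r in c.roles}
    return "allow" if allowed & set(caller_roles) else "deny"


# Constructed to mirror the two constraints in the original post.
POSTERS_WEB_XML = (
    Constraint("Webservice for everyone",
               (Collection(("/push", "/rest/version/*", "/rest/lizenz/*",
                            "/rest/device", "/rest/device/*", "/rest/eventlog/*")),),
               roles=("role 1", "role 2", "role 3")),
    Constraint("Everything forbidden", (Collection(("/*",)),), roles=()),
)

# Constructed variant: an <http-method>GET</http-method> restriction on an
# admin area, plus the same deny-everything catch-all.
VERB_LIMITED_WEB_XML = (
    Constraint("Admin read access",
               (Collection(("/admin/*",), methods=("GET",)),), roles=("admin",)),
    Constraint("Everything forbidden", (Collection(("/*",)),), roles=()),
)

if __name__ == "__main__":
    for uri, method in (("/rest/device/123", "GET"), ("/rest/device", "POST"),
                        ("/rest/devices", "GET"), ("/rest/newthing", "GET")):
        print(f"{method:4} {uri:18} role 1 -> {decide(POSTERS_WEB_XML, uri, method, ['role 1'])}")
    print("POST /admin/users, no roles ->",
          decide(VERB_LIMITED_WEB_XML, "/admin/users", "POST", []))
```

The second data set is the caveat a practitioner wants next to a "/*" deny-all: as soon as a collection names <http-method>s, any verb it does not name is uncovered for that pattern, and the catch-all does not rescue it because the longer prefix already won the match. Either list every verb you care about, or on a Servlet 3.1 container (Tomcat 8 and later) add <deny-uncovered-http-methods/> to web.xml.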