Posted to users@tomcat.apache.org by Yogesh Shankarappa <yo...@gmail.com> on 2011/10/14 23:22:47 UTC

Configuration for both protected and public URLs in a web application

Hello All,


I am trying to configure web.xml to have both protected and public URLs, but
the app still authenticates the public URLs. Protected URLs work fine. I would
greatly appreciate it if you can help me configure the whole application as
protected except for a few URLs, which should be public and without
authentication. I could have added each URL as protected, but there are plenty,
hence using /* for protected.

*protected URLs*
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>AUTHENTICATED_USERS</role-name>
    </auth-constraint>
</security-constraint>

*public URLs*
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Unprotected</web-resource-name>
        <url-pattern>/public/welcome.html</url-pattern>
    </web-resource-collection>
</security-constraint>


Thanks in advance.


Thanks
Yogesh

Re: Configuration for both protected and public URLs in a web application

Posted by Yogesh Shankarappa <yo...@gmail.com>.
On Sat, Oct 15, 2011 at 11:49 AM, Brian Burch <br...@pingtoo.com> wrote:

> On 15/10/11 14:47, Yogesh Shankarappa wrote:
>
>> Thanks for your response. I tried your suggestion; unfortunately it did not
>> work. There must be a solution for this, as most web applications have both
>> public and protected URLs.
>>
>>
>>>> *public URLs*
>>>> <security-constraint>
>>>>     <web-resource-collection>
>>>>         <web-resource-name>Unprotected</web-resource-name>
>>>>         <url-pattern>/public/welcome.html</url-pattern>
>>>>     </web-resource-collection>
>>>> </security-constraint>
>>>>
>>>>
>>>> Thanks in advance.
>>>>
>>>>
>>>> Thanks
>>>> Yogesh
>>>>
>>>>
>>>
>>> Try to do it like this for public URLs: put an empty auth-constraint tag.
>>>
>>>  *public URLs*
>>>> <security-constraint>
>>>>     <web-resource-collection>
>>>>         <web-resource-name>Unprotected</web-resource-name>
>>>>         <url-pattern>/public/welcome.html</url-pattern>
>>>>     </web-resource-collection>
>>>>     <auth-constraint />
>>>> </security-constraint>
>>>>
>>>>
>>>>
>>>
>>> Reference:- http://java.dzone.com/articles/understanding-web-security
>>>
>>>
>>
>>
> Here is an extract from a web.xml that does what you want... it is the
> presence of a security constraint WITHOUT an auth constraint AT ALL that
> denotes public, unauthenticated access.
>
> (Note... don't forget to permit access to the webapp base url if you have
> turned off directory browsing and you want the default servlet to redirect
> to your welcome page).
>
>  <security-constraint>
>    <display-name>Free Access</display-name>
>    <web-resource-collection>
>      <web-resource-name>unauthed users can GET only</web-resource-name>
>      <!-- Define the context-relative URLs to be unprotected -->
>      <!-- must unprotect base url to permit redirect to welcome! -->
>      <url-pattern>/</url-pattern>
>      <url-pattern>/myAccessControl.html</url-pattern>
>      <url-pattern>/myError.jsp</url-pattern>
>      <http-method>GET</http-method>
>    </web-resource-collection>
>    <!-- absence of <auth-constraint> means anyone at all can access this area -->
>    <user-data-constraint>
>      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>    </user-data-constraint>
>  </security-constraint>
>
>  <security-constraint>
>    <display-name>Restricted Access</display-name>
>    <web-resource-collection>
>      <web-resource-name>Protected web application</web-resource-name>
>      <!-- Define the context-relative URL(s) to be protected -->
>      <url-pattern>/*</url-pattern>
>      <!-- no list of http methods, so ALL methods are protected -->
>    </web-resource-collection>
>    <auth-constraint>
>      <!-- Only someone authenticated with one of these roles can access this area -->
>      <role-name>manager</role-name>
>      <role-name>family</role-name>
>    </auth-constraint>
>  </security-constraint>
>
> Hope this sorts out your problem - when I had something similar it drove me
> nuts reading the servlet specs and the tomcat docs to work out exactly how
> to do it.
>
> Brian
>
>
Thanks for your help, Brian. It worked!!!


Yogesh

Re: Configuration for both protected and public URLs in a web application

Posted by Brian Burch <br...@pingtoo.com>.
On 15/10/11 14:47, Yogesh Shankarappa wrote:
> Thanks for your response. I tried your suggestion; unfortunately it did not
> work. There must be a solution for this, as most web applications have both
> public and protected URLs.
>
>>>
>>> *public URLs*
>>> <security-constraint>
>>>          <web-resource-collection>
>>>              <web-resource-name>Unprotected</web-resource-name>
>>>              <url-pattern>/public/welcome.html</url-pattern>
>>>          </web-resource-collection>
>>> </security-constraint>
>>>
>>>
>>> Thanks in advance.
>>>
>>>
>>> Thanks
>>> Yogesh
>>>
>>
>>
>> Try to do it like this for public URLs: put an empty auth-constraint tag.
>>
>>> *public URLs*
>>> <security-constraint>
>>>     <web-resource-collection>
>>>         <web-resource-name>Unprotected</web-resource-name>
>>>         <url-pattern>/public/welcome.html</url-pattern>
>>>     </web-resource-collection>
>>>     <auth-constraint />
>>> </security-constraint>
>>>
>>>
>>
>>
>> Reference:- http://java.dzone.com/articles/understanding-web-security
>>
>

Here is an extract from a web.xml that does what you want... it is the 
presence of a security constraint WITHOUT an auth constraint AT ALL that 
denotes public, unauthenticated access.

(Note... don't forget to permit access to the webapp base url if you 
have turned off directory browsing and you want the default servlet to 
redirect to your welcome page).

  <security-constraint>
    <display-name>Free Access</display-name>
    <web-resource-collection>
      <web-resource-name>unauthed users can GET only</web-resource-name>
      <!-- Define the context-relative URLs to be unprotected -->
      <!-- must unprotect base url to permit redirect to welcome! -->
      <url-pattern>/</url-pattern>
      <url-pattern>/myAccessControl.html</url-pattern>
      <url-pattern>/myError.jsp</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <!-- absence of <auth-constraint> means anyone at all can access this area -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-constraint>
    <display-name>Restricted Access</display-name>
    <web-resource-collection>
      <web-resource-name>Protected web application</web-resource-name>
      <!-- Define the context-relative URL(s) to be protected -->
      <url-pattern>/*</url-pattern>
      <!-- no list of http methods, so ALL methods are protected -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Only someone authenticated with one of these roles can access this area -->
      <role-name>manager</role-name>
      <role-name>family</role-name>
    </auth-constraint>
  </security-constraint>

Hope this sorts out your problem - when I had something similar it drove 
me nuts reading the servlet specs and the tomcat docs to work out 
exactly how to do it.

Brian

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Configuration for both protected and public URLs in a web application

Posted by Yogesh Shankarappa <yo...@gmail.com>.
Thanks for your response. I tried your suggestion; unfortunately it did not
work. There must be a solution for this, as most web applications have both
public and protected URLs.


On Fri, Oct 14, 2011 at 5:50 PM, sailendra karthik <
karthiksailendra@gmail.com> wrote:

> On 10/15/11, Yogesh Shankarappa <yo...@gmail.com> wrote:
> > Hello All,
> >
> >
> > I am trying to configure web.xml to have both protected and public URLs,
> > but the app still authenticates the public URLs. Protected URLs work fine.
> > I would greatly appreciate it if you can help me configure the whole
> > application as protected except for a few URLs, which should be public and
> > without authentication. I could have added each URL as protected, but there
> > are plenty, hence using /* for protected.
> >
> > *protected URLs*
> > <security-constraint>
> >     <web-resource-collection>
> >         <web-resource-name>Protected</web-resource-name>
> >         <url-pattern>/*</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >         <role-name>AUTHENTICATED_USERS</role-name>
> >     </auth-constraint>
> > </security-constraint>
> >
> > *public URLs*
> > <security-constraint>
> >     <web-resource-collection>
> >         <web-resource-name>Unprotected</web-resource-name>
> >         <url-pattern>/public/welcome.html</url-pattern>
> >     </web-resource-collection>
> > </security-constraint>
> >
> >
> > Thanks in advance.
> >
> >
> > Thanks
> > Yogesh
> >
>
>
> Try to do it like this for public URLs: put an empty auth-constraint tag.
>
> > *public URLs*
> > <security-constraint>
> >     <web-resource-collection>
> >         <web-resource-name>Unprotected</web-resource-name>
> >         <url-pattern>/public/welcome.html</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint />
> > </security-constraint>
> >
> >
>
>
> Reference:- http://java.dzone.com/articles/understanding-web-security
>
>
>

Re: Configuration for both protected and public URLs in a web application

Posted by sailendra karthik <ka...@gmail.com>.
On 10/15/11, Yogesh Shankarappa <yo...@gmail.com> wrote:
> Hello All,
>
>
> I am trying to configure web.xml to have both protected and public URLs, but
> the app still authenticates the public URLs. Protected URLs work fine. I would
> greatly appreciate it if you can help me configure the whole application as
> protected except for a few URLs, which should be public and without
> authentication. I could have added each URL as protected, but there are
> plenty, hence using /* for protected.
>
> *protected URLs*
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>Protected</web-resource-name>
>         <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>         <role-name>AUTHENTICATED_USERS</role-name>
>     </auth-constraint>
> </security-constraint>
>
> *public URLs*
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>Unprotected</web-resource-name>
>         <url-pattern>/public/welcome.html</url-pattern>
>     </web-resource-collection>
> </security-constraint>
>
>
> Thanks in advance.
>
>
> Thanks
> Yogesh
>


Try to do it like this for public URLs: put an empty auth-constraint tag.

> *public URLs*
> <security-constraint>
>     <web-resource-collection>
>         <web-resource-name>Unprotected</web-resource-name>
>         <url-pattern>/public/welcome.html</url-pattern>
>     </web-resource-collection>
>     <auth-constraint />
> </security-constraint>
>
>


Reference:- http://java.dzone.com/articles/understanding-web-security

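As an added illustration (not code from this thread or from Tomcat), the following Python models the Servlet-spec rules behind the three web.xml fragments above, Brian's working extract and the empty auth-constraint suggestion in this post: only the constraints on the best-matching url-pattern apply, a missing <auth-constraint> means public access, and an empty <auth-constraint/> denies everyone, which is why that suggestion locked the welcome page for all users. It assumes one <web-resource-collection> per constraint and the rank order exact > longest path prefix > extension > default; the constraint sets ORIGINAL, EMPTY_AUTH and BRIAN are constructed from the fragments in the thread.

```python
from dataclasses import dataclass

@dataclass
class Constraint:
    patterns: list            # <url-pattern> values of the collection
    roles: list = None        # None: no <auth-constraint>; []: empty <auth-constraint/>
    methods: tuple = ()       # <http-method> values; empty tuple = every method

def pattern_rank(pattern, path):
    """Servlet matching order: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (4, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (3, len(prefix))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (2, 0)
    if pattern == "/":
        return (1, 0)
    return (0, 0)

def decide(constraints, path, method, user_roles=()):
    """Outcome for one request: public, uncovered, denied, login or granted."""
    best = max((pattern_rank(p, path) for c in constraints for p in c.patterns),
               default=(0, 0))
    if best == (0, 0):
        return "uncovered"      # no pattern mentions this URL at all
    # Only constraints on the best-matching pattern apply; of those, only the
    # collections that list this HTTP method (or list no methods at all).
    applicable = [c for c in constraints
                  if any(pattern_rank(p, path) == best for p in c.patterns)
                  and (not c.methods or method in c.methods)]
    if not applicable:
        return "uncovered"      # pattern matched, but this method is not listed
    if any(c.roles == [] for c in applicable):
        return "denied"         # empty <auth-constraint/> overrides everything else
    if any(c.roles is None for c in applicable):
        return "public"         # missing <auth-constraint> = no authentication
    permitted = {r for c in applicable for r in c.roles}
    return "granted" if permitted & set(user_roles) else "login"

# Constructed models of the three web.xml fragments in this thread.
ORIGINAL = [Constraint(["/*"], roles=["AUTHENTICATED_USERS"]),
            Constraint(["/public/welcome.html"])]               # no <auth-constraint>
EMPTY_AUTH = [Constraint(["/*"], roles=["AUTHENTICATED_USERS"]),
              Constraint(["/public/welcome.html"], roles=[])]   # <auth-constraint/>
BRIAN = [Constraint(["/", "/myAccessControl.html", "/myError.jsp"], methods=("GET",)),
         Constraint(["/*"], roles=["manager", "family"])]
```

Running decide(BRIAN, "/", "POST") returns "uncovered": the exact pattern "/" wins the match but its collection lists only GET, so other methods on that URL are constrained by nothing; Servlet 3.1 containers (Tomcat 8 and later) can close such gaps with <deny-uncovered-http-methods/> in web.xml.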