Posted to users@tomcat.apache.org by Frank Lawlor <fr...@athensgroup.com> on 2001/10/09 17:47:34 UTC

Structuring webapp for security

I am interested in people's opinion on how to address the
following question in webapp structure regarding security.

If I use basic authentication for MyApp I can say in web.xml:
    <security-constraint>
      ...
         <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/*</url-pattern>
    </security-constraint>

and this will protect my entire app.  However, if I want form-based
security and say:
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/security/login/login.jsp</form-login-page>
        <form-error-page>/security/login/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

Tomcat will just go into a loop trying to access the login.jsp.

What to do?

I can re-define the url-patterns to specify all paths except the one
to /security, but this seems to create a real maintenance problem
and potential security hole (e.g., someone adds an app directory
and forgets to add it to the url-pattern list.)

Am I missing some simple way of handling this?

Should Tomcat be doing something special to allow access to the 
URLs specified in <form-login-config> without looping?

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software solutions.




Re: Structuring webapp for security

Posted by "mike.miller" <mi...@oracle.com>.
318pm,  Today.


----- Original Message ----- 
From: "Frank Lawlor" <fr...@athensgroup.com>
To: "Tomcat (E-mail)" <to...@jakarta.apache.org>
Sent: Tuesday, October 09, 2001 8:47 AM
Subject: Structuring webapp for security




Re: Structuring webapp for security

Posted by Rand McNeely <ra...@yahoo.com>.
Don't worry, Tomcat doesn't protect the forms specified in the security
constraint.
----- Original Message -----
From: "Frank Lawlor" <fr...@athensgroup.com>
To: "Tomcat (E-mail)" <to...@jakarta.apache.org>
Sent: Tuesday, October 09, 2001 10:47 AM
Subject: Structuring webapp for security




Re: Structuring webapp for security

Posted by Jeff Corliss <je...@yahoo.com>.
I had the same problem.  What I did was just to change
the protected <url-pattern> to be less general and to
allow the login files to be available in a directory
outside of the protected area.  Specifically:

In the web.xml, I used:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>whatever</web-resource-name>
        <!-- Define the context-relative URL(s) to be protected -->
        <url-pattern>/secured/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <!-- Anyone with one of the listed roles may access this area -->
        <role-name>whatever</role-name>
      </auth-constraint>
    </security-constraint>

The actual webapp directory then looks like this:

+webapps
  +mywebapp
    index.html in here (has link with href="secured" to login)
    +login
      login.jsp in here
    +secured
      protected .jsps and other stuff in here

Also now you can "login protect" your servlets by
setting up servlet mappings in the web.xml such that
the url patterns start with /secured.  For example:

    <servlet>
      <servlet-name>whatever</servlet-name>
      <servlet-class>whatever</servlet-class>
    </servlet>
    <servlet-mapping>
      <url-pattern>/secured/whatever</url-pattern>
      <servlet-name>whatever</servlet-name>
    </servlet-mapping>

*jc*


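As an added example (not code from this thread or from Tomcat), the following Python script lints a web.xml for the exact problem raised above: it collects every url-pattern of a security-constraint that carries an auth-constraint, then reports any form-login-page or form-error-page that one of those patterns covers, which is the configuration that sends Tomcat into the redirect loop Frank describes. The two web.xml documents inside it are constructed for the example: the first mirrors Frank's /* constraint with the login pages under /security, the second mirrors Jeff's layout with /secured/* protected and the login pages in /login. Pattern matching follows the four url-pattern forms of the servlet specification (exact path, "/prefix/*", "*.ext", and "/").

```python
"""Lint a web.xml for form-login pages that sit inside a protected area.

Added example, not code from the thread or from Tomcat: it parses the
<security-constraint> url-patterns and the <form-login-config> pages and
reports any login or error page that a constraint would intercept, which is
the redirect loop described in the thread. url-pattern matching follows the
servlet specification's four forms: exact path, "/prefix/*", "*.ext", "/".
"""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the original post: /* protects everything,
# including the login and error pages under /security/login.
LOOPING_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole app</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/security/login/login.jsp</form-login-page>
      <form-error-page>/security/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

# Constructed sample mirroring the reply: only /secured/* is protected and
# the login pages live in /login, outside that prefix.
FIXED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secured area</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login/login.jsp</form-login-page>
      <form-error-page>/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""


def _elements(node, name):
    """Yield descendants of node with the given local name, ignoring any
    default xmlns that a newer web.xml may declare."""
    for el in node.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            yield el


def pattern_matches(pattern, path):
    """Return True if a servlet url-pattern covers the context-relative path."""
    if pattern in ("/", "/*"):          # default servlet / whole context
        return True
    if pattern.endswith("/*"):          # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):        # extension mapping
        return path.endswith(pattern[1:])
    return path == pattern              # exact mapping


def protected_patterns(root):
    """url-patterns of every constraint that forces a login (has auth-constraint)."""
    patterns = []
    for sc in _elements(root, "security-constraint"):
        if next(_elements(sc, "auth-constraint"), None) is None:
            continue  # transport-guarantee only: no login is forced here
        patterns.extend(p.text.strip() for p in _elements(sc, "url-pattern") if p.text)
    return patterns


def login_pages(root):
    """Map form-login-page / form-error-page to their configured paths."""
    pages = {}
    flc = next(_elements(root, "form-login-config"), None)
    if flc is None:
        return pages
    for tag in ("form-login-page", "form-error-page"):
        el = next(_elements(flc, tag), None)
        if el is not None and el.text:
            pages[tag] = el.text.strip()
    return pages


def find_loops(web_xml):
    """Return (tag, page, pattern) for each login page a constraint covers."""
    root = ET.fromstring(web_xml)
    patterns = protected_patterns(root)
    return [(tag, page, pat)
            for tag, page in login_pages(root).items()
            for pat in patterns
            if pattern_matches(pat, page)]


if __name__ == "__main__":
    for name, doc in (("looping", LOOPING_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(name, find_loops(doc) or "ok")
```

Running this against the first document reports both pages as covered by /*; the second reports nothing. Wired into a build step, it turns the maintenance worry from the original post into a failed build: if someone later widens a constraint so that it covers the login or error page, the lint fails before the loop reaches production. Any auth-constraint is treated as forcing a login, which is right for both a listed role-name and an empty auth-constraint (deny all).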
Re: Structuring webapp for security

Posted by "Craig R. McClanahan" <cr...@apache.org>.
Tomcat 3.2 (don't know about 3.3) doesn't handle the case where the login
page is inside the protected area correctly.  It should work fine in 4.0
though.

Craig


On Tue, 9 Oct 2001, Frank Lawlor wrote:

> Date: Tue, 9 Oct 2001 10:47:34 -0500
> From: Frank Lawlor <fr...@athensgroup.com>
> Reply-To: tomcat-user@jakarta.apache.org, frank.lawlor@athensgroup.com
> To: "Tomcat (E-mail)" <to...@jakarta.apache.org>
> Subject: Structuring webapp for security