You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Chris Chappell <ch...@dive100.freeserve.co.uk> on 2004/11/17 12:34:48 UTC
Realms and Static pages
Hi
How can I protect static pages on my Tomcat powered site with username/role + password information from my jdbc realm?
I have some help pages under /MyContext/help. I cannot find how to put them under /MyContext/WEB-INF/help.
Anybody help? (There's only a few static pages, so it would be overkill to run apache as well)
(Running 5.0.19)
Chris Chappell
Re: Realms and Static pages
Posted by Chris Chappell <ch...@dive100.freeserve.co.uk>.
QM
thanks - I was assuming a mapping between the (e.g.) "Configs" here for
servlet and web-resource-name,
which doesn't actually exist. Hence my befuddlement.
<servlet>
<servlet-name>Config</servlet-name>
<security-constraint>
<web-resource-collection>
<web-resource-name>Config</web-resource-name>
Chris
----- Original Message -----
From: "QM" <qm...@brandxdev.net>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Thursday, November 18, 2004 12:01 AM
Subject: Re: Realms and Static pages
> On Wed, Nov 17, 2004 at 01:25:27PM -0000, Chris Chappell wrote:
> : Thanks QM but I' still not sure what to do!
>
> Please trust me, it's all in the spec...
>
>
> : In my web.xml I have for example (standard stuff!)
> :
> : <servlet>
> : <servlet-name>Config</servlet-name>
> : <servlet-class>org.myorg.config.Config</servlet-class>
> : </servlet>
> :
> : with a mapping and security contraint.
>
> It helps to show the entire file, since that's the root of the problem.
> ;)
>
>
> : I have searched throught the web.xml options below and cannot work out
which
> : one for static html pages.
>
> Try to think outside the box: are you trying to protect "static html
> pages" or just "certain regions (URIs) of the site?"
>
> Hint: you can map <security-constraint> to plain old URIs, not just
> servlet classes. Take a close look at the <url-pattern> tag...
>
> -QM
>
> --
>
> software -- http://www.brandxdev.net
> tech news -- http://www.RoarNetworX.com
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Realms and Static pages
Posted by QM <qm...@brandxdev.net>.
On Wed, Nov 17, 2004 at 01:25:27PM -0000, Chris Chappell wrote:
: Thanks QM but I' still not sure what to do!
Please trust me, it's all in the spec...
: In my web.xml I have for example (standard stuff!)
:
: <servlet>
: <servlet-name>Config</servlet-name>
: <servlet-class>org.myorg.config.Config</servlet-class>
: </servlet>
:
: with a mapping and security contraint.
It helps to show the entire file, since that's the root of the problem.
;)
: I have searched throught the web.xml options below and cannot work out which
: one for static html pages.
Try to think outside the box: are you trying to protect "static html
pages" or just "certain regions (URIs) of the site?"
Hint: you can map <security-constraint> to plain old URIs, not just
servlet classes. Take a close look at the <url-pattern> tag...
-QM
--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Realms and Static pages
Posted by Chris Chappell <ch...@dive100.freeserve.co.uk>.
Thanks QM but I' still not sure what to do!
In my web.xml I have for example (standard stuff!)
<servlet>
<servlet-name>Config</servlet-name>
<servlet-class>org.myorg.config.Config</servlet-class>
</servlet>
with a mapping and security contraint.
I have searched throught the web.xml options below and cannot work out which one for static html pages.
Or do you you use servlet like
<servlet>
<servlet-name>HelpPage</servlet-name>
<servlet-class>/HelpPage.html</servlet-class>
</servlet>
with forward slash to show root context folder. I've serached high and low on the net - all the examples (and in the TC examples) don't restrict static pages.
I'm sure its easy when you know how, but .... :-)
<!--
"(icon?,display-name?,description?,distributable?,context-param*,filter*,filter-
mapping*,listener*,servlet*,servlet-mapping*,session-config?,mime-mapping*,welco
me-file-list?,error-page*,taglib*,resource-env-ref*,resource-ref*,security-const
raint*,login-config?,security-role*,env-entry*,ejb-ref*,ejb-local-ref*)".
-->
Chris Chappell
----- Original Message -----
From: "QM" <qm...@brandxdev.net>
To: "Tomcat Users List" <to...@jakarta.apache.org>
Sent: Wednesday, November 17, 2004 12:02 PM
Subject: Re: Realms and Static pages
> On Wed, Nov 17, 2004 at 11:34:48AM -0000, Chris Chappell wrote:
> : How can I protect static pages on my Tomcat powered site with username/role +
> : password information from my jdbc realm?
>
> Use the standard roles/auth constraints in web.xml. See the servlet
> spec, or some random servlet/JSP articles/books, for details.
>
>
> : I have some help pages under /MyContext/help. I cannot find how to put them
> : under /MyContext/WEB-INF/help.
> : Anybody help? (There's only a few static pages, so it would be overkill to run
> : apache as well)
>
> Yes: don't put them under WEB-INF unless you want to write code to serve
> them yourself. =) By default, files under WEB-INF are *not* available
> for standard requests (HTTP/GET, HTTP/POST, etc). This prevents
> would-be miscreants from downloading the app's code and config files.
>
>
> -QM
>
> --
>
> software -- http://www.brandxdev.net
> tech news -- http://www.RoarNetworX.com
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
Re: Realms and Static pages
Posted by QM <qm...@brandxdev.net>.
On Wed, Nov 17, 2004 at 11:34:48AM -0000, Chris Chappell wrote:
: How can I protect static pages on my Tomcat powered site with username/role +
: password information from my jdbc realm?
Use the standard roles/auth constraints in web.xml. See the servlet
spec, or some random servlet/JSP articles/books, for details.
: I have some help pages under /MyContext/help. I cannot find how to put them
: under /MyContext/WEB-INF/help.
: Anybody help? (There's only a few static pages, so it would be overkill to run
: apache as well)
Yes: don't put them under WEB-INF unless you want to write code to serve
them yourself. =) By default, files under WEB-INF are *not* available
for standard requests (HTTP/GET, HTTP/POST, etc). This prevents
would-be miscreants from downloading the app's code and config files.
-QM
--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org