Posted to users@tomcat.apache.org by Jurn Ho <ju...@magicmonster.com> on 2009/03/04 15:31:12 UTC

security-constraint in conf/web.xml

Hello,

I've successfully added a security-constraint into the web.xml of a 
webapp so the user has to use a login to use the webapp.
Is it possible to move this config into the conf/web.xml instead?
I have tried this but the security-constraint affects other webapps.
I've tried changing the url-pattern to "/MyApp/*" but that doesn't work.

thanks,
Jurn




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: security-constraint in conf/web.xml

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chuck,

On 3/4/2009 11:23 AM, Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:chris@christopherschultz.net]
>> Subject: Re: security-constraint in conf/web.xml
>>
>> sf is expected to be used from within a web application, so
>> it has to be deployed along with the webapp. So, the WAR file
>> would have to be modified in this case.
> 
> Sorry, I was under the impression that one could place the security config outside of the webapp when using SecurityFilter; is that not the case?

No, securityfilter is implemented as a javax.servlet.Filter, so it's got
to be applied to the application itself. I suppose you could add its
definition to conf/web.xml but then the OP would be in the same
predicament: all web applications would go through the filter.

It's unclear to me where the configuration file for sf would go at that
point... since it expects to load it from the "starting" webapp. Perhaps
each web application would load its own? I dunno.

Our next version of sf should be Valve-able, which might open up other
opportunities.

- -chris


RE: security-constraint in conf/web.xml

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Subject: Re: security-constraint in conf/web.xml
>
> sf is expected to be used from within a web application, so
> it has to be deployed along with the webapp. So, the WAR file
> would have to be modified in this case.

Sorry, I was under the impression that one could place the security config outside of the webapp when using SecurityFilter; is that not the case?

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.



Re: security-constraint in conf/web.xml

Posted by Jurn Ho <ju...@magicmonster.com>.
Christopher Schultz wrote:
> Chuck,
>
> On 3/4/2009 10:01 AM, Caldarale, Charles R wrote:
>   
>>> From: Jurn Ho [mailto:jurn@magicmonster.com]
>>> Subject: Re: security-constraint in conf/web.xml
>>>
>>> ok, is there an easy way to require authentication to access a
>>> particular webapp, without modifying the war file?
>>>       
>> You can try using this:
>> http://securityfilter.sourceforge.net/
>>     
>
> sf is expected to be used from within a web application, so it has to be
> deployed along with the webapp. So, the WAR file would have to be
> modified in this case.
>
> To the OP: what's wrong with modifying the deployment descriptor of your
> webapp in order to .... describe the deployment of your webapp?
>   
Nothing wrong with that, it makes sense.
We had a request from a client to require authentication on a webapp 
they are testing out. On production we don't want the authentication.
If we could keep the wars exactly the same it would simplify things for 
operations.

Jurn

> - -chris


Re: security-constraint in conf/web.xml

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Chuck,

On 3/4/2009 10:01 AM, Caldarale, Charles R wrote:
>> From: Jurn Ho [mailto:jurn@magicmonster.com]
>> Subject: Re: security-constraint in conf/web.xml
>>
>> ok, is there an easy way to require authentication to access a
>> particular webapp, without modifying the war file?
> 
> You can try using this:
> http://securityfilter.sourceforge.net/

sf is expected to be used from within a web application, so it has to be
deployed along with the webapp. So, the WAR file would have to be
modified in this case.

To the OP: what's wrong with modifying the deployment descriptor of your
webapp in order to .... describe the deployment of your webapp?

- -chris


RE: security-constraint in conf/web.xml

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Jurn Ho [mailto:jurn@magicmonster.com]
> Subject: Re: security-constraint in conf/web.xml
>
> ok, is there an easy way to require authentication to access a
> particular webapp, without modifying the war file?

You can try using this:
http://securityfilter.sourceforge.net/

 - Chuck




Re: security-constraint in conf/web.xml

Posted by Jurn Ho <ju...@magicmonster.com>.
ok, is there an easy way to require authentication to access a 
particular webapp, without modifying the war file?

Caldarale, Charles R wrote:
>> From: Jurn Ho [mailto:jurn@magicmonster.com]
>> Subject: security-constraint in conf/web.xml
>>
>> Is it possible to move this config into the conf/web.xml instead?
>> I have tried this but the security-constraint affects other webapps.
>>     
>
> Which is exactly what conf/web.xml is supposed to do - it provides settings for *all* webapps.  Why did you expect something different?
>
>   
>> I've tried changing the url-pattern to "/MyApp/*" but that
>> doesn't work.
>>     
>
> Also expected; why did you think it would?  Read the servlet spec; the webapp path is not part of the URL pattern for a security constraint.
>
>  - Chuck
>
>
>   


RE: security-constraint in conf/web.xml

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Jurn Ho [mailto:jurn@magicmonster.com]
> Subject: security-constraint in conf/web.xml
>
> Is it possible to move this config into the conf/web.xml instead?
> I have tried this but the security-constraint affects other webapps.

Which is exactly what conf/web.xml is supposed to do - it provides settings for *all* webapps.  Why did you expect something different?

> I've tried changing the url-pattern to "/MyApp/*" but that
> doesn't work.

Also expected; why did you think it would?  Read the servlet spec; the webapp path is not part of the URL pattern for a security constraint.

 - Chuck
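
Added example, not part of the original thread or any poster's configuration: a per-webapp WEB-INF/web.xml showing how the url-pattern of a security-constraint is matched relative to the context path, as the reply above states. The context path /MyApp comes from the question; the Servlet 2.5 descriptor version, the role name "tester" and the realm name are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: WEB-INF/web.xml of a webapp assumed to be deployed at
     context path /MyApp. Role and realm names are hypothetical. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <!-- The pattern is matched against the request path AFTER the
           context path is removed: a request for /MyApp/index.jsp is
           tested as /index.jsp, so /* covers the whole webapp. -->
      <url-pattern>/*</url-pattern>
      <!-- <url-pattern>/MyApp/*</url-pattern> would only cover requests
           for /MyApp/MyApp/..., leaving the rest of the webapp open. -->
      <!-- No <http-method> elements are listed, so the constraint
           applies to every HTTP method. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Hypothetical role; it must exist in the configured Realm. -->
      <role-name>tester</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>MyApp test access</realm-name>
  </login-config>

  <security-role>
    <role-name>tester</role-name>
  </security-role>

</web-app>
```

The same elements placed in conf/web.xml are merged into every deployed webapp, so /* there protects all applications and /MyApp/* protects only a /MyApp/ subdirectory inside each of them.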

