Posted to users@tomcat.apache.org by "sams@mediateam.de" <sa...@mediateam.de> on 2003/08/29 12:01:52 UTC
Broken?: security constraint for actions
Hello,
I have set up a struts-like web app running under Tomcat 4.1.27 on
win2000 and JDK1.4.2. I want to restrict access to parts of my app based
on the "action" parameter in the URL. That is, calls to
/controller?action=deposit
can be made by members of the group "user". But, say, calls to
/controller?action=withdraw
can only be made by members of the group "admin".
How can I protect these resources? If I try to use
<security-constraint>
    <web-resource-collection>
        <web-resource-name>ListAccounts</web-resource-name>
        <description>The pages</description>
        <url-pattern>/controller?action=withdraw</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
The container ignores the constraint. What is wrong here?
Also, I have seen web.xml files in which classes themselves are
constrained via a url-pattern such as
<url-pattern>/WEB-INF/classes/a/b/Foo.class</url-pattern>
If I try to use such restraints in Tomcat, they are not honored.
Any ideas or references?
Thanks
Bruce Sams
=====
Dr. Bruce J. Sams, III
mediateam
Weidenweg 2, 85375 Neufahrn
Germany
tel: +49 (0) 8165/65095
fax: +49 (0) 8165/65096
web: http://www.mediateam.de
This communication may contain privileged
information. If you are not the intended recipient
please notify the sender immediately and destroy this e-mail.
All unauthorised copying, disclosure or distribution of the
material in this e-mail or of parts hereof is strictly forbidden.
Re: Broken?: security constraint for actions
Posted by Tim Funk <fu...@joedog.org>.
You can't use query strings in security constraints.
You can always do programmatic authorization via request.isUserInRole(userName)
-Tim
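Tim's suggestion carried out in code, as an added example that is not from the thread: a hypothetical ControllerServlet maps each action name to the role allowed to invoke it, checks request.isUserInRole() before running anything, and answers 403 otherwise. The action names and role names are the ones from the original question; the class name and the placeholder action handling are assumptions.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical front controller for /controller?action=... (Servlet 2.3 API, JDK 1.4 style, no generics).
// The container still does the authentication: web.xml needs a <security-constraint> whose url-pattern
// is /controller (no query string) plus a <login-config>, and each role checked here must be declared
// in a <security-role>; otherwise isUserInRole() is false for every caller.
public class ControllerServlet extends HttpServlet {
    // Action name -> role required to run it. Actions not listed here are denied.
    private static final Map REQUIRED_ROLE = new HashMap();
    static {
        REQUIRED_ROLE.put("deposit", "user");
        REQUIRED_ROLE.put("withdraw", "admin");
    }
    // Role an action needs, or null for an unknown (or missing) action.
    static String requiredRole(String action) {
        return action == null ? null : (String) REQUIRED_ROLE.get(action);
    }

    // Deny by default: the action must be known and the caller must hold its role.
    static boolean isAllowed(HttpServletRequest req, String action) {
        String role = requiredRole(action);
        return role != null && req.isUserInRole(role);
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String action = req.getParameter("action");
        if (!isAllowed(req, action)) {
            // Record the refusal; remote user is null when the container never authenticated.
            log("denied action=" + action + " user=" + req.getRemoteUser());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Placeholder for the application's real action handling.
        resp.setContentType("text/plain");
        resp.getWriter().println("ran " + action + " as " + req.getRemoteUser());
    }
    // Same check for POST, so switching the HTTP method does not skip the role check.
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }
}
```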
Re: Broken?: security constraint for actions
Posted by ToFu <su...@spankhouse.com>.
Perhaps you should try using distinct directories instead? That should work
a little more cleanly.
Todd