Posted to users@tomcat.apache.org by "sams@mediateam.de" <sa...@mediateam.de> on 2003/08/29 12:01:52 UTC

Broken?: security constraint for actions

Hello, 

I have set up a struts-like web app running under Tomcat 4.1.27 on
win2000 and JDK1.4.2.  I want to restrict access to parts of my app based
on the "action" parameter in the URL.  That is, calls to 

/controller?action=deposit

can be made by members of the group "user".  But, say, calls to

/controller?action=withdraw

can only be made by members of the group "admin".

How can I protect these resources?  If I try to use


    <security-constraint>
        <web-resource-collection>
            <web-resource-name>ListAccounts</web-resource-name>
            <description>The pages</description>
            <url-pattern>/controller?action=withdraw</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint> 

The container ignores the constraint.  What is wrong here?

Also, I have seen web.xml files in which classes themselves are
constrained via a url-pattern such as

<url-pattern>/WEB-INF/classes/a/b/Foo.class</url-pattern>

If I try to use such restraints in Tomcat, they are not honored.

Any ideas or references?

Thanks

Bruce Sams

=====
Dr. Bruce J. Sams, III
mediateam
Weidenweg 2, 85375 Neufahrn
Germany
tel: +49 (0) 8165/65095  
fax: +49 (0) 8165/65096 
web: http://www.mediateam.de


Re: Broken?: security constraint for actions

Posted by Tim Funk <fu...@joedog.org>.
You can't use query strings in security constraints.

You can always do programmatic authorization via request.isUserInRole(userName)

-Tim

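Tim's suggestion carried through as an added example (not code from the post or from Tomcat): a hypothetical controller servlet that maps each "action" value to the role allowed to run it and checks the caller with request.isUserInRole(). The action names, the role names and the JSP layout under /WEB-INF/jsp/ are assumed.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
 * Hypothetical controller servlet (added example, not code from the original post).
 * A <url-pattern> is matched against the request path only, never the query string,
 * so web.xml can only force authentication for /controller (roles "user" and "admin");
 * which action an authenticated caller may run is decided here with isUserInRole().
 */
public class ControllerServlet extends HttpServlet {
    // Default deny: an action missing from this map is rejected for everyone.
    private static final Map REQUIRED_ROLE = new HashMap();
    static {
        REQUIRED_ROLE.put("deposit", "user");
        REQUIRED_ROLE.put("withdraw", "admin");
    }

    /** Role needed for an action, or null when the action is unknown. */
    static String requiredRole(String action) {
        return action == null ? null : (String) REQUIRED_ROLE.get(action);
    }

    // One entry point for every HTTP method, so GET and POST obey the same rule.
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String action = request.getParameter("action");
        String role = requiredRole(action);
        if (role == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        if (request.getRemoteUser() == null) {
            // Not authenticated: the declarative constraint on /controller is missing.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!request.isUserInRole(role)) {
            log("denied action=" + action + " user=" + request.getRemoteUser());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Authorized. "action" is one of the map keys, so it is safe to use in a path.
        request.getRequestDispatcher("/WEB-INF/jsp/" + action + ".jsp").forward(request, response);
    }
}
```

The roles used in isUserInRole() must still be declared with <security-role> in web.xml, and a <security-constraint> on /controller with a <login-config> is what makes getRemoteUser() non-null in the first place.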

Re: Broken?: security constraint for actions

Posted by ToFu <su...@spankhouse.com>.
Perhaps you should try using distinct directories instead?  That should work
a little more cleanly.


Todd

