Posted to dev@tomcat.apache.org by Jon Stevens <jo...@latchkey.com> on 2000/09/02 23:13:14 UTC
security-constraint
hey all,
Using latest tomcat in CVS.
I'm trying to set up BASIC auth security for a webapp context and it isn't
working at all.
I have a webapp/PROJECT/templates directory that I would like a BASIC auth
popup to appear on. I don't even care if there is no username/password right
now. I just want the popup to happen.
Here is what I have in my webapp/PROJECT/WEB-INF/web.xml:
<webapp>
  <servlet>
    ...
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>templates</web-resource-name>
      <url-pattern>/templates/*</url-pattern>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </web-resource-collection>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Don't go there</realm-name>
    </login-config>
  </security-constraint>
</webapp>
The above doesn't work at all.
Any suggestions?
thanks,
-jon
--
http://scarab.tigris.org/ | http://noodle.tigris.org/
http://java.apache.org/ | http://java.apache.org/turbine/
http://www.working-dogs.com/ | http://jakarta.apache.org/velocity/
http://www.collab.net/ | http://www.sourcexchange.com/
Re: security-constraint
Posted by Jon Stevens <jo...@latchkey.com>.
on 9/2/2000 3:22 PM, "Hans Bergsten" <ha...@gefionsoftware.com> wrote:
> This is an example that works in TC 3.2 Beta 3:
Ok. that worked.
thanks,
-jon
Re: security-constraint
Posted by Hans Bergsten <ha...@gefionsoftware.com>.
Jon Stevens wrote:
>
> on 9/2/2000 2:31 PM, "Hans Bergsten" <ha...@gefionsoftware.com> wrote:
>
> > You don't specify who has access. Try adding an <auth-constraint>
> > element as well. Also, I'm not sure <transport-guarantee> is
> > implemented. What you specify here is that the resources must only
> > be made available if an HTTPS connection is used. Was that the
> > intention?
>
> Can I see a working example please? Reading and trying to figure out that
> DTD sucks. I can't tell what goes where or what does what and the
> documentation comments in it don't make much sense at all. :-(
This is an example that works in TC 3.2 Beta 3:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>search</web-resource-name>
    <url-pattern>/ch10/search/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>ORA Examples</realm-name>
</login-config>
<!-- each role is declared in a <role-name> child of <security-role> -->
<security-role>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <role-name>user</role-name>
</security-role>
It used to be possible to use an empty <auth-constraint> element in TC 3.1
to make it impossible for anyone to access a resource (e.g. for resources
that should only be accessed through a servlet using RD.forward()). In
TC 3.2, an empty element seems to make the resources accessible to anyone
without authentication. That looks like a bug to me ;-)
Hans
--
Hans Bergsten hans@gefionsoftware.com
Gefion Software http://www.gefionsoftware.com
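A small checker for the structural mistakes discussed in this thread, as an added example that is not part of any poster's message or of Tomcat itself. It assumes an un-namespaced descriptor like the ones quoted here; `lint_web_xml` and the `BROKEN` sample are names made up for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the descriptor from the first post, with the elided
# <servlet> block left out.
BROKEN = """<webapp>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>templates</web-resource-name>
      <url-pattern>/templates/*</url-pattern>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </web-resource-collection>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Don't go there</realm-name>
    </login-config>
  </security-constraint>
</webapp>"""

def lint_web_xml(text):
    """Return a list of findings about security-constraint structure."""
    root = ET.fromstring(text)
    findings = []
    if root.tag != "web-app":
        findings.append(f"root element is <{root.tag}>, expected <web-app>")
    for sc in root.iter("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name", "?")
        auth = sc.find("auth-constraint")
        if auth is None:
            findings.append(f"{name}: no <auth-constraint>, so no login is required")
        elif not auth.findall("role-name"):
            findings.append(f"{name}: empty <auth-constraint>; verify the container denies access")
        if sc.find("login-config") is not None:
            findings.append(f"{name}: <login-config> nested in <security-constraint>")
        if sc.find("web-resource-collection/user-data-constraint") is not None:
            findings.append(f"{name}: <user-data-constraint> nested in <web-resource-collection>")
    if root.find("login-config") is None:
        findings.append("no top-level <login-config>")
    return findings

if __name__ == "__main__":
    for finding in lint_web_xml(BROKEN):
        print(finding)
```

The empty `<auth-constraint>` finding is worded as a prompt to test rather than a verdict, since the behaviour reported above differs between TC 3.1 and TC 3.2.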
Re: security-constraint
Posted by Jon Stevens <jo...@latchkey.com>.
on 9/2/2000 2:31 PM, "Hans Bergsten" <ha...@gefionsoftware.com> wrote:
> You don't specify who has access. Try adding an <auth-constraint>
> element as well. Also, I'm not sure <transport-guarantee> is
> implemented. What you specify here is that the resources must only
> be made available if an HTTPS connection is used. Was that the
> intention?
Can I see a working example please? Reading and trying to figure out that
DTD sucks. I can't tell what goes where or what does what and the
documentation comments in it don't make much sense at all. :-(
-jon
Re: security-constraint
Posted by Hans Bergsten <ha...@gefionsoftware.com>.
Jon Stevens wrote:
>
> hey all,
>
> Using latest tomcat in CVS.
>
> I'm trying to set up BASIC auth security for a webapp context and it isn't
> working at all.
>
> I have a webapp/PROJECT/templates directory that I would like a BASIC auth
> popup to appear on. I don't even care if there is no username/password right
> now. I just want the popup to happen.
>
> Here is what I have in my webapp/PROJECT/WEB-INF/web.xml:
>
> <webapp>
>   <servlet>
>     ...
>   </servlet>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>templates</web-resource-name>
>       <url-pattern>/templates/*</url-pattern>
>       <user-data-constraint>
>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>       </user-data-constraint>
>     </web-resource-collection>
>     <login-config>
>       <auth-method>BASIC</auth-method>
>       <realm-name>Don't go there</realm-name>
>     </login-config>
>   </security-constraint>
> </webapp>
>
> The above doesn't work at all.
>
> Any suggestions?
You don't specify who has access. Try adding an <auth-constraint>
element as well. Also, I'm not sure <transport-guarantee> is
implemented. What you specify here is that the resources must only
be made available if an HTTPS connection is used. Was that the
intention?
Hans
--
Hans Bergsten hans@gefionsoftware.com
Gefion Software http://www.gefionsoftware.com