Posted to users@tomcat.apache.org by Dennis Gormley <go...@hslc.org> on 2013/02/14 21:22:45 UTC

Password protecting directories in virtual hosts

Hello;

I've been struggling with this for a couple of weeks now.  I've searched 
web sites, forums and lists, but I can't seem to find the information I 
want.

We have two web sites on a Tomcat 5.5 server (virtual hosts?). I didn't 
set up the server, but I've been tasked to password protect a directory 
on one of the sites.  I've already successfully password protected a 
directory on one site (site1) using a MemoryRealm, but would like to 
protect another site (site2).

Here are the working <security-constraint>, <login-config>, and 
<security-role> sections that challenge for UN/PW when a user tries to 
access the directory on site1.  They're located in
D:\Program Files\Apache Software Foundation\Tomcat 5.5\conf\web.xml

<!-- Begin code modified 20090320 by DJG to password protect Millennium 
     user directory -->

        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Test Application</web-resource-name>
                        <url-pattern>/site1_staff/*</url-pattern>
                </web-resource-collection>
                <auth-constraint>
                        <role-name>site1staff</role-name>
                </auth-constraint>
        </security-constraint>

        <login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>Site1 Users</realm-name>
        </login-config>

        <security-role>
                <description>The role that is required to log in to
                    the Manager Application</description>
                <role-name>site1staff</role-name>
        </security-role>

<!-- End code modified 20090320 by DJG to password protect Millennium 
     user directory -->

I tried to just change the relevant arguments of D:\Program 
Files\Apache Software Foundation\Tomcat 5.5\conf\web.xml so that a 
directory on site2 was password protected, but changing it (and 
restarting the Tomcat server) did not produce a challenge when going to 
this directory.

<!-- Begin code modified 20120214 by DJG to password protect AskherePA 
     staff directory -->

        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Test Application</web-resource-name>
                        <url-pattern>/site2/site2staff/*</url-pattern>
                </web-resource-collection>
                <auth-constraint>
                        <role-name>site2staff</role-name>
                </auth-constraint>
        </security-constraint>

        <login-config>
                <auth-method>BASIC</auth-method>
                <realm-name>Site2 Staff</realm-name>
        </login-config>

        <security-role>
                <description>The role that is required to log in to
                    the Manager Application</description>
                <role-name>site2staff</role-name>
        </security-role>

<!-- End code modified 20120214 by DJG to password protect AskherePA 
     staff directory -->

Here's the D:\Program Files\Apache Software Foundation\Tomcat 
5.5\conf\tomcat-users.xml file

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
   <role rolename="site1staff"/>
   <role rolename="site2staff"/>
   <role rolename="tomcat"/>

   <user username="tomcat" password="tomcat" roles="tomcat"/>
   <user username="site1UN" password="site1PW" roles="site1staff"/>
   <user username="site2UN" password="site2PW" roles="site2staff"/>
</tomcat-users>

The two directories appear in D:\Program Files\Apache Software 
Foundation\Tomcat 5.5\webapps\cfusion\site1_staff and D:\Program 
Files\Apache Software Foundation\Tomcat 5.5\webapps\cfusion\site2\site2staff


Of course, I would ideally like to password protect both directories on 
both sites (and other directories on other sites as well), but if I can 
get this working for now, my boss'll be happy!

Thanks!

Dennis Gormley

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Password protecting directories in virtual hosts

Posted by André Warnier <aw...@ice-sa.com>.

Hi.
You probably should not be touching (have been touching) the file D:\Program Files\Apache 
Software Foundation\Tomcat 5.5\conf\web.xml . Hopefully you kept a backup of the original.
Can you paste here the file D:\Program Files\Apache Software Foundation\Tomcat 
5.5\conf\server.xml ? (remove or obscure any confidential information).
Someone may be able to give you a better way than fiddling with the default web.xml.

This being said, Tomcat 5.5 is very old and either not supported anymore, or about to 
become unsupported. The current version is Tomcat 7.0.35.
See here: http://tomcat.apache.org/whichversion.html



Re: Password protecting directories in virtual hosts

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Dennis,

On 2/14/13 3:22 PM, Dennis Gormley wrote:
> We have two web sites on a Tomcat 5.5 server (virtual hosts?).

You should upgrade as soon as possible: Tomcat 5.5 is no longer
supported. You should move to Tomcat 7.0 at your earliest convenience.

It might not be important, but you should find out if you are using
virtual hosting or not. A typical Tomcat configuration does not use
virtual hosting, as the server will respond to any request and route
it to the "default" host.

> I didn't set up the server, but I've been tasked to password
> protect a directory on one of the sites. I've already successfully
> password protected a directory one site (site1) using a
> MemoryRealm, , but would like to protect another site (site2).

Note that MemoryRealm is not very good, unless you just want to use
something like a few global "admin" passwords. You're better off using
something backed by a database or LDAP, so you can actually change
things without having to restart Tomcat.

> Here are the working <security-constraint> , <login-config>, and 
> <security-role> sections challange for UN/PW when a user tries to
> access the directory on site1.  It's located in D:\Program
> Files\Apache Software Foundation\Tomcat 5.5\conf\web.xml

That is the site-wide web.xml file, and you shouldn't be modifying it.
This is likely the problem.

Instead, you want to find the web.xml file that is specific for each
individual webapp. Those files can be in a number of places, so I'll
start with the easiest to find and go toward the trickiest.

1. In ....\Tomcat 5.5\webapps\[webappname]\WEB-INF\web.xml

2. In ....\Tomcat 5.5\webapps\[webappname].war (in WEB-INF/web.xml)

3. Look in ...\Tomcat 5.5\conf\[engine]\[host]\[webappname].xml
   There may be a "docBase" attribute in the <Context> element. That
   will tell you where the webapp is located on the disk. Look under
   there in WEB-INF/web.xml or, if it's a WAR file, you may have to
   extract it from the WAR before looking at it.

> <security-constraint> <web-resource-collection> 
> <web-resource-name>Test Application</web-resource-name> 
> <url-pattern>/site1_staff/*</url-pattern>
> 
> </web-resource-collection> <auth-constraint> 
> <role-name>site1staff</role-name> </auth-constraint>
> 
> </security-constraint>
> 
> <login-config> <auth-method>BASIC</auth-method> <realm-name>Site1
> Users</realm-name> </login-config>

That looks like the kind of thing you'd have to do in order to secure
a directory. Note that you aren't securing a directory: you are
securing a URL pattern. The fact that URL patterns are mapped to a
physical place on the disk is a (very convenient) coincidence. I just
mention that because there are ways to alias URLs and disk-paths to
get around these restrictions. Apache httpd (the web server) can
protect physical directories and URL "locations" separately (where the
dir-based protection is slightly more secure for on-disk resources)
but Tomcat can only protect URLs.

Editing the site-wide configuration is likely to be a problem, because
each <security-constraint> is context-scoped (that is, scoped to the
webapp) and so you don't need the leading "/webappname". Let's find
your individual web.xml files and start there.

-chris
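Chris's point above is that each <security-constraint> is matched against the context-relative request path, so a url-pattern that carries a leading /webappname can silently never match and no challenge is ever sent. The checker below is an added example (not code from this thread or from Tomcat): it parses a constructed web.xml built from the two url-patterns posted in the question and reports which roles, if any, a given context-relative path requires, applying the servlet-spec precedence Tomcat uses (exact match, then longest path prefix, then extension, then the default pattern).

```python
"""Which <security-constraint> url-patterns apply to a request path?
Added example, not from the thread or from Tomcat; WEB_XML below is
constructed from the two url-patterns posted in the question."""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/site1_staff/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>site1staff</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/site2/site2staff/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>site2staff</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return [(url_pattern, [role_name, ...]), ...] from web.xml text."""
    root = ET.fromstring(xml_text)
    out = []
    for sc in root.findall("security-constraint"):
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        for pat in sc.findall("web-resource-collection/url-pattern"):
            out.append((pat.text.strip(), roles))
    return out

def match_kind(pattern, path):
    """Servlet-spec url-pattern match: (kind, prefix length) or None.
    `path` is context-relative, i.e. without the webapp's own /context."""
    if pattern == path:
        return ("exact", len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return ("prefix", len(prefix))
    elif pattern.startswith("*.") and path.endswith(pattern[1:]):
        return ("ext", 0)
    elif pattern == "/":
        return ("default", 0)
    return None

def required_roles(constraints, path):
    """Roles needed for `path`, or None when nothing matches (the request
    is served with no challenge). Precedence as Tomcat applies it: exact,
    then longest prefix, then extension, then the default pattern."""
    for kind in ("exact", "prefix", "ext", "default"):
        hits = [(m[1], roles) for pat, roles in constraints
                for m in [match_kind(pat, path)] if m and m[0] == kind]
        if hits:
            best = max(n for n, _ in hits)
            return sorted({r for n, roles in hits if n == best for r in roles})
    return None
```

Calling required_roles(load_constraints(WEB_XML), "/site2staff/index.cfm") returns None: inside a context whose own path is /site2, the path Tomcat matches never begins with /site2, so the pattern /site2/site2staff/* protects nothing there, whereas /site2staff/* would.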



Re: Password protecting directories in virtual hosts

Posted by Luciano Andress Martini <77...@gmail.com>.
The easy way is to use a reverse proxy such as apache2 on the front side; in other
words, use the traditional apache2 with mod_proxy to serve the tomcat6
pages. It's very easy to do!
