Posted to users@tomcat.apache.org by Mighty Tornado <mi...@gmail.com> on 2009/04/22 15:42:10 UTC
Tomcat Security and Struts
Tomcat 6, Struts 1.3
OS: MacOS X - Leopard
Hi,
I am trying to make sure my app requires a login. So I configured the
following in my deployment descriptor:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin</web-resource-name>
    <url-pattern>*.do</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/WEB-INF/JSP/login.jsp</form-login-page>
    <form-error-page>/WEB-INF/JSP/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>
However, when I follow the links in my app the login page doesn't come in.
Any ideas as to what I am doing wrong?
Thanks.
Re: Tomcat Security and Struts
Posted by Mighty Tornado <mi...@gmail.com>.
You are right:
I just fixed this mistake - added
<security-role>
  <role-name>member</role-name>
</security-role>
into my web.xml
However, when I try to access my URL the browser gives me the following
message:
Data Transfer Interrupted
On Wed, Apr 22, 2009 at 10:26 AM, Caldarale, Charles R <
Chuck.Caldarale@unisys.com> wrote:
> > From: Mighty Tornado [mailto:mighty.tornado@gmail.com]
> > Subject: Tomcat Security and Struts
> >
> > I am trying to make sure my app requires a login. So I configured the
> > following in my deployment descriptor:
> >
> > <security-constraint>
> > <web-resource-collection>
> > <web-resource-name>admin</web-resource-name>
> > <url-pattern>*.do</url-pattern>
> > <http-method>POST</http-method>
> > </web-resource-collection>
> > <auth-constraint>
> > <role-name>member</role-name>
> > </auth-constraint>
> > <user-data-constraint>
> > <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > </user-data-constraint>
> > </security-constraint>
> > <login-config>
> > <auth-method>FORM</auth-method>
> > <form-login-config>
> > <form-login-page>/WEB-INF/JSP/login.jsp</form-login-page>
> > <form-error-page>/WEB-INF/JSP/loginError.jsp</form-error-page>
> > </form-login-config>
> > </login-config>
>
> Where is your <security-role> section?
>
> - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you received
> this in error, please contact the sender and delete the e-mail and its
> attachments from all computers.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
RE: Tomcat Security and Struts
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Mighty Tornado [mailto:mighty.tornado@gmail.com]
> Subject: Tomcat Security and Struts
>
> I am trying to make sure my app requires a login. So I configured the
> following in my deployment descriptor:
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>admin</web-resource-name>
> <url-pattern>*.do</url-pattern>
> <http-method>POST</http-method>
> </web-resource-collection>
> <auth-constraint>
> <role-name>member</role-name>
> </auth-constraint>
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
> </security-constraint>
> <login-config>
> <auth-method>FORM</auth-method>
> <form-login-config>
> <form-login-page>/WEB-INF/JSP/login.jsp</form-login-page>
> <form-error-page>/WEB-INF/JSP/loginError.jsp</form-error-page>
> </form-login-config>
> </login-config>
Where is your <security-role> section?
- Chuck
RE: Tomcat Security and Struts
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Mighty Tornado [mailto:mighty.tornado@gmail.com]
> Subject: Re: Tomcat Security and Struts
>
> Firefox can't establish a connection to the
> server at localhost:8443
You need to define a secure <Connector> for port 8443.
> But Tomcat is supposed to listen on port 8080
You can't run both HTTP and HTTPS on the same port. Since you specified a <transport-guarantee> of CONFIDENTIAL, you're requiring use of HTTPS. Your HTTP <Connector> is likely configured to forward secure requests to 8443.
- Chuck
Re: Tomcat Security and Struts
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Hassan,
On 4/22/2009 2:45 PM, Hassan Schroeder wrote:
> On Wed, Apr 22, 2009 at 11:43 AM, Mighty Tornado
> <mi...@gmail.com> wrote:
>> How can I make the request to port 8443 actually succeed?
>
> Configure an https Connector.
And correctly set your "redirectPort" in the non-secure Connector.
-chris
Re: Tomcat Security and Struts
Posted by Hassan Schroeder <ha...@gmail.com>.
On Wed, Apr 22, 2009 at 11:43 AM, Mighty Tornado
<mi...@gmail.com> wrote:
> How can I make the request to port 8443 actually succeed?
Configure an https Connector.
--
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
Re: Tomcat Security and Struts
Posted by Mighty Tornado <mi...@gmail.com>.
How can I make the request to port 8443 actually succeed?
On Wed, Apr 22, 2009 at 2:40 PM, Hassan Schroeder <
hassan.schroeder@gmail.com> wrote:
> On Wed, Apr 22, 2009 at 11:16 AM, Mighty Tornado
> <mi...@gmail.com> wrote:
> > I think the following might be a problem. When I access the application I
> > get this error in the browser: Firefox can't establish a connection to the
> > server at localhost:8443
> >
> > But Tomcat is supposed to listen on port 8080 - and it has been for my
> app,
> > until I put in the security feature.
> >
> > any way around this?
>
> Er, "way around"? You're *telling* it to use an SSL connection:
>
> <user-data-constraint>
> <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> </user-data-constraint>
>
> If you don't want it to, don't do that. Pretty simple, really. :-)
>
> --
> Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
Re: Tomcat Security and Struts
Posted by Hassan Schroeder <ha...@gmail.com>.
On Wed, Apr 22, 2009 at 11:16 AM, Mighty Tornado
<mi...@gmail.com> wrote:
> I think the following might be a problem. When I access the application I
> get this error in the browser: Firefox can't establish a connection to the
> server at localhost:8443
>
> But Tomcat is supposed to listen on port 8080 - and it has been for my app,
> until I put in the security feature.
>
> any way around this?
Er, "way around"? You're *telling* it to use an SSL connection:
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
If you don't want it to, don't do that. Pretty simple, really. :-)
--
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
Re: Tomcat Security and Struts
Posted by André Warnier <aw...@ice-sa.com>.
Mighty Tornado wrote:
> I think the following might be a problem. When I access the application I
> get this error in the browser: Firefox can't establish a connection to the
> server at localhost:8443
>
But did you not ask for this?
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
Re: Tomcat Security and Struts
Posted by Mighty Tornado <mi...@gmail.com>.
I think the following might be a problem. When I access the application I
get this error in the browser: Firefox can't establish a connection to the
server at localhost:8443
But Tomcat is supposed to listen on port 8080 - and it has been for my app,
until I put in the security feature.
any way around this?
On Wed, Apr 22, 2009 at 1:05 PM, Caldarale, Charles R <
Chuck.Caldarale@unisys.com> wrote:
> > From: André Warnier [mailto:aw@ice-sa.com]
> > Subject: Re: Tomcat Security and Struts
> >
> > Maybe this: if the login page itself contains a link to a gif located
> > in the same area, trying to load that gif will also hit the
> > authentication bit, and trigger another login page, before the first
> > even finishes displaying?
>
> Of course; I was thinking basic authentication, not form.
>
> - Chuck
RE: Tomcat Security and Struts
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com]
> Subject: Re: Tomcat Security and Struts
>
> Maybe this: if the login page itself contains a link to a gif located
> in the same area, trying to load that gif will also hit the
> authentication bit, and trigger another login page, before the first
> even finishes displaying?
Of course; I was thinking basic authentication, not form.
- Chuck
Re: Tomcat Security and Struts
Posted by Christopher Schultz <ch...@christopherschultz.net>.
André,
On 4/22/2009 12:37 PM, André Warnier wrote:
> Caldarale, Charles R wrote:
>>> From: Mikolaj Rydzewski [mailto:miki@ceti.pl]
>>> Subject: Re: Tomcat Security and Struts
>>>
>>> Mark Thomas wrote:
>>>> <url-pattern>/*</url-pattern> will protect everything.
>>>>
>>> If your login page uses any external assets (images, stylesheets,
>>> etc), it will become corrupted (assets won't load).
>>
>> Care to explain that? The above construct seems to work fine for our
>> static resources.
>>
> Maybe this: if the login page itself contains a link to a gif located
> in the same area, trying to load that gif will also hit the
> authentication bit, and trigger another login page, before the first
> even finishes displaying?
Precisely. Unfortunately, this actually makes things worse than you
might think, since (some versions of) Tomcat stores the most recent
request as the one to re-play after successful authentication.
I have seen Tomcat respond post-authentication by serving a CSS file or
graphic rather than the "expected" original request (usually an HTML
page). The solution, of course, is to leave your (appropriate) static
content unprotected.
-chris
Re: Tomcat Security and Struts
Posted by André Warnier <aw...@ice-sa.com>.
Caldarale, Charles R wrote:
>> From: Mikolaj Rydzewski [mailto:miki@ceti.pl]
>> Subject: Re: Tomcat Security and Struts
>>
>> Mark Thomas wrote:
>>> <url-pattern>/*</url-pattern> will protect everything.
>>>
>> If your login page uses any external assets (images, stylesheets,
>> etc), it will become corrupted (assets won't load).
>
> Care to explain that? The above construct seems to work fine for our static resources.
>
Maybe this: if the login page itself contains a link to a gif located
in the same area, trying to load that gif will also hit the
authentication bit, and trigger another login page, before the first
even finishes displaying?
RE: Tomcat Security and Struts
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Mikolaj Rydzewski [mailto:miki@ceti.pl]
> Subject: Re: Tomcat Security and Struts
>
> Mark Thomas wrote:
> > <url-pattern>/*</url-pattern> will protect everything.
> >
> If your login page uses any external assets (images, stylesheets,
> etc), it will become corrupted (assets won't load).
Care to explain that? The above construct seems to work fine for our static resources.
- Chuck
Re: Tomcat Security and Struts
Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
Mark Thomas wrote:
> <url-pattern>/*</url-pattern> will protect everything.
>
If your login page uses any external assets (images, stylesheets, etc),
it will become corrupted (assets won't load).
--
Mikolaj Rydzewski <mi...@ceti.pl>
Re: Tomcat Security and Struts
Posted by Mark Thomas <ma...@apache.org>.
Mighty Tornado wrote:
> Tomcat 6, Struts 1.3
> OS: MacOS X - Leopard
>
> Hi,
>
> I am trying to make sure my app requires a login. So I configured the
> <url-pattern>*.do</url-pattern>
<url-pattern>/*</url-pattern> will protect everything.
> <http-method>POST</http-method>
This only protects the POST method. GETs will not be restricted. I'd
remove this line.
Mark
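As an added example (not code from this thread or from Tomcat), the following Python script reads a web.xml together with its server.xml and flags the three problems raised in this thread: an <http-method> that leaves the other verbs unprotected, a role used in <auth-constraint> with no <security-role>, and a CONFIDENTIAL guarantee with no SSLEnabled <Connector> listening on the plain connector's redirectPort. The descriptors, the /images/* exemption for the login page's static assets and the connector attributes are constructed samples modelled on the poster's configuration.

```python
# Added audit script, not code from this thread: parse a web.xml and its
# server.xml and flag the mistakes discussed above. Samples are constructed.
import xml.etree.ElementTree as ET

# The poster's constraint: POST-only, role never declared, CONFIDENTIAL.
ORIGINAL = """<web-app><security-constraint><web-resource-collection>
<web-resource-name>admin</web-resource-name><url-pattern>*.do</url-pattern>
<http-method>POST</http-method></web-resource-collection>
<auth-constraint><role-name>member</role-name></auth-constraint>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint></security-constraint></web-app>"""
# Corrected: /* with no <http-method>, role declared, and the login page's
# static assets exempted by a more specific pattern with no auth-constraint.
FIXED = """<web-app><security-constraint><web-resource-collection>
<web-resource-name>admin</web-resource-name><url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint><role-name>member</role-name></auth-constraint>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint></security-constraint>
<security-constraint><web-resource-collection>
<web-resource-name>static</web-resource-name><url-pattern>/images/*</url-pattern>
</web-resource-collection></security-constraint>
<security-role><role-name>member</role-name></security-role></web-app>"""

# server.xml as the poster had it (HTTP only) and with an HTTPS connector.
HTTP_ONLY = """<Server><Service><Connector port="8080" protocol="HTTP/1.1"
 redirectPort="8443"/></Service></Server>"""
WITH_TLS = """<Server><Service><Connector port="8080" protocol="HTTP/1.1"
 redirectPort="8443"/><Connector port="8443" protocol="HTTP/1.1"
 SSLEnabled="true" scheme="https" secure="true"/></Service></Server>"""

def audit(web_xml, server_xml):
    """Return a list of findings; an empty list means nothing was flagged."""
    app, srv = ET.fromstring(web_xml), ET.fromstring(server_xml)
    declared = {r.text.strip() for r in app.findall("security-role/role-name")}
    tls_ports = {c.get("port") for c in srv.iter("Connector")
                 if c.get("SSLEnabled", "false").lower() == "true"}
    # Where the plain connectors send CONFIDENTIAL requests (default 443).
    redirects = {c.get("redirectPort", "443") for c in srv.iter("Connector")
                 if c.get("port") not in tls_ports}
    out = []
    for sc in app.findall("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name", "?")
        methods = sorted(m.text.strip() for m in sc.iter("http-method"))
        if methods:  # Servlet 2.5: only the listed verbs are constrained
            out.append(f"{name}: only {methods} protected; other methods are open")
        for role in (r.text.strip() for r in sc.findall("auth-constraint/role-name")):
            if role != "*" and role not in declared:
                out.append(f"{name}: role {role!r} has no <security-role>")
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE")
        if guarantee.strip() == "CONFIDENTIAL" and not redirects <= tls_ports:
            out.append(f"{name}: CONFIDENTIAL redirects to {sorted(redirects - tls_ports)}"
                       " but no SSLEnabled <Connector> listens there")
    return out
```

Running audit(ORIGINAL, HTTP_ONLY) reports all three problems, audit(FIXED, HTTP_ONLY) only the missing HTTPS connector, and audit(FIXED, WITH_TLS) nothing.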
Re: Tomcat Security and Struts
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mikolaj,
On 4/22/2009 9:58 AM, Mikolaj Rydzewski wrote:
> Mighty Tornado wrote:
> I'm not sure if the login page will work if it is located under the WEB-INF
> directory.
Of course it will. There's nothing special about the WEB-INF directory
that would prevent it from working.
-chris
Re: Tomcat Security and Struts
Posted by Mikolaj Rydzewski <mi...@ceti.pl>.
Mighty Tornado wrote:
> <http-method>POST</http-method>
>
Why do you want to restrict access only to requests with the POST method? I
usually do not use the http-method element.
> <form-login-page>/WEB-INF/JSP/login.jsp</form-login-page>
>
I'm not sure if the login page will work if it is located under the WEB-INF
directory.
--
Mikolaj Rydzewski <mi...@ceti.pl>