You are viewing a plain text version of this content. The canonical link for it is here.
Posted to general@jakarta.apache.org by "Bail . Jeff" <JB...@drc.com> on 2000/02/08 22:53:29 UTC
Apache+Tomcat Security
I have a JSP application which I'd like to password protect with Apache.
Once I setup my application using "method 2" from the Apache Tomcat HOWTO, I
was able to use Apache's security to protect my pages. The only problem is
that Tomcat will still serve up the pages without any security on port 8080.
The simplest solution would be to block external access to that port, but I
was wondering if there was a better way. I realize it probably wouldn't be
that hard to build the login into my JSP page, but I need reliable, tested &
true security right away. Thanks for any ideas.
Jeff Bail...
Re: Apache+Tomcat Security
Posted by Lim Swee Tat <li...@ncs.com.sg>.
Oooppps... Dismiss my previous message... It still does not do the required
authentication... HTTP/1.1
--
Lim Swee Tat
Software Engineer
NCS Corporate IS Dept
DID: (65) 774 9177
Re: Apache+Tomcat Security
Posted by Lim Swee Tat <li...@ncs.com.sg>.
Basically the problem is solved now, I'll share the solution with
everyone...
The thing is that you need to get ApJServMount to do:
ApJServMount default /root
The following is wrong:
ApJServMount /servlet /root
Then you do:
><Location /WEB-INF >
> AllowOverride None
> order deny,allow
> deny from all
>> AuthType Basic
>> <...AuthInfo...>
>> require valid-user
></Location>
The "/" _is_ significant.
>> My server.xml has the lines:
>> <Context path="/examples" docBase="/opt/<somedirectory>"
>> ...>
Hope this helps...
Ciao
ST Lim
--
Lim Swee Tat
Software Engineer
NCS Corporate IS Dept
DID: (65) 774 9177
Re: Apache+Tomcat Security
Posted by pauly <pa...@x-radio.com>.
I had this problem too. This is what mine looks like now and it works. I'm
protecting the root path:
<Location /WEB-INF >
AllowOverride None
order deny,allow
deny from all
</Location>
i think the trailing "/" might be significant
Lim Swee Tat wrote:
> Hi,
> I'll like to know how you did that... I have a Solaris running Apache and
> tomcat, but the config file just do not seem to work at all.
>
> Anyway, my tomcat.conf has the statements:
>
> ApJservMount /examples/servlet /root
> <Location /examples/WEB-INF/ >
> AuthType Basic
> <...AuthInfo...>
> require valid-user
> </Location>
>
> My server.xml has the lines:
> <Context path="/examples" docBase="/opt/<somedirectory>"
> ...>
>
> So by putting the AuthType there, it should be authenticating rite?? But I
> dun get any authentication done...
>
> Ciao
> ST Lim
>
> >On Tue, 8 Feb 2000, Bail . Jeff wrote:
> >
> >> I have a JSP application which I'd like to password protect with Apache.
> >> Once I setup my application using "method 2" from the Apache Tomcat HOWTO, I
> >> was able to use Apache's security to protect my pages. The only problem is
> >> that Tomcat will still serve up the pages without any security on port 8080.
> >> The simplest solution would be to block external access to that port, but I
> >> was wondering if there was a better way. I realize it probably wouldn't be
> >> that hard to build the login into my JSP page, but I need reliable, tested &
> >> true security right away. Thanks for any ideas.
> >>
> >> Jeff Bail...
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
> >> For additional commands, e-mail: general-help@jakarta.apache.org
> >>
> >>
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
> >For additional commands, e-mail: general-help@jakarta.apache.org
> >
> >
> >
>
> --
> Lim Swee Tat
> Software Engineer
> NCS Corporate IS Dept
> DID: (65) 774 9177
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: general-help@jakarta.apache.org
--
______________________________________________________
Paul Risenhoover
www.X-Radio.com www.Riddim.com
AIM: badpauly ICQ: 53504928
Re: Apache+Tomcat Security
Posted by Lim Swee Tat <li...@ncs.com.sg>.
Hi,
I'll like to know how you did that... I have a Solaris running Apache and
tomcat, but the config file just do not seem to work at all.
Anyway, my tomcat.conf has the statements:
ApJservMount /examples/servlet /root
<Location /examples/WEB-INF/ >
AuthType Basic
<...AuthInfo...>
require valid-user
</Location>
My server.xml has the lines:
<Context path="/examples" docBase="/opt/<somedirectory>"
...>
So by putting the AuthType there, it should be authenticating rite?? But I
dun get any authentication done...
Ciao
ST Lim
>On Tue, 8 Feb 2000, Bail . Jeff wrote:
>
>> I have a JSP application which I'd like to password protect with Apache.
>> Once I setup my application using "method 2" from the Apache Tomcat HOWTO, I
>> was able to use Apache's security to protect my pages. The only problem is
>> that Tomcat will still serve up the pages without any security on port 8080.
>> The simplest solution would be to block external access to that port, but I
>> was wondering if there was a better way. I realize it probably wouldn't be
>> that hard to build the login into my JSP page, but I need reliable, tested &
>> true security right away. Thanks for any ideas.
>>
>> Jeff Bail...
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
>> For additional commands, e-mail: general-help@jakarta.apache.org
>>
>>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
>For additional commands, e-mail: general-help@jakarta.apache.org
>
>
>
--
Lim Swee Tat
Software Engineer
NCS Corporate IS Dept
DID: (65) 774 9177
Re: Apache+Tomcat Security
Posted by David Gauthier <dg...@clti.com>.
You should be able to edit the server.xml file and remove the lines that
set up the Connector with classname "HttpAdapter".
In the default file they look like this:
<Connector className="org.apache.tomcat.service.http.HttpAdapter">
</Connector>
Tomcat won't start up the Http listener, but will still have the AJP port
open for apache to talk to.
-dave
On Tue, 8 Feb 2000, Bail . Jeff wrote:
> I have a JSP application which I'd like to password protect with Apache.
> Once I setup my application using "method 2" from the Apache Tomcat HOWTO, I
> was able to use Apache's security to protect my pages. The only problem is
> that Tomcat will still serve up the pages without any security on port 8080.
> The simplest solution would be to block external access to that port, but I
> was wondering if there was a better way. I realize it probably wouldn't be
> that hard to build the login into my JSP page, but I need reliable, tested &
> true security right away. Thanks for any ideas.
>
> Jeff Bail...
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: general-help@jakarta.apache.org
>
>
Re: Pre-compiled JSP files using Tomcat?
Posted by Danno Ferrin <sh...@earthlink.net>.
note to self: drinking and typing is a no-no
Danno Ferrin wrote:
>
> try using the jspc stuff I just checked in. It will show up in the M@
> releases next week or in the current lightly build. In theory you use
> jspc and then javac to compile the jsp pages to servlets and map the
> servlets into whatever servlet engine you want. however I have not done
> much work on that deployment scenario yet. to be sure it works.
>
> --Danno
>
> Dave Meagher wrote:
> >
> > Hello all,
> >
> > Is it possible to configure tomcat
> > to run using a JRE and pre-compiled JSP files
> > without the existence of javac? Since most
> > JDKs are not re-distributable, before shipping
> > our JSP application we want to compile each
> > of the JSP files and then ship the generated
> > classes along with a JRE. This also improves
> > "first experience" performance since JSP files
> > are not generated into Java files and then compiled.
> >
> > Currently we're shipping our product
> > with ServletExec from NewAtlanta which allows
> > us to do exactly this.
> >
> > Thanks in advance!
> >
> > Dave Meagher
> > Inovie Software
> > http://www.inovie.com
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: general-help@jakarta.apache.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: general-help@jakarta.apache.org
Re: jspc?
Posted by Danno Ferrin <sh...@earthlink.net>.
It's not in the M1 release, that's why. Use the M2 or beta release. @
is shift 2 and was a typing boo-boo.
--Danno
Dave Meagher wrote:
>
> > try using the jspc stuff I just checked in. It will show up in the M@
> > releases next week or in the current lightly build.
>
> I can't seem to find the jspc in the M1 release.
> Can you point me in the right direction?
>
> Dave
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: general-help@jakarta.apache.org
jspc?
Posted by Dave Meagher <da...@inovie.com>.
> try using the jspc stuff I just checked in. It will show up in the M@
> releases next week or in the current lightly build.
I can't seem to find the jspc in the M1 release.
Can you point me in the right direction?
Dave
Re: Pre-compiled JSP files using Tomcat?
Posted by Danno Ferrin <sh...@earthlink.net>.
try using the jspc stuff I just checked in. It will show up in the M@
releases next week or in the current lightly build. In theory you use
jspc and then javac to compile the jsp pages to servlets and map the
servlets into whatever servlet engine you want. however I have not done
much work on that deployment scenario yet. to be sure it works.
--Danno
Dave Meagher wrote:
>
> Hello all,
>
> Is it possible to configure tomcat
> to run using a JRE and pre-compiled JSP files
> without the existence of javac? Since most
> JDKs are not re-distributable, before shipping
> our JSP application we want to compile each
> of the JSP files and then ship the generated
> classes along with a JRE. This also improves
> "first experience" performance since JSP files
> are not generated into Java files and then compiled.
>
> Currently we're shipping our product
> with ServletExec from NewAtlanta which allows
> us to do exactly this.
>
> Thanks in advance!
>
> Dave Meagher
> Inovie Software
> http://www.inovie.com
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: general-help@jakarta.apache.org
Pre-compiled JSP files using Tomcat?
Posted by Dave Meagher <da...@inovie.com>.
Hello all,
Is it possible to configure tomcat
to run using a JRE and pre-compiled JSP files
without the existence of javac? Since most
JDKs are not re-distributable, before shipping
our JSP application we want to compile each
of the JSP files and then ship the generated
classes along with a JRE. This also improves
"first experience" performance since JSP files
are not generated into Java files and then compiled.
Currently we're shipping our product
with ServletExec from NewAtlanta which allows
us to do exactly this.
Thanks in advance!
Dave Meagher
Inovie Software
http://www.inovie.com