Posted to users@tomcat.apache.org by "Ikonne, Ike" <Ik...@stercomm.com> on 2005/04/13 17:11:50 UTC
How do I restrict access to webapps applications from browser users?
Hi all,
I am trying to restrict access to directories under webapps/myapp and I have the following in my
WEB-INF/web.xml, but users can still browse through all the directories under webapps/myapp.
What am I doing wrong? I have the same thing for the Jetty webserver and it works. I am running
Tomcat 4.1.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>general</web-resource-name>
    <url-pattern>/html/*</url-pattern>
    <url-pattern>/jsp/*</url-pattern>
    <url-pattern>/help/*</url-pattern>
    <url-pattern>/images/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>specific</web-resource-name>
    <url-pattern>/AdminMain/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
</security-constraint>
Thanks,
Ike
RE: How do I restrict access to webapps applications from browser users?
Posted by Fritz Schneider <Fr...@Peacham.HomeIP.net>.
Ike.
You need to complete your <security-constraint> with authorization, login,
and role information. Here is what works for me:
<!-- Define a Security Constraint on this Application -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted Files</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- NOTE: This role is not present in the default users file -->
    <role-name>app1</role-name>
  </auth-constraint>
</security-constraint>

<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>My Application</realm-name>
</login-config>

<!-- Security roles referenced by this web application -->
<security-role>
  <description>
    The role that is required to log in to the application
  </description>
  <role-name>app1</role-name>
</security-role>
You might also want to check out the single login valve.
Fritz
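Added example, not part of either post above and not Tomcat code: a small Python check that reads a web.xml and reports each <security-constraint> that has neither an <auth-constraint> nor a <user-data-constraint> (so it requires no role), each collection that lists <http-method> elements (only those methods are covered), and a missing <login-config>. The function name, finding codes and the two trimmed sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip an XML namespace so DTD-era and namespaced web.xml both work."""
    return tag.rsplit("}", 1)[-1]

def kids(el, name):
    return [c for c in el if local(c.tag) == name]

def audit_web_xml(xml_text):
    """Return (constraint_number, code, detail) findings for a web.xml string."""
    root = ET.fromstring(xml_text)
    findings = []
    constraints = [e for e in root.iter() if local(e.tag) == "security-constraint"]
    needs_login = False
    for n, sc in enumerate(constraints, 1):
        collections = kids(sc, "web-resource-collection")
        patterns = [(p.text or "").strip() for c in collections for p in kids(c, "url-pattern")]
        if kids(sc, "auth-constraint"):
            needs_login = True
        elif not kids(sc, "user-data-constraint"):
            # Nothing to enforce: no role requirement and no transport requirement.
            findings.append((n, "no-auth-constraint", patterns))
        for c in collections:
            methods = [(m.text or "").strip() for m in kids(c, "http-method")]
            if methods:
                # Only the listed methods are covered by this collection.
                findings.append((n, "methods-limited", methods))
    if needs_login and not any(local(e.tag) == "login-config" for e in root.iter()):
        findings.append((0, "no-login-config", []))
    return findings

# Constructed samples: trimmed versions of the two configurations in this thread.
QUESTION_XML = """<web-app><security-constraint>
  <web-resource-collection><web-resource-name>general</web-resource-name>
    <url-pattern>/html/*</url-pattern><url-pattern>/jsp/*</url-pattern>
    <http-method>GET</http-method><http-method>HEAD</http-method>
  </web-resource-collection></security-constraint></web-app>"""
ANSWER_XML = """<web-app><security-constraint>
  <web-resource-collection><web-resource-name>Restricted Files</web-resource-name>
    <url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>app1</role-name></auth-constraint></security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>My Application</realm-name></login-config>
  <security-role><role-name>app1</role-name></security-role></web-app>"""

if __name__ == "__main__":
    for name, text in (("question", QUESTION_XML), ("answer", ANSWER_XML)):
        print(name, audit_web_xml(text))
```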