Posted to users@tomcat.apache.org by anil <an...@server.awcoldstream.on.ca> on 2001/07/01 00:19:20 UTC

Tomcat Security? How to get around this?

Hi All,

My web.xml looks like this.

    <servlet>
        <servlet-name>
            Client
        </servlet-name>
        <servlet-class>
            ca.ksb.client.Client
        </servlet-class>
    </servlet>
    ....
    <servlet-mapping>
        <servlet-name>Client</servlet-name>
        <url-pattern>/protected/Client</url-pattern>
    </servlet-mapping>

    <security-constraint>
        .......
        <url-pattern>/protected/*</url-pattern>
        .........
    </security-constraint>


If I use http://www.my.com/protected/Client, Tomcat prompts with a
login window, but if I access http://www.my.com/servlet/Client, Tomcat
does not prompt with a login window.

I do have some servlets that do not need any security, so I cannot
set /servlet/* as a protected area. One solution that I see is to move all
the protected servlets to a folder called /protected/ and set up web.xml
like below.

    <servlet>
        <servlet-name>
            Client
        </servlet-name>
        <servlet-class>
            /protected/ca.ksb.client.Client
        </servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>Client</servlet-name>
        <url-pattern>Client</url-pattern>
    </servlet-mapping>

    <security-constraint>
        .......
        <url-pattern>/protected/*</url-pattern>
        .........
    </security-constraint>

Is there any other way? What happens if I comment out this line in
server.xml?

    <RequestInterceptor
        className="org.apache.tomcat.request.InvokerInterceptor" debug="0"
        prefix="/servlet/" />

   Thanks

.anil
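
The gap described in the post can be checked mechanically. The following audit script is an added example, not part of the original message or of Tomcat: it lists invoker paths that reach a protected servlet without matching any security constraint. It assumes the invoker resolves both `/servlet/<servlet-name>` and `/servlet/<servlet-class>`; the `web-resource-name` and `role-name` values in the sample are hypothetical stand-ins for the parts elided in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample based on the post's web.xml; elided parts use hypothetical values.
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>Client</servlet-name>
    <servlet-class>ca.ksb.client.Client</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Client</servlet-name>
    <url-pattern>/protected/Client</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def matches(pattern, path):
    """Servlet-spec url-pattern match: exact, '/prefix/*' or '*.ext'."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def unprotected_paths(web_xml, invoker_prefix="/servlet/"):
    """Return (servlet-name, path) pairs that bypass every constraint."""
    root = ET.fromstring(web_xml)
    constrained = [p.text.strip() for p in root.findall(
        "security-constraint/web-resource-collection/url-pattern")]
    def covered(path):
        return any(matches(c, path) for c in constrained)
    mapped = [(m.findtext("servlet-name").strip(), m.findtext("url-pattern").strip())
              for m in root.findall("servlet-mapping")]
    findings = []
    for s in root.findall("servlet"):
        name = s.findtext("servlet-name").strip()
        if not any(covered(u) for n, u in mapped if n == name):
            continue  # no protected mapping: servlet is meant to be public
        cls = s.findtext("servlet-class").strip()
        findings += [(name, invoker_prefix + t) for t in (name, cls)
                     if not covered(invoker_prefix + t)]
    return findings

print(unprotected_paths(WEB_XML))
```

An empty result means every invoker path to a protected servlet is either covered by a constraint pattern or the invoker prefix itself is constrained.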