Posted to slide-user@jakarta.apache.org by Kevin Moran <gr...@yahoo.com> on 2003/05/24 17:49:56 UTC

Securing Web Content

Hi,
    I have basic authentication working in Slide.  Now
I'd like to loosen access control on the Slide servlet
so that

1) anyone with a web browser can browse Slide without
being prompted for username/password

2) anyone who wants to modify Slide (for example, via
the WebDAV command-line utility) will be prompted for
username/password

I have roles set up in Slide and I understand how they
work.  My sense is web.xml is more at issue here.  If
anyone can offer any advice (even if it's just RTFM),
that would be appreciated.

Thanks,
-kevin


---------------------------------------------------------------------
To unsubscribe, e-mail: slide-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: slide-user-help@jakarta.apache.org


Re: AW: Securing Web Content

Posted by Kevin Moran <gr...@yahoo.com>.
Hi Andreas and Michael,
    Thank you for your helpful suggestions.  I think
both answers figure into the solution.  Michael, your
solution is cleaner than the clumsy approach I took,
which was to add a servlet mapping to web.xml for
secure content (i.e., URIs like /slide/files wouldn't
prompt the user; URIs like /slide/secure/files would).
 So I'll go with your approach.  It works well.

Thanks again!
-kevin



AW: Securing Web Content

Posted by Michael Plomer <m_...@gmx.net>.
Hi Kevin,

I had the same problem. Simply giving read access to guest doesn't
get the job done, since Catalina still requires everyone accessing
the context to authenticate themselves.
I solved the problem by modifying the security-constraints section
in the web.xml (in slide/slide-webdav.war) like this:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>DAV resource</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>COPY</http-method>
      <http-method>DELETE</http-method>
      <!-- this is key: comment out the GET method -->
      <!-- <http-method>GET</http-method> -->
      <http-method>HEAD</http-method>
      <http-method>LOCK</http-method>
      <http-method>MKCOL</http-method>
      <http-method>MOVE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>POST</http-method>
      <http-method>PROPFIND</http-method>
      <http-method>PROPPATCH</http-method>
      <http-method>PUT</http-method>
      <http-method>UNLOCK</http-method>
    </web-resource-collection>
    ....
  </security-constraint>

Depending on your actual content you might want to comment out
the POST section as well (that is, if people browsing your site
should be able to submit forms via POST).

Of course, you still need to set the slide permissions to give
read access to guest.

Also, keep in mind that while this solution works I can't say
if that's how it's supposed to be done...

Regards,
Michael

-------/ Michael Plomer    /--/ stud. Hilfskraft CONCERT  /----
------/ Fraunhofer IPSI   /--/ Kooperationskomponenten   /-----
-----/ Darmstadt/Germany /--/ eMail: plomer@ipsi.fhg.de /------
----/ 0173 / 5 33 66 23 /--/         m_plomer@gmx.net  /-------

>>-----Original Message-----
>>From: Andreas Probst [mailto:andpro77@gmx.net]
>>Sent: Sunday, 25 May 2003 00:33
>>To: Slide Users Mailing List
>>Subject: Re: Securing Web Content
>>
>>
>>Hi Kevin,
>>
>>try giving read access to /users/guest, but write access only to 
>>authenticated users, e.g. role users.
>>
>>Regards.
>>
>>Andreas
>>
>>On 24 May 2003 at 8:49, Kevin Moran wrote:
>>
>>> Hi,
>>>     I have basic authentication working in Slide.  Now
>>> I'd like to loosen access control on the Slide servlet
>>> so that
>>> 
>>> 1) anyone with a web browser can browse Slide without
>>> being prompted for username/password
>>> 
>>> 2) anyone who wants to modify Slide (for example, via
>>> the WebDAV command-line utility) will be prompted for
>>> username/password
>>> 
>>> I have roles set up in Slide and I understand how they
>>> work.  My sense is web.xml is more at issue here.  If
>>> anyone can offer any advice (even if it's just RTFM),
>>> that would be appreciated.
>>> 
>>> Thanks,
>>> -kevin
>>
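
The effect of the edited constraint can be checked mechanically, because a method that is missing from the <http-method> list is not constrained at all. The Python script below is an added example, not code from this thread or from Slide: it parses a constructed web.xml modelled on the one posted above and lists the methods that no login-requiring constraint covers. The role name example-role (standing in for the elided part of the constraint), the probe list and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Methods named in the posted constraint (GET is commented out there).
LISTED = ["COPY", "DELETE", "HEAD", "LOCK", "MKCOL", "MOVE", "OPTIONS",
          "POST", "PROPFIND", "PROPPATCH", "PUT", "UNLOCK"]
# Methods that change repository state and must stay behind a login.
WRITE_METHODS = {"COPY", "DELETE", "LOCK", "MKCOL", "MOVE", "POST",
                 "PROPPATCH", "PUT", "UNLOCK"}
PROBE = sorted(set(LISTED) | {"GET", "TRACE"})  # methods to check


def build_web_xml(methods):
    """Constructed sample; 'example-role' replaces the elided section."""
    items = "".join(f"<http-method>{m}</http-method>" for m in methods)
    return ("<web-app><security-constraint><web-resource-collection>"
            "<url-pattern>/*</url-pattern>"
            "<!-- <http-method>GET</http-method> -->" + items +
            "</web-resource-collection><auth-constraint>"
            "<role-name>example-role</role-name></auth-constraint>"
            "</security-constraint></web-app>")


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: exact, '/prefix/*', '*.ext', '/'."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern in ("/", path)


def uncovered_methods(web_xml, path, probe=PROBE):
    """Probe methods reachable without login (un-namespaced descriptor)."""
    covered = set()
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # no auth-constraint: this block demands no login
        for wrc in sc.iter("web-resource-collection"):
            if not any(pattern_matches(p.text.strip(), path)
                       for p in wrc.iter("url-pattern")):
                continue
            named = {m.text.strip().upper() for m in wrc.iter("http-method")}
            # No <http-method> at all means every method is constrained.
            covered |= named if named else set(probe)
    return [m for m in probe if m not in covered]


def anonymous_writes(web_xml, path):
    # State-changing methods the container would let through unauthenticated.
    return sorted(WRITE_METHODS & set(uncovered_methods(web_xml, path)))
```

For the posted method list this reports GET and TRACE as uncovered and no write method; with POST also removed from the list, POST is reported as well, so the Slide permissions become the only control on it.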




Re: Securing Web Content

Posted by Andreas Probst <an...@gmx.net>.
Hi Kevin,

try giving read access to /users/guest, but write access only to 
authenticated users, e.g. role users.

Regards.

Andreas

On 24 May 2003 at 8:49, Kevin Moran wrote:

> Hi,
>     I have basic authentication working in Slide.  Now
> I'd like to loosen access control on the Slide servlet
> so that
> 
> 1) anyone with a web browser can browse Slide without
> being prompted for username/password
> 
> 2) anyone who wants to modify Slide (for example, via
> the WebDAV command-line utility) will be prompted for
> username/password
> 
> I have roles set up in Slide and I understand how they
> work.  My sense is web.xml is more at issue here.  If
> anyone can offer any advice (even if it's just RTFM),
> that would be appreciated.
> 
> Thanks,
> -kevin
> 


