Posted to users@tomcat.apache.org by Randy Oun <ra...@ounism.com> on 2018/06/08 16:26:41 UTC

SPNEGO config in Tomcat's web.xml

Hello Tomcat user group.

I am setting up Tomcat 8.5.23 with Kerberos/SPNEGO.  Since the Tomcat
server will only be hosting one web application and we only want SPNEGO
on certain environments, we were trying to add security constraints to
Tomcat's web.xml instead of the application's web.xml.

Unfortunately it doesn't seem like it is taking effect.  The only change
is adding the app's URI context to the url-pattern in Tomcat's web.xml.

Is something misconfigured?  If not, what can I do to get this to work?

In TOMCAT_HOME/conf/web.xml...
---------------------------------------------

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>NoSSO</web-resource-name>
      <description>URIs that should not trigger SPNEGO</description>
      <url-pattern>/app/ping</url-pattern>
      <url-pattern>/app/ws/*</url-pattern>
      <url-pattern>/app/service/*</url-pattern>
    </web-resource-collection>
    <!-- No auth-constraint means paths are accessible -->
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSO</web-resource-name>
      <description>Default context path that will trigger Kerberos-SPNEGO SSO</description>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>**</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>SPNEGO Realm</realm-name>
  </login-config>

In app web.xml...
-----------------------
  <!-- SF Note: Added for SSO enablement -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>NoSSO</web-resource-name>
      <description>URIs that should not trigger SPNEGO</description>
      <url-pattern>/ping</url-pattern>
      <url-pattern>/ws/*</url-pattern>
      <url-pattern>/service/*</url-pattern>
    </web-resource-collection>
    <!-- No auth-constraint means paths are accessible -->
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSO</web-resource-name>
      <description>Default context path that will trigger Kerberos-SPNEGO SSO</description>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>**</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>SPNEGO</auth-method>
    <realm-name>SPNEGO Realm</realm-name>
  </login-config>

Thanks!

Randy

Re: SPNEGO config in Tomcat's web.xml

Posted by Mark Thomas <ma...@apache.org>.
On 08/06/18 17:26, Randy Oun wrote:
> Hello Tomcat user group.
> 
> I am setting up Tomcat 8.5.23 with Kerberos/SPNEGO.  Since the Tomcat
> server will only be hosting one web application and we only want SPNEGO
> on certain environments, we were trying to add security constraints to
> Tomcat's web.xml instead of the application's web.xml.
> 
> Unfortunately it doesn't seem like it is taking effect.  The only change
> is adding the app's URI context to the url-pattern in Tomcat's web.xml.
> 
> Is something misconfigured?

Yes.

The global web.xml is merged into the application web.xml for every web
application.

You want to use exactly the same URLs (no leading "/app") in the global
web.xml as you do in the application web.xml.

As an aside, configuring application specific settings in the global
web.xml is not recommended. If you ever need to deploy a second web
application you are going to have difficulties.

Mark

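To see why the posted global web.xml has no effect, here is an added Python model (not Tomcat's code and not from the thread) of how security constraints are matched once conf/web.xml has been merged into the application's web.xml: the container strips the context path first, then chooses the best-matching url-pattern in the Servlet spec order (exact, longest path prefix, extension, default). The two fragments are constructed from the ones posted; `parse_constraints`, `best_match`, `evaluate` and the `/other` context used to illustrate Mark's aside are the example's own names.

```python
"""Model of Tomcat constraint matching after the global/app web.xml merge.

Added example, not Tomcat source. Matching order follows the Servlet
spec: exact pattern, longest path prefix, extension, default. url-patterns
are always relative to the context path, which is why a leading "/app"
in conf/web.xml never matches anything inside the /app context.
"""
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the conf/web.xml posted in the thread
# (descriptions and the /service/* pattern dropped for brevity).
GLOBAL_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>NoSSO</web-resource-name>
      <url-pattern>/app/ping</url-pattern>
      <url-pattern>/app/ws/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSO</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>**</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Mark's fix: the same patterns without the leading "/app".
FIXED_GLOBAL_WEB_XML = GLOBAL_WEB_XML.replace("/app/", "/")


def parse_constraints(web_xml):
    """Return [(patterns, requires_auth)] for every security-constraint."""
    root = ET.fromstring(web_xml)
    out = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        out.append((patterns, sc.find("auth-constraint") is not None))
    return out


def best_match(constraints, path):
    """Constraints attached to the best-matching pattern for a
    context-relative path (Servlet spec order)."""
    def with_pattern(pat):
        return [c for c in constraints if pat in c[0]]

    all_patterns = {p for pats, _ in constraints for p in pats}
    if path in all_patterns:                      # 1. exact match
        return with_pattern(path)
    prefixes = [p for p in all_patterns if p.endswith("/*")
                and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:                                  # 2. longest path prefix
        return with_pattern(max(prefixes, key=len))
    for p in all_patterns:                        # 3. extension
        if p.startswith("*.") and path.endswith(p[1:]):
            return with_pattern(p)
    if "/" in all_patterns:                       # 4. default
        return with_pattern("/")
    return []


def evaluate(web_xml, context, request_uri):
    """Decision for one request: 'unconstrained' (no pattern matched,
    so no SPNEGO challenge), 'open' (matched a constraint without an
    auth-constraint) or 'auth-required' (SPNEGO challenge issued)."""
    if request_uri != context and not request_uri.startswith(context + "/"):
        return "not-this-context"
    path = request_uri[len(context):] or "/"      # context path stripped
    matched = best_match(parse_constraints(web_xml), path)
    if not matched:
        return "unconstrained"
    # Spec combining rule: a matching constraint with no auth-constraint
    # grants unauthenticated access even if another one names roles.
    if any(not requires_auth for _, requires_auth in matched):
        return "open"
    return "auth-required"


if __name__ == "__main__":
    for label, xml in (("as posted", GLOBAL_WEB_XML), ("fixed", FIXED_GLOBAL_WEB_XML)):
        for uri in ("/app/ping", "/app/ws/echo", "/app/secure/page", "/other/admin"):
            ctx = "/app" if uri.startswith("/app") else "/other"
            print(f"{label:9} {uri:18} -> {evaluate(xml, ctx, uri)}")
```

With the patterns as posted every request inside `/app` comes out `unconstrained`, which is exactly the "not taking effect" symptom; with the leading `/app` removed, `/app/secure/page` requires authentication and `/app/ping` and `/app/ws/*` stay open. The last row shows Mark's aside: once the constraints live in conf/web.xml they are merged into every context, so a hypothetical second application at `/other` would also start challenging for SPNEGO.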

