Posted to dev@tomcat.apache.org by bu...@apache.org on 2006/01/11 07:50:07 UTC
DO NOT REPLY [Bug 38221] New: - Tomcat always returns HTTP 403/Forbidden for HTTP PUT, etc
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38221>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38221
Summary: Tomcat always returns HTTP 403/Forbidden for HTTP PUT, etc
Product: Tomcat 5
Version: 5.0.28
Platform: All
OS/Version: other
Status: NEW
Severity: normal
Priority: P2
Component: Connector:HTTP
AssignedTo: tomcat-dev@jakarta.apache.org
ReportedBy: ken@kensystem.com
I have tried several config variations, but cannot get any non-POST/GET method
to succeed. I am correctly overriding each method (doPut(HttpServerRequest,
HttpServletResponse), etc), in this case using a JSP (JspServlet extends
Servlet). The PUT request is well formed, and I am also passing the same
JSESSIONID cookie that allows access via GET.
This symptom occurs with a default server config, as well as adding the below
config sample to the webapp's web.xml.
<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/*</url-pattern>
    <!-- If you list http methods, only those methods are protected -->
    <http-method>HEAD</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
    <http-method>TRACE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>HEAD</http-method>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>tomcat</role-name>
    <role-name>role1</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login.jsp?fail=true</form-error-page>
  </form-login-config>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
  <role-name>role1</role-name>
</security-role>
<security-role>
  <role-name>tomcat</role-name>
</security-role>
My assumption is that there is a web/server.xml or System.setProperty
Security.setProperty setting that needs to be enabled, although I was not able
to locate this in the documentation.
PS - the above "<!-- If you list http methods, only those methods are protected
-->" should be changed to "<!-- If you list http methods, only those methods are
permitted -->"?? I'm not sure I understand the current statement as it relates to
mutual exclusion of unlisted methods, as worded...
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 38221] - Tomcat always returns HTTP 403/Forbidden for HTTP PUT, etc
Posted by bu...@apache.org.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38221
ken@kensystem.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID
------- Additional Comments From ken@kensystem.com 2006-01-18 20:24 -------
org.apache.catalina.servlets.DefaultServlet must have init-param readonly = false.
ALSO NOTE that this Servlet and its configs DO affect dynamic content as
well as static, contrary to the javadocs...
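Added example (not part of the original bug report and not Tomcat's own code): a small Python audit of a web.xml for the two settings this thread turns on, a security constraint that lists <http-method> elements (it then applies only to those methods, so unlisted ones are not covered by it) and a DefaultServlet declared with readonly=false (which lets it accept PUT and DELETE). The method set, function names and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the standard methods a constraint's coverage is compared against.
ALL_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: two listed methods, default servlet with readonly=false.
SAMPLE = """<web-app>
  <servlet>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name><param-value>false</param-value>
    </init-param>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def find(elem, name):
    # Match on local tag name so namespaced web.xml files work too.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def texts(elem, name):
    return [(e.text or "").strip() for e in find(elem, name)]

def audit(xml_text):
    root, findings = ET.fromstring(xml_text), []
    for wrc in find(root, "web-resource-collection"):
        listed = set(texts(wrc, "http-method"))
        # No <http-method> at all means the constraint covers every method.
        missing = sorted(ALL_METHODS - listed) if listed else []
        if missing:
            findings.append(("uncovered-methods", texts(wrc, "url-pattern"), missing))
    for servlet in find(root, "servlet"):
        params = dict(zip(texts(servlet, "param-name"), texts(servlet, "param-value")))
        if DEFAULT_SERVLET in texts(servlet, "servlet-class") \
                and params.get("readonly", "true").lower() == "false":
            findings.append(("default-servlet-writable", [], ["DELETE", "PUT"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A constraint that lists all seven methods, as the one in the report does, produces no uncovered-methods finding.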