Posted to users@tomcat.apache.org by Piavlo <lo...@gmail.com> on 2009/11/05 13:48:01 UTC

howto setup url security constraint with parameters?

 Hi,

I have tomcat setup with user directories =
org.apache.catalina.startup.UserConfig

now I want to let each user reload only his own webapp from the manager
webapp.

If I change the manager web.xml like this
------------------------------
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Allow Blah01 User Reload his Webapp</web-resource-name>
    <url-pattern>/reload</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>blah01</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <description>
    Zopa Userdir Role
  </description>
  <role-name>blah01</role-name>
</security-role>
---------------------------

then the user can reload his webapp with:
  http://localhost:8080/manager/reload?path=/~blah01
but he can also reload other users' webapps, and I want to prevent this.
I tried to put something like this
---------------------------
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Allow Blah01 User Reload his Webapp</web-resource-name>
    <url-pattern>/reload
      <param-name>path</param-name>
      <param-value>/~blah01</param-value>
    </url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>blah01</role-name>
  </auth-constraint>
</security-constraint>
---------------------------
but this is obviously illegal.

Any ideas how this can be done?

 Thanks
 Alex




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: howto setup url security constraint with parameters?

Posted by Pid <pi...@pidster.com>.
On 06/11/2009 00:29, Pivo wrote:
> Caldarale, Charles R wrote:
>>> From: Piavlo [mailto:lolitushka@gmail.com]
>>> Subject: Re: howto setup url security constraint with parameters?
>>>
>>> The problem is that <WatchedResource> does not work for user dirs
>>> defined with org.apache.catalina.startup.UserConfig
>>>
>>
>> Sounds like a bug, but I haven't looked at the code.  What version of Tomcat are you using?
>>
> Currently 6.0.20 , but this also does not work with 5.5 versions.
> But putting aside the buggy  WatchedResource issue -  is there a way to
> do a security constraint of a url on granularity of also matching
> specific HTTP GET parameters/values pairs in that url?

Short answer: no, not using container based security.

That would be a task for the Servlet itself to perform as part of its
logic.  You can use 'request.isUserInRole("somerole")'.


p


>   Thanks
>   Alex
>
>>   - Chuck
>>
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


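The check Pid describes, written out as an added example; this is not code from the thread, from Tomcat or from the manager webapp. It is a servlet Filter mapped to /reload that reads the path parameter, derives the userdir owner from it, and only lets the request through when the authenticated caller is that owner and holds the matching role. Assumptions: the javax.servlet API of the Tomcat 5.5/6 era, that /reload is already covered by the security-constraint shown earlier in the thread (so the caller is authenticated before the filter runs), that the login name and the role name are both the userdir name as in the thread (blah01), and that the class name ReloadPathFilter and its helper names are hypothetical.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical example filter: narrows the container's role-based gate on /reload
 * to "the caller may only reload the userdir webapp that belongs to them".
 * Container security constraints match the URL path only, never the query string,
 * so this per-parameter decision has to live in application code.
 */
public class ReloadPathFilter implements Filter {

    /**
     * Returns the userdir owner named by a manager path such as "/~blah01",
     * or null when the path is absent, is not a userdir path, or contains
     * characters a userdir name should never have (default deny).
     */
    static String ownerOf(String path) {
        if (path == null || !path.startsWith("/~")) {
            return null;
        }
        String user = path.substring(2);
        int slash = user.indexOf('/');
        if (slash >= 0) {
            user = user.substring(0, slash);   // ignore anything after the userdir segment
        }
        // Assumption: userdir names are plain identifiers; reject everything else.
        return user.matches("[A-Za-z0-9_-]+") ? user : null;
    }

    /**
     * The actual decision: the authenticated caller must be the owner of the
     * requested userdir AND hold the role of the same name (the role web.xml
     * grants access to /reload). Both halves are required so that a mistake in
     * either the realm's user list or the role mapping fails closed.
     */
    static boolean allowed(HttpServletRequest req, String path) {
        String owner = ownerOf(path);
        if (owner == null) {
            return false;                      // only userdir webapps may be reloaded here
        }
        String caller = req.getRemoteUser();   // non-null because the constraint already authenticated
        return owner.equals(caller) && req.isUserInRole(owner);
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (!allowed(req, req.getParameter("path"))) {
            // Forbidden rather than a redirect to login: the user is authenticated, just not the owner.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        // no configuration needed for this example
    }

    public void destroy() {
        // nothing to release
    }
}
```

To wire it in, declare the class in the manager's web.xml with a filter element and map it with a filter-mapping whose url-pattern is /reload, the same pattern the security-constraint uses. The security-constraint still does the authentication and the coarse role check; the filter only adds the ownership comparison the container cannot express, and it denies whenever the path parameter is missing or malformed rather than falling through to the servlet.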


Re: howto setup url security constraint with parameters?

Posted by André Warnier <aw...@ice-sa.com>.
Pivo wrote:
> Caldarale, Charles R wrote:
>>> From: Piavlo [mailto:lolitushka@gmail.com]
>>> Subject: Re: howto setup url security constraint with parameters?
>>>
>>> The problem is that  <WatchedResource> does not work for user dirs
>>> defined with org.apache.catalina.startup.UserConfig
>>>     
>> Sounds like a bug, but I haven't looked at the code.  What version of Tomcat are you using?
>>   
> Currently 6.0.20 , but this also does not work with 5.5 versions.
> But putting aside the buggy  WatchedResource issue -  is there a way to
> do a security constraint of a url on granularity of also matching
> specific HTTP GET parameters/values pairs in that url?
> 

Just jumping in with some lateral thinking, and without the background.
The idea would be to catch these requests earlier, and dispatch them, on 
the basis of the GET parameters, to different webapps, each with its 
appropriate security constraints.
I think a servlet filter (such as the URLRewriteFilter) would be too 
late already.
But a front-end Apache httpd would not.



Re: howto setup url security constraint with parameters?

Posted by Pivo <lo...@gmail.com>.
Caldarale, Charles R wrote:
>> From: Piavlo [mailto:lolitushka@gmail.com]
>> Subject: Re: howto setup url security constraint with parameters?
>>
>> The problem is that  <WatchedResource> does not work for user dirs
>> defined with org.apache.catalina.startup.UserConfig
>>     
>
> Sounds like a bug, but I haven't looked at the code.  What version of Tomcat are you using?
>   
Currently 6.0.20 , but this also does not work with 5.5 versions.
But putting aside the buggy  WatchedResource issue -  is there a way to
do a security constraint of a url on granularity of also matching
specific HTTP GET parameters/values pairs in that url?

 Thanks
 Alex

>  - Chuck


RE: howto setup url security constraint with parameters?

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Piavlo [mailto:lolitushka@gmail.com]
> Subject: Re: howto setup url security constraint with parameters?
> 
> The problem is that  <WatchedResource> does not work for user dirs
> defined with org.apache.catalina.startup.UserConfig

Sounds like a bug, but I haven't looked at the code.  What version of Tomcat are you using?

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: howto setup url security constraint with parameters?

Posted by Piavlo <lo...@gmail.com>.
Caldarale, Charles R wrote:
>> From: Piavlo [mailto:lolitushka@gmail.com]
>> Subject: howto setup url security constraint with parameters?
>>
>> now I want to give each user to reload only his webapp from 
>> the manager webapp.
>>     
>
>   
The problem is that <WatchedResource> does not work for user dirs
defined with org.apache.catalina.startup.UserConfig.
While I did set up all webapps to be reloadable by using the default
server context inherited by other webapps, i.e.:
<Context reloadable="true">
   <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>

This only triggers a reload when files change under WEB-INF/{lib/classes}/*
but not in nested subdirs;
for example, modifying WEB-INF/classes/Some.class triggers a reload but
WEB-INF/classes/somedir/another.class does not always work.
Also the WEB-INF/web.xml is not watched anyway; its modification never
triggers a webapp reload, while it is correctly watched for regular (non
userdir) webapps.

Thanks
Alex

> I don't think you need to.  By touching or otherwise updating any file listed in a <WatchedResource> element for the webapp, Tomcat will automatically restart the webapp, assuming you have not disabled automatic deployment.  As long as the user has access to the <WatchedResource> for his or her webapp, they should be able to trigger redeployment whenever they want.  The default <WatchedResource> is the WEB-INF/web.xml file for each webapp.
>
>  - Chuck
>




RE: howto setup url security constraint with parameters?

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Piavlo [mailto:lolitushka@gmail.com]
> Subject: howto setup url security constraint with parameters?
> 
> now I want to give each user to reload only his webapp from 
> the manager webapp.

I don't think you need to.  By touching or otherwise updating any file listed in a <WatchedResource> element for the webapp, Tomcat will automatically restart the webapp, assuming you have not disabled automatic deployment.  As long as the user has access to the <WatchedResource> for his or her webapp, they should be able to trigger redeployment whenever they want.  The default <WatchedResource> is the WEB-INF/web.xml file for each webapp.

 - Chuck
