Posted to users@tomcat.apache.org by K A <k_...@hotmail.com> on 2010/08/18 11:44:18 UTC

Configure read/write-access in TomCat

Hello

I've developed a web-application in which I'd like to have some control of which resources are accessed by whom. My project is called "Server" in which I've got 3 directories: "/user" which all roles are allowed to access, "/admin" which ONLY administrators are allowed to access and "resources" in which I've got some files which users are allowed to read and administrators are allowed to both read and write.

I'm using a FORM to login. The form action is "POST" and the action is "j_security_check", the username field's name is "j_username" and the password field's is "j_password".
I've implemented a security-check in the jsp-file itself where I'm checking for the type of login the current user has. If the type is approved then the user is allowed to access the page.

But when I test the application and try to access the files in the other library then I've got access no matter what. This wasn't the intention.

I've tried to follow several tutorials online but no matter what I can't get it to work out the right way.

I've tried to configure the web.xml manually but it doesn't work. I've tried to use the "manager" through the browser but that doesn't seem to deliver the possibility to set up those restrictions.

Can somebody please give me a detailed walkthrough on how to achieve this?

I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1. Thank you very much in advance!

Best regards,
Kenneth Andersen
k_k_andersen@hotmail.com

Re: Configure read/write-access in TomCat

Posted by Hassan Schroeder <ha...@gmail.com>.
On Wed, Aug 18, 2010 at 8:06 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:

> I couldn't see if anyone actually answered your question, here, or just
> argued about how well-documented conf/web.xml was.

Wait, what, those aren't the same?  :-)

-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
twitter: @hassan

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Configure read/write-access in TomCat

Posted by Kenneth <k_...@hotmail.com>.
My project-name is "Server" - but I guess that your answer still is 
correct. Thanks!
On 19-08-2010 05:06, Christopher Schultz wrote:
>
> Mr. Andersen,
>
> On 8/18/2010 7:16 AM, K A wrote:
>    
>> <security-constraint>
>>    <web-resource-collection>
>>      <web-resource-name>user open part</web-resource-name>
>>      <url-pattern>/Server/user/*</url-pattern>
>>    </web-resource-collection>
>>
>>    <auth-constraint>
>>      <role-name>user</role-name>
>>      <role-name>admin</role-name>
>>    </auth-constraint>
>> </security-constraint>
>>      
> Your URL pattern is wrong: the URL should be relative to the context,
> not to the server. Presumably, your webapp's name is "Server", and the
> context path is "/Server". That means that your URL pattern ought to be:
>
> <url-pattern>/user/*</url-pattern>
>
> I couldn't see if anyone actually answered your question, here, or just
> argued about how well-documented conf/web.xml was. Hope that helps.
>
> -chris
>




Re: Configure read/write-access in TomCat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mr. Andersen,

On 8/18/2010 7:16 AM, K A wrote:
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>user open part</web-resource-name> 
>     <url-pattern>/Server/user/*</url-pattern> 
>   </web-resource-collection>
> 
>   <auth-constraint>
>     <role-name>user</role-name> 
>     <role-name>admin</role-name> 
>   </auth-constraint>
> </security-constraint>

Your URL pattern is wrong: the URL should be relative to the context,
not to the server. Presumably, your webapp's name is "Server", and the
context path is "/Server". That means that your URL pattern ought to be:

<url-pattern>/user/*</url-pattern>

I couldn't see if anyone actually answered your question, here, or just
argued about how well-documented conf/web.xml was. Hope that helps.

-chris

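A complete WEB-INF/web.xml that applies the corrections given in this thread (url-patterns relative to the context, login pages kept under /WEB-INF) and also covers the original poster's "resources" directory, which users may read and only administrators may write. This is an added example, not configuration posted by anyone in the thread; the file names under /WEB-INF/login and the use of http-method to split read access from write access are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- webapps/Server/WEB-INF/web.xml : the context path is /Server, so every
     url-pattern below is written relative to it (no leading /Server).
     Added example; file names and the http-method split are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- /user/* : any authenticated user or admin, all HTTP methods -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user open part</web-resource-name>
      <url-pattern>/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- /admin/* : administrators only, all HTTP methods -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin closed part</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- /resources/* : two constraints on the same pattern.
       The first lists no http-method, so it covers every method and
       restricts them all to admin. The second adds the user role for the
       read-only methods. Where two constraints cover the same pattern and
       method the container grants the union of their roles, so GET/HEAD
       end up allowed for user and admin while PUT, DELETE and every other
       method stay admin-only. A single constraint that merely listed
       GET/HEAD would leave all unlisted methods unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>resources, write</web-resource-name>
      <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>resources, read</web-resource-name>
      <url-pattern>/resources/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM login: the form POSTs to j_security_check with the fields
       j_username and j_password. Both pages live under /WEB-INF, so they
       cannot be requested directly; the container serves them itself. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/WEB-INF/login/form.jsp</form-login-page>
      <form-error-page>/WEB-INF/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- one security-role element per role -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

The constraints only decide who is allowed to send a write request; as Pid notes above, Tomcat serves static files read-only by default, so writes to /resources/* will still be refused until the DefaultServlet's readonly init-param is set to false in this web.xml or a servlet of your own handles them.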


Re: Configure read/write-access in Tomcat

Posted by Pid <pi...@pidster.com>.
On 18/08/2010 14:06, K A wrote:
> 
> Ah, so the web.xml in /tomcat/conf has nothing to do with the issue - it's only the web.xml in the project itself?

Authentication should be configured on an app-by-app basis, not in the
default web.xml, so yes, that's correct.

> I just read that tomcat does not allow write-access to directories.

Why would it?  Special configuration/functionality is, as André
explained, required to enable such a function on most web servers;
Tomcat is no exception.

> So I guess my main issue in my question is of no concern then as the users don't have any rights to access the files in the actual directory unless the files are accessed through a servlet or jsp-page in this case?

Depending on whether your understanding of 'Access' is the same one as
the rest of us are using.

Web servers publish files to everyone (unless you restrict access), but
don't allow those files to be edited (unless you enable it).

If you want your user & admin roles to restrict the read access, employ
the correct configuration as below.


p

>> On 18/08/2010 12:16, K A wrote:
>>>
>>> In /tomcat/Webapps/Projectname/web-inf:
>>
>> Capitals matter.  WEB-INF is the correct directory name.
>>
>>> I have inserted this part:
>>> ....
>>> <!--inserted from here  -->
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>user open part</web-resource-name>
>>>     <url-pattern>/Server/user/*</url-pattern>
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>user</role-name>
>>>     <role-name>admin</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>admin closed part</web-resource-name>
>>>     <url-pattern>/Server/admin/*</url-pattern>
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>admin</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>> <login-config>
>>>   <auth-method>FORM</auth-method>
>>>   <form-login-config>
>>>     <form-login-page>/Server/index.jsp</form-login-page>
>>>     <form-error-page>/Server/index.jsp</form-error-page>
>>
>> Paths are relative. I'd also recommend putting two separate files in a
>> location that can't be directly requested. e.g.
>>
>>   /WEB-INF/login/form.jsp
>>   /WEB-INF/login/error.jsp
>>
>>>   </form-login-config>
>>> </login-config>
>>>
>>> <security-role>
>>>   <role-name>admin</role-name>
>>>   <role-name>user</role-name>
>>> </security-role>
>>> <!--inserted to here  -->
>>>
>>> <servlet>
>>> ...
>>>
>>>
>>> In /tomcat/Conf/web.xml:
>>
>> Don't do that.  Also, it should be 'conf'.
>>
>>
>> p
>>
>>> I have inserted this part:
>>> .................
>>>
>>> <!--inserted from here-->
>>>
>>>       <security-constraint>
>>>             <web-resource-collection>
>>>                   <web-resource-name>user open part</web-resource-name>
>>>                   <url-pattern>/Server/user/*</url-pattern>
>>>             </web-resource-collection>
>>>             <auth-constraint>
>>>                   <role-name>user</role-name>
>>>                   <role-name>admin</role-name>
>>>             </auth-constraint>
>>>       </security-constraint>
>>>
>>>       <security-constraint>
>>>             <web-resource-collection>
>>>                   <web-resource-name>admin closed part</web-resource-name>
>>>                   <url-pattern>/Server/admin/*</url-pattern>
>>>             </web-resource-collection>
>>>             <auth-constraint>
>>>                   <role-name>admin</role-name>
>>>             </auth-constraint>
>>>       </security-constraint>
>>>
>>>       <login-config>
>>>             <auth-method>FORM</auth-method>
>>>             <form-login-config>
>>>                   <form-login-page>/Server/index.jsp</form-login-page>
>>>                   <form-error-page>/Server/index.jsp</form-error-page>
>>>             </form-login-config>
>>>       </login-config>
>>>
>>>       <security-role>
>>>             <role-name>admin</role-name>
>>>             <role-name>user</role-name>
>>>       </security-role>
>>>
>>> <!--inserted to here-->
>>>
>>>     <servlet>
>>>         <servlet-name>default</servlet-name>
>>>         <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
>>>         <init-param>
>>> ......
>>>
>>>
>>>
>>>> Date: Wed, 18 Aug 2010 12:00:39 +0100
>>>> From: pid@pidster.com
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: Configure read/write-access in TomCat
>>>>
>>>> On 18/08/2010 10:44, K A wrote:
>>>>>
>>>>> Hello
>>>>>
>>>>> I've developed a web-application in which I'd like to have some control of which resources are accessed by whom. My project is called "Server" in which I've got 3 directories: "/user" which all roles are allowed to access, "/admin" which ONLY administrators are allowed to access and "resources" in which I've got some files which users are allowed to read and administrators are allowed to both read and write.
>>>>>
>>>>> I'm using a FORM to login. The form action is "POST" and the action is "j_security_check", the username field's name is "j_username" and the password field's is "j_password".
>>>>> I've implemented a security-check in the jsp-file itself where I'm checking for the type of login the current user has. If the type is approved then the user is allowed to access the page.
>>>>>
>>>>> But when I test the application and try to access the files in the other library then I've got access no matter what. This wasn't the intention.
>>>>>
>>>>> I've tried to follow several tutorials online but no matter what I can't get it to work out the right way.
>>>>>
>>>>> I've tried to configure the web.xml manually but it doesn't work. I've tried to use the "manager" through the browser but that doesn't seem to deliver the possibility to set up those restrictions.
>>>>
>>>> What have you tried?
>>>>
>>>>
>>>>> Can somebody please give me a detailed walkthrough on how to achieve this?
>>>>>
>>>>> I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1. Thank you very much in advance!
>>>>
>>>> Why do people think it's called 'TomCat'?  It's *Tomcat*.
>>>>
>>>>
>>>> p
>>>>
>>>>
>>>>> Best regards,
>>>>> Kenneth Andersen
>>>>> k_k_andersen@hotmail.com


Re: Configure read/write-access in TomCat

Posted by André Warnier <aw...@ice-sa.com>.
K A wrote:
> Ah, so the web.xml in /tomcat/conf has nothing to do with the issue - it's only the web.xml in the project itself?

The conf/web.xml is the web.xml for the "default servlet".
The webapps/your-webapp/WEB-INF/web.xml is the one that dictates what happens when users
access /your-webapp/*.

When Tomcat processes a request, it will first look at the URL and determine to which
"webapp" (or context) it should pass the request.

Say the URL is "/your-webapp/some-document.txt".

Tomcat will look at the file webapps/your-webapp/WEB-INF/web.xml, to see if there is any
mapping there that assigns "/some-document.txt" to some servlet or JSP page inside
your-webapp.  If it finds one, then it will invoke that servlet/JSP, and pass the request
to it.

If Tomcat does not find any mapping inside that application's web.xml file that is
applicable to "/some-document.txt", then it will look into the conf/web.xml file to find
an appropriate mapping.  If it finds one (which it always does) then it will invoke its
default servlet to handle this call.
The default servlet is essentially one that will look on the filesystem for a file named
"(tomcat-dir)/webapps/your-webapp/some-document.txt", and return a copy "as is" to the
browser.



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Configure read/write-access in TomCat

Posted by André Warnier <aw...@ice-sa.com>.
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Subject: Re: Configure read/write-access in TomCat
> 
>> the process by which Tomcat, for each deployed webapp, first reads 
>> and "processes" the conf/web.xml, then reads and "processes" the 
>> applications WEB-INF/web.xml, and then "merges" both according to
>> some internal logic, is specific to Tomcat, and is NOT very well
>> documented at present in the on-line documentation ?
> 
> I don't think I'd say it's not well documented, but the documentation is not sufficiently detailed to cover all possibilities.
> 
>> Well actually I do.
> 
> I'm shocked :-)
> 
>> - I do not know enough of Tomcat and even Java to write 
>> something coherent and correct
> 
> Java knowledge isn't required here.
> 
>> - I find the process of contributing Tomcat documentation 
>> changes rather overwhelming, technically speaking.
> 
> I'd agree it's a bit obtuse for the first-timer.
> 
>> And whereabouts would I find the original Tomcat code which does
>> this, on the off-chance I might actually understand it enough to
>> write something not totally wrong ?
> 
> I'd start here:
> 
> org/apache/catalina/startup/ContextConfig.java
> org/apache/catalina/core/StandardContext.java
> 
>> Or, might the process better be described as :
>>
>> As Tomcat deploys each web application, it first installs 
>> the default servlet and its associated web.xml descriptor 
>> CATALINA_BASE/conf/web.xml for this web application, then
>> it overrides this setup by any servlets and descriptor 
>> (application/WEB-INF/web.xml) provided by the application
>> itself (if any).  In case of overlapping or conflicting 
>> settings, the web application specific settings have precedence.
> 
> The word "installs" is inappropriate, as is the focus on the default servlet.  There are several servlets defined in conf/web.xml (the DefaultServlet being just one of them), along with quite a bit of other tidbits such as welcome files and MIME mappings.  Deployment does not involve "installing" servlets, but rather building name space maps to translate URLs into classes, along with processing all the other junk in web.xml and the <Context> element.
> 

The previous paragraph is right on the spot, to explain why I feel that I am lacking some 
baggage here.
I was more thinking of an explanation "for the common man", you know, sysadmin-like.
But yours has potential. Maybe we could collaborate on this ? Like, you write the real 
accurate technical explanation, and I translate into common international English ?
;-)


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Configure read/write-access in TomCat

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com]
> Subject: Re: Configure read/write-access in TomCat

> the process by which Tomcat, for each deployed webapp, first reads 
> and "processes" the conf/web.xml, then reads and "processes" the 
> applications WEB-INF/web.xml, and then "merges" both according to
> some internal logic, is specific to Tomcat, and is NOT very well
> documented at present in the on-line documentation ?

I don't think I'd say it's not well documented, but the documentation is not sufficiently detailed to cover all possibilities.

> Well actually I do.

I'm shocked :-)

> - I do not know enough of Tomcat and even Java to write 
> something coherent and correct

Java knowledge isn't required here.

> - I find the process of contributing Tomcat documentation 
> changes rather overwhelming, technically speaking.

I'd agree it's a bit obtuse for the first-timer.

> And whereabouts would I find the original Tomcat code which does
> this, on the off-chance I might actually understand it enough to
> write something not totally wrong ?

I'd start here:

org/apache/catalina/startup/ContextConfig.java
org/apache/catalina/core/StandardContext.java

> Or, might the process better be described as :
> 
> As Tomcat deploys each web application, it first installs 
> the default servlet and its associated web.xml descriptor 
> CATALINA_BASE/conf/web.xml for this web application, then
> it overrides this setup by any servlets and descriptor 
> (application/WEB-INF/web.xml) provided by the application
> itself (if any).  In case of overlapping or conflicting 
> settings, the web application specific settings have precedence.

The word "installs" is inappropriate, as is the focus on the default servlet.  There are several servlets defined in conf/web.xml (the DefaultServlet being just one of them), along with quite a bit of other tidbits such as welcome files and MIME mappings.  Deployment does not involve "installing" servlets, but rather building name space maps to translate URLs into classes, along with processing all the other junk in web.xml and the <Context> element.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.




RE: Configure read/write-access in TomCat

Posted by Leo Donahue - PLANDEVX <Le...@mail.maricopa.gov>.

>-----Original Message-----
>From: André Warnier [mailto:aw@ice-sa.com]
>Subject: Re: Configure read/write-access in TomCat
>
>Comments at end.
>
>Caldarale, Charles R wrote:
>
> Do you know anyone who actually likes to write documentation?
>
>
>> André Warnier wrote:
>>
>>Well actually I do.
>>But in this case, I have a number of impediments :
>>- I do not know enough of Tomcat and even Java to write something coherent and correct
>>- I find the process of contributing Tomcat documentation changes rather overwhelming, technically speaking.
>>(Which I guess explains also why not many other people feel like correcting the docs.)
>>
>>But let's suppose that I would try to write a summary of this process.
>>Where would it fit in the documentation ?
>>And whereabouts would I find the original Tomcat code which does this, on the off-chance I
>>might actually understand it enough to write something not totally wrong?
>>
>>Or, might the process better be described as :
>>
>As Tomcat deploys each web application, it first installs the default
>servlet and its
>associated web.xml descriptor CATALINA_BASE/conf/web.xml for this web
>application, then it
>overrides this setup by any servlets and descriptor (application/WEB-
>INF/web.xml) provided
>by the application itself (if any).  In case of overlapping or
>conflicting settings, the
>web application specific settings have precedence.


http://tomcat.apache.org/tomcat-6.0-doc/architecture/startup/serverStartup.txt

Sequence 2.  c) c)3 - the last sentence.

Obviously, this is "supposedly" for Tomcat 6, but the doc reads "Tomcat 5 Startup Sequence".  



Re: Configure read/write-access in TomCat

Posted by André Warnier <aw...@ice-sa.com>.
Comments at end.

Caldarale, Charles R wrote:
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Subject: Re: Configure read/write-access in TomCat
>>
>> Would you gurus mind pointing out where exactly ?
> 
> Not sure what you want pointed out.
> 
>> I am looking at the online documentation of Tomcat 7, at
>> http://tomcat.apache.org/tomcat-7.0-doc/index.html,
>> and not finding it.
> 
> What is "it"?
> 
>> I am also having trouble finding it in the Servlet Specifications v 3.0
>> (I mean specifically where it says that the "default" web.xml is being
>> merged with the application-specific web.xml.)
> 
> That won't be in the spec - it's a characteristic of Tomcat.  Other containers operate differently.
> 
>> If you refer to the content itself of the conf/web.xml file
> 
> That's what Pid was talking about.
> 
>> here is all it has to say :
>>
>> This document defines default values for *all* web applications
>> loaded into this instance of Tomcat.  As each application is
>> deployed, this file is processed, followed by the
>> "/WEB-INF/web.xml" deployment descriptor from your own
>> applications.
> 
> That's the key information.
> 
>> For example, it does not clearly speak of merging, nor in case
>> of merge which possibly overlapping or conflicting directive has
>> precedence (one would presume the webapp, but then presumptions 
>> are sometimes misleading).
> 
> Yes, the settings in the webapp's WEB-INF/web.xml override those in the global.  I can't find any explicit statement to that effect either, but that is how it works.
> 

Ok, can I then summarise this by now slightly but not quite off-topic series of messages 
by saying that, contrary to what some previous answers would imply, the process by which 
Tomcat, for each deployed webapp, first reads and "processes" the conf/web.xml, then reads 
and "processes" the applications WEB-INF/web.xml, and then "merges" both according to some 
internal logic, is specific to Tomcat, and is NOT very well documented at present in the 
on-line documentation ?

...
>
> Do you know anyone who actually likes to write documentation?
>
Well actually I do.
But in this case, I have a number of impediments :
- I do not know enough of Tomcat and even Java to write something coherent and correct
- I find the process of contributing Tomcat documentation changes rather overwhelming, 
technically speaking.
(Which I guess explains also why not many other people feel like correcting the docs.)

But let's suppose that I would try to write a summary of this process.  Where would it fit 
in the documentation ?
And whereabouts would I find the original Tomcat code which does this, on the off-chance I 
might actually understand it enough to write something not totally wrong ?

Or, might the process better be described as :

As Tomcat deploys each web application, it first installs the default servlet and its 
associated web.xml descriptor CATALINA_BASE/conf/web.xml for this web application, then it 
overrides this setup by any servlets and descriptor (application/WEB-INF/web.xml) provided 
by the application itself (if any).  In case of overlapping or conflicting settings, the 
web application specific settings have precedence.







RE: Configure read/write-access in TomCat

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com]
> Subject: Re: Configure read/write-access in TomCat
> 
> Would you gurus mind pointing out where exactly ?

Not sure what you want pointed out.

> I am looking at the online documentation of Tomcat 7, at
> http://tomcat.apache.org/tomcat-7.0-doc/index.html,
> and not finding it.

What is "it"?

> I am also having trouble finding it in the Servlet Specifications v 3.0
> (I mean specifically where it says that the "default" web.xml is being
> merged with the application-specific web.xml.)

That won't be in the spec - it's a characteristic of Tomcat.  Other containers operate differently.

> If you refer to the content itself of the conf/web.xml file

That's what Pid was talking about.

> here is all it has to say :
> 
> This document defines default values for *all* web applications
> loaded into this instance of Tomcat.  As each application is
> deployed, this file is processed, followed by the
> "/WEB-INF/web.xml" deployment descriptor from your own
> applications.

That's the key information.

> For example, it does not clearly speak of merging, nor in case
> of merge which possibly overlapping or conflicting directive has
> precedence (one would presume the webapp, but then presumptions 
> are sometimes misleading).

Yes, the settings in the webapp's WEB-INF/web.xml override those in the global.  I can't find any explicit statement to that effect either, but that is how it works.

> By the way, according to http://tomcat.apache.org/whichversion.html,
> Tomcat 7 follows the Servlet Spec 3.0.  But in most of the online 
> documentation, it refers only to earlier versions of the specs,
> like here : http://tomcat.apache.org/tomcat-7.0-doc/index.html

Patches are always welcome.

> And as long as I'm at it, following the link "Introduction"
> on this last page, one comes to a page where the paragraph 
> "Terminology" is all but enlightening...

Do you know anyone who actually likes to write documentation?

 - Chuck






Re: Configure read/write-access in TomCat

Posted by Markus Schönhaber <to...@list-post.mks-mail.de>.
18.08.2010 16:55, André Warnier:

> Pid wrote:
>> On 18/08/2010 14:56, Caldarale, Charles R wrote:
>>>> From: André Warnier [mailto:aw@ice-sa.com]
>>>> Subject: Re: Configure read/write-access in TomCat
>>>>
>>>> The conf/web.xml is the web.xml for the "default servlet".
>>> It's a bit more than that, actually.  The contents of conf/web.xml are logically merged into a webapp's own WEB-INF/web.xml when the webapp is deployed.  Changing conf/web.xml effectively changes every deployed webapp, which is rarely desirable.
>>
>> N.B.  It's well commented and worth reading.
>>
> 
> Would you gurus mind pointing out where exactly ?
> 
> I am looking at the online documentation of Tomcat 7, at 
> http://tomcat.apache.org/tomcat-7.0-doc/index.html,
> and not finding it.

From
http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Introduction

| Context elements may be explicitly defined:
|
|     * In the $CATALINA_BASE/conf/context.xml file: the Context element
information will be loaded by all webapps.
| [...]

> I am also having trouble finding it in the Servlet Specifications v 3.0

AFAIK that's Tomcat-specific and has nothing to do with the spec.

> (I mean specifically where it says that the "default" web.xml is being merged with the 
> application-specific web.xml.)
> 
> If you refer to the content itself of the conf/web.xml file, here is all it has to say :
> 
> <!-- ======================== Introduction ============================== -->
>    <!-- This document defines default values for *all* web applications      -->
>    <!-- loaded into this instance of Tomcat.  As each application is         -->
>    <!-- deployed, this file is processed, followed by the                    -->
>    <!-- "/WEB-INF/web.xml" deployment descriptor from your own               -->
>    <!-- applications.                                                        -->
>    <!--                                                                      -->
> 
> For example, it does not clearly speak of merging,

Well, Chuck simply used the term "merge" to explain how things are.
Of course, since it's Chuck, it could be seen as a specification ;-)

> nor in case of merge which possibly 
> overlapping or conflicting directive has precedence (one would presume the webapp, but 
> then presumptions are sometimes misleading).

I didn't find that explicitly stated in the docs either.

-- 
Regards
  mks



Re: Configure read/write-access in TomCat

Posted by André Warnier <aw...@ice-sa.com>.
Pid wrote:
> On 18/08/2010 14:56, Caldarale, Charles R wrote:
>>> From: André Warnier [mailto:aw@ice-sa.com]
>>> Subject: Re: Configure read/write-access in TomCat
>>>
>>> The conf/web.xml is the web.xml for the "default servlet".
>> It's a bit more than that, actually.  The contents of conf/web.xml are logically merged into a webapp's own WEB-INF/web.xml when the webapp is deployed.  Changing conf/web.xml effectively changes every deployed webapp, which is rarely desirable.
> 
> N.B.  It's well commented and worth reading.
> 

Would you gurus mind pointing out where exactly ?

I am looking at the online documentation of Tomcat 7, at 
http://tomcat.apache.org/tomcat-7.0-doc/index.html,
and not finding it.

I am also having trouble finding it in the Servlet Specifications v 3.0
(I mean specifically where it says that the "default" web.xml is being merged with the 
application-specific web.xml.)

If you refer to the content itself of the conf/web.xml file, here is all it has to say :

<!-- ======================== Introduction ============================== -->
   <!-- This document defines default values for *all* web applications      -->
   <!-- loaded into this instance of Tomcat.  As each application is         -->
   <!-- deployed, this file is processed, followed by the                    -->
   <!-- "/WEB-INF/web.xml" deployment descriptor from your own               -->
   <!-- applications.                                                        -->
   <!--                                                                      -->

For example, it does not clearly speak of merging, nor in case of merge which possibly 
overlapping or conflicting directive has precedence (one would presume the webapp, but 
then presumptions are sometimes misleading).


By the way, according to http://tomcat.apache.org/whichversion.html, Tomcat 7 follows the 
Servlet Spec 3.0.
But in most of the online documentation, it refers only to earlier versions of the specs, 
like here : http://tomcat.apache.org/tomcat-7.0-doc/index.html

And as long that I'm at it, following the link "Introduction" on this last page, one comes 
to a page (http://tomcat.apache.org/tomcat-7.0-doc/introduction.html), where the paragraph 
"Terminology" is all but enlightening..
(but has been that way since a few versions, so maybe it is I who fails to understand the 
subtlety of its formulation)



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Configure read/write-access in TomCat

Posted by Pid <pi...@pidster.com>.
On 18/08/2010 14:56, Caldarale, Charles R wrote:
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Subject: Re: Configure read/write-access in TomCat
>>
>> The conf/web.xml is the web.xml for the "default servlet".
> 
> It's a bit more than that, actually.  The contents of conf/web.xml are logically merged into a webapp's own WEB-INF/web.xml when the webapp is deployed.  Changing conf/web.xml effectively changes every deployed webapp, which is rarely desirable.

N.B.  It's well commented and worth reading.


p



RE: Configure read/write-access in TomCat

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com]
> Subject: Re: Configure read/write-access in TomCat
> 
> The conf/web.xml is the web.xml for the "default servlet".

It's a bit more than that, actually.  The contents of conf/web.xml are logically merged into a webapp's own WEB-INF/web.xml when the webapp is deployed.  Changing conf/web.xml effectively changes every deployed webapp, which is rarely desirable.

 - Chuck




Re: Configure read/write-access in TomCat

Posted by André Warnier <aw...@ice-sa.com>.
K A wrote:
> Ah, so the web.xml in /tomcat/conf has nothing to do with the issue - it's only the web.xml in the project itself?

The conf/web.xml is the web.xml for the "default servlet".
The webapps/your-webapp/WEB-INF/web.xml is the one that dictates what happens when users 
access /your-webapp/*.

When Tomcat processes a request, it will first look at the URL and determine to which 
"webapp" (or context) it should pass the request.

Say the URL is "/your-webapp/some-document.txt".

Tomcat will look at the file webapps/your-webapp/WEB-INF/web.xml, to see if there is any 
mapping there that assigns "/some-document.txt" to some servlet or JSP page inside 
your-webapp.  If it finds one, then it will invoke that servlet/JSP, and pass the request 
to it.

If Tomcat does not find any mapping inside that application's web.xml file that is 
applicable to "/some-document.txt", then it will look into the conf/web.xml file to find 
an appropriate mapping.  If it finds one (which it always does) then it will invoke its 
default servlet to handle this call.
The default servlet is essentially one that will look on the filesystem for a file named 
"(tomcat-dir)/webapps/your-webapp/some-document.txt", and return a copy "as is" to the 
browser.




RE: Configure read/write-access in TomCat

Posted by K A <k_...@hotmail.com>.
Ah, so the web.xml in /tomcat/conf has nothing to do with the issue - it's only the web.xml in the project itself?
I just read that tomcat does not allow write-access to directories. So I guess the main issue in my question is of no concern then, as the users don't have any rights to access the files in the actual directory unless the files are accessed through a servlet or jsp-page in this case? 

> Date: Wed, 18 Aug 2010 13:13:55 +0100
> From: pid@pidster.com
> To: users@tomcat.apache.org
> Subject: Re: Configure read/write-access in TomCat
> 
> On 18/08/2010 12:16, K A wrote:
> > 
> > In /tomcat/Webapps/Projectname/web-inf:
> 
> Capitals matter.  WEB-INF is the correct directory name.
> 
> > I have inserted this part:
> > ....
> > - <!--inserted from here  -->
> > - <security-constraint>
> > - <web-resource-collection>
> >   <web-resource-name>user open part</web-resource-name> 
> >   <url-pattern>/Server/user/*</url-pattern> 
> >   </web-resource-collection>
> > - <auth-constraint>
> >   <role-name>user</role-name> 
> >   <role-name>admin</role-name> 
> >   </auth-constraint>
> >   </security-constraint>
> > - <security-constraint>
> > - <web-resource-collection>
> >   <web-resource-name>admin closed part</web-resource-name> 
> >   <url-pattern>/Server/admin/*</url-pattern> 
> >   </web-resource-collection>
> > - <auth-constraint>
> >   <role-name>admin</role-name> 
> >   </auth-constraint>
> >   </security-constraint>
> > - <login-config>
> > 
> > 
> >   <auth-method>FORM</auth-method> 
> > 
> > - <form-login-config>
> >   <form-login-page>/Server/index.jsp</form-login-page> 
> >   <form-error-page>/Server/index.jsp</form-error-page> 
> 
> Paths are relative, I'd also recommend putting two separate files in a
> location that can't be directly requested. e.g.
> 
>   /WEB-INF/login/form.jsp
>   /WEB-INF/login/error.jsp
> 
> >   </form-login-config>
> >   </login-config>
> > 
> > - <security-role>
> >   <role-name>admin</role-name> 
> >   <role-name>user</role-name> 
> >   </security-role>
> > - <!--inserted to here  -->
> > 
> > - <servlet>
> > ...
> > 
> > 
> > In /tomcat/Conf/web.xml:
> 
> Don't do that.  Also, it should be 'conf'.
> 
> 
> p
> 
> > I have inserted this part:
> > .................
> > 
> > 
> > <!--inserted from here-->
> > 
> >       <security-constraint>
> > 
> >             <web-resource-collection>
> > 
> >                   <web-resource-name>user
> > open part</web-resource-name>
> > 
> >                   <url-pattern>/Server/user/*</url-pattern>
> > 
> >             </web-resource-collection>
> > 
> >             <auth-constraint>
> > 
> >                   <role-name>user</role-name>
> > 
> >                   <role-name>admin</role-name>
> > 
> >             </auth-constraint>
> > 
> >       </security-constraint>
> > 
> >       <security-constraint>
> > 
> >             <web-resource-collection>
> > 
> >                   <web-resource-name>admin
> > closed part</web-resource-name>
> > 
> >                   <url-pattern>/Server/admin/*</url-pattern>
> > 
> >             </web-resource-collection>
> > 
> >             <auth-constraint>
> > 
> >                   <role-name>admin</role-name>
> > 
> >             </auth-constraint>
> > 
> >       </security-constraint>
> > 
> >       <login-config>
> > 
> >             <auth-method>FORM</auth-method>
> > 
> >             <form-login-config>
> > 
> >                   <form-login-page>/Server/index.jsp</form-login-page>
> > 
> >                   <form-error-page>/Server/index.jsp</form-error-page>
> > 
> >             </form-login-config>
> > 
> >       </login-config>
> > 
> >       <security-role>
> > 
> >             <role-name>admin</role-name>
> > 
> >             <role-name>user</role-name>
> > 
> >       </security-role>
> > 
> > <!--inserted to here-->
> > 
> > 
> > 
> >     <servlet>
> > 
> >        
> > <servlet-name>default</servlet-name>
> > 
> >        
> > <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
> > 
> >         <init-param>
> > 
> > ......
> > 
> > 
> > 
> >> Date: Wed, 18 Aug 2010 12:00:39 +0100
> >> From: pid@pidster.com
> >> To: users@tomcat.apache.org
> >> Subject: Re: Configure read/write-access in TomCat
> >>
> >> On 18/08/2010 10:44, K A wrote:
> >>>
> >>> Hello
> >>>
> >>> I've developed a web-application in which I'd like to have some control of which resources are accessed by whom. My project is called "Server" in which I've got 3 directories: "/user" which all roles are allowed to access, "/admin" which ONLY administrators are allowed to access and "resources" in which I've got some files which users are allowed to read and administrators are allowed to both read and write.
> >>>
> >>> I'm using a FORM to login. The form action is "POST" and the action is "j_security_check", the username field's name is "j_username" and the password field's is "j_password".
> >>> I've implemented a security-check in the jsp-file itself where I'm checking for the type of login the current user has. If the type is approved then the user is allowed to access the page.
> >>>
> >>> But when I test the application and try to access the files in the other library then I've got access no matter what. This wasn't the intention. 
> >>>
> >>> I've tried to follow several tutorials online but no matter what I can't get it to work out the right way.
> >>>
> >>> I've tried to configure the web.xml manually but it doesn't work. I've tried to use the "manager" through the browser but that doesn't seem to deliver the possibility to set up those restrictions.
> >>
> >> What have you tried?
> >>
> >>
> >>> Can somebody please give me a detailed walkthrough on how to achieve this?
> >>>
> >>> I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1. Thank you very much in advance!
> >>
> >> Why do people think it's called 'TomCat'?  It's *Tomcat*.
> >>
> >>
> >> p
> >>
> >>
> >>> Best regards,
> >>> Kenneth Andersen
> >>> k_k_andersen@hotmail.com
> >>

Re: Configure read/write-access in TomCat

Posted by Pid <pi...@pidster.com>.
On 18/08/2010 12:16, K A wrote:
> 
> In /tomcat/Webapps/Projectname/web-inf:

Capitals matter.  WEB-INF is the correct directory name.

> I have inserted this part:
> ....
> - <!--inserted from here  -->
> - <security-constraint>
> - <web-resource-collection>
>   <web-resource-name>user open part</web-resource-name> 
>   <url-pattern>/Server/user/*</url-pattern> 
>   </web-resource-collection>
> - <auth-constraint>
>   <role-name>user</role-name> 
>   <role-name>admin</role-name> 
>   </auth-constraint>
>   </security-constraint>
> - <security-constraint>
> - <web-resource-collection>
>   <web-resource-name>admin closed part</web-resource-name> 
>   <url-pattern>/Server/admin/*</url-pattern> 
>   </web-resource-collection>
> - <auth-constraint>
>   <role-name>admin</role-name> 
>   </auth-constraint>
>   </security-constraint>
> - <login-config>
> 
> 
>   <auth-method>FORM</auth-method> 
> 
> - <form-login-config>
>   <form-login-page>/Server/index.jsp</form-login-page> 
>   <form-error-page>/Server/index.jsp</form-error-page> 

Paths are relative, I'd also recommend putting two separate files in a
location that can't be directly requested. e.g.

  /WEB-INF/login/form.jsp
  /WEB-INF/login/error.jsp

>   </form-login-config>
>   </login-config>
> 
> - <security-role>
>   <role-name>admin</role-name> 
>   <role-name>user</role-name> 
>   </security-role>
> - <!--inserted to here  -->
> 
> - <servlet>
> ...
> 
> 
> In /tomcat/Conf/web.xml:

Don't do that.  Also, it should be 'conf'.


p

> I have inserted this part:
> .................
> 
> 
> <!--inserted from here-->
> 
>       <security-constraint>
> 
>             <web-resource-collection>
> 
>                   <web-resource-name>user
> open part</web-resource-name>
> 
>                   <url-pattern>/Server/user/*</url-pattern>
> 
>             </web-resource-collection>
> 
>             <auth-constraint>
> 
>                   <role-name>user</role-name>
> 
>                   <role-name>admin</role-name>
> 
>             </auth-constraint>
> 
>       </security-constraint>
> 
>       <security-constraint>
> 
>             <web-resource-collection>
> 
>                   <web-resource-name>admin
> closed part</web-resource-name>
> 
>                   <url-pattern>/Server/admin/*</url-pattern>
> 
>             </web-resource-collection>
> 
>             <auth-constraint>
> 
>                   <role-name>admin</role-name>
> 
>             </auth-constraint>
> 
>       </security-constraint>
> 
>       <login-config>
> 
>             <auth-method>FORM</auth-method>
> 
>             <form-login-config>
> 
>                   <form-login-page>/Server/index.jsp</form-login-page>
> 
>                   <form-error-page>/Server/index.jsp</form-error-page>
> 
>             </form-login-config>
> 
>       </login-config>
> 
>       <security-role>
> 
>             <role-name>admin</role-name>
> 
>             <role-name>user</role-name>
> 
>       </security-role>
> 
> <!--inserted to here-->
> 
> 
> 
>     <servlet>
> 
>        
> <servlet-name>default</servlet-name>
> 
>        
> <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
> 
>         <init-param>
> 
> ......
> 
> 
> 
>> Date: Wed, 18 Aug 2010 12:00:39 +0100
>> From: pid@pidster.com
>> To: users@tomcat.apache.org
>> Subject: Re: Configure read/write-access in TomCat
>>
>> On 18/08/2010 10:44, K A wrote:
>>>
>>> Hello
>>>
>>> I've developed a web-application in which I'd like to have some control of which resources are accessed by whom. My project is called "Server" in which I've got 3 directories: "/user" which all roles are allowed to access, "/admin" which ONLY administrators are allowed to access and "resources" in which I've got some files which users are allowed to read and administrators are allowed to both read and write.
>>>
>>> I'm using a FORM to login. The form action is "POST" and the action is "j_security_check", the username field's name is "j_username" and the password field's is "j_password".
>>> I've implemented a security-check in the jsp-file itself where I'm checking for the type of login the current user has. If the type is approved then the user is allowed to access the page.
>>>
>>> But when I test the application and try to access the files in the other library then I've got access no matter what. This wasn't the intention. 
>>>
>>> I've tried to follow several tutorials online but no matter what I can't get it to work out the right way.
>>>
>>> I've tried to configure the web.xml manually but it doesn't work. I've tried to use the "manager" through the browser but that doesn't seem to deliver the possibility to set up those restrictions.
>>
>> What have you tried?
>>
>>
>>> Can somebody please give me a detailed walkthrough on how to achieve this?
>>>
>>> I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1. Thank you very much in advance!
>>
>> Why do people think it's called 'TomCat'?  It's *Tomcat*.
>>
>>
>> p
>>
>>
>>> Best regards,
>>> Kenneth Andersen
>>> k_k_andersen@hotmail.com
>>
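To make Pid's remark that "paths are relative" concrete, here is a small model of how a Servlet container applies these constraints to a request. It is an added illustration, not code from this thread or from Tomcat. It embeds a constructed web.xml in two variants: one with the poster's url-patterns, which start with the context path "/Server", and one that is context-relative as Pid recommends. It goes beyond the page's configuration by adding per-method constraints on /resources/* (GET for users, PUT and DELETE for admins), which the thread does not show, and it uses the same url-pattern matching rules (exact, longest prefix, extension, default) that André's reply describes for servlet mappings. The selection logic (best-matching pattern first, then the HTTP method, then the specification's rules for combining auth-constraints) is my reading of the Servlet specification and of Tomcat's behaviour, and the function and variable names are my own.

```python
# Added model of how a Servlet container applies <security-constraint>
# elements to a request.  Simplified; the lead-in states what it assumes.
import xml.etree.ElementTree as ET


def make_web_xml(prefix=""):
    """Constructed web.xml fragment.  prefix="" gives context-relative
    url-patterns (correct); prefix="/Server" reproduces the poster's mistake
    of prepending the context path to every pattern."""
    users = ("<auth-constraint><role-name>user</role-name>"
             "<role-name>admin</role-name></auth-constraint>")
    admin = "<auth-constraint><role-name>admin</role-name></auth-constraint>"
    return f"""<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user open part</web-resource-name>
      <url-pattern>{prefix}/user/*</url-pattern>
    </web-resource-collection>
    {users}
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin closed part</web-resource-name>
      <url-pattern>{prefix}/admin/*</url-pattern>
    </web-resource-collection>
    {admin}
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>resources read</web-resource-name>
      <url-pattern>{prefix}/resources/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    {users}
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>resources write</web-resource-name>
      <url-pattern>{prefix}/resources/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    {admin}
  </security-constraint>
</web-app>"""


def parse_constraints(xml_text):
    """Return [(patterns, methods, roles)].  roles is None when the constraint
    has no <auth-constraint> (open to all) and [] when it has an empty one
    (denied to all)."""
    result = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        patterns, methods = [], []
        for wrc in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in wrc.findall("url-pattern")]
            methods += [m.text.strip().upper() for m in wrc.findall("http-method")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        result.append((patterns, methods, roles))
    return result


def match_rank(pattern, path):
    """Servlet-spec url-pattern matching against a context-relative path.
    Returns a rank (exact > longest prefix > extension > default) or None."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*"):
        base = pattern[:-2]
        if path == base or path.startswith(base + "/"):
            return (2, len(base))
        return None
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None


def is_permitted(constraints, method, path, user_roles=()):
    """Decide whether a request may proceed.  Constraints on the best-matching
    url-pattern are selected first; among those, only the ones covering the
    HTTP method apply; their auth-constraints are then combined."""
    method = method.upper()
    matched = []
    for patterns, methods, roles in constraints:
        ranks = [r for r in (match_rank(p, path) for p in patterns) if r is not None]
        if ranks:
            matched.append((max(ranks), methods, roles))
    if not matched:
        return True                      # no constraint mentions this path at all
    best = max(rank for rank, _, _ in matched)
    applicable = [roles for rank, methods, roles in matched
                  if rank == best and (not methods or method in methods)]
    if not applicable:
        return True                      # pattern matched, but this method is uncovered
    if any(roles == [] for roles in applicable):
        return False                     # an empty <auth-constraint> denies everyone
    if any(roles is None for roles in applicable):
        return True                      # a constraint without <auth-constraint> opens it
    permitted_roles = {r for roles in applicable for r in roles}
    return bool(permitted_roles & set(user_roles))


if __name__ == "__main__":
    for prefix in ("/Server", ""):
        rules = parse_constraints(make_web_xml(prefix))
        print(f"prefix={prefix!r}: anonymous GET /admin/users.jsp ->",
              is_permitted(rules, "GET", "/admin/users.jsp"))
```

With the "/Server" prefix nothing ever matches a context-relative request path, so every request is let through to an anonymous user, which is exactly the symptom the original poster reported. With the corrected patterns the roles are enforced, and the per-method constraints give users read access and admins write access to /resources/*. The model also shows the well-known gap in per-method constraints: a method not listed in any http-method element (POST against /resources/* here) stays uncovered and open, so either omit http-method to cover all methods, or add a further constraint with an empty auth-constraint for the methods you do not want anyone to use.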


RE: Configure read/write-access in TomCat

Posted by K A <k_...@hotmail.com>.
In /tomcat/Webapps/Projectname/web-inf:

I have inserted this part:
....



</resource-ref>
<!--inserted from here  -->

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user open part</web-resource-name>
      <url-pattern>/Server/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin closed part</web-resource-name>
      <url-pattern>/Server/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/Server/index.jsp</form-login-page>
      <form-error-page>/Server/index.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
    <role-name>user</role-name>
  </security-role>
<!--inserted to here  -->

  <servlet>
...


In /tomcat/Conf/web.xml:



I have inserted this part:
.................


<!--inserted from here-->

      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>user open part</web-resource-name>
                  <url-pattern>/Server/user/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                  <role-name>user</role-name>
                  <role-name>admin</role-name>
            </auth-constraint>
      </security-constraint>

      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>admin closed part</web-resource-name>
                  <url-pattern>/Server/admin/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                  <role-name>admin</role-name>
            </auth-constraint>
      </security-constraint>

      <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                  <form-login-page>/Server/index.jsp</form-login-page>
                  <form-error-page>/Server/index.jsp</form-error-page>
            </form-login-config>
      </login-config>

      <security-role>
            <role-name>admin</role-name>
            <role-name>user</role-name>
      </security-role>

<!--inserted to here-->

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
......



> Date: Wed, 18 Aug 2010 12:00:39 +0100
> From: pid@pidster.com
> To: users@tomcat.apache.org
> Subject: Re: Configure read/write-access in TomCat
> 
> On 18/08/2010 10:44, K A wrote:
> > 
> > Hello
> > 
> > I've developed a web-application in which I'd like to have some control of which resources are accessed by whom. My project is called "Server" in which I've got 3 directories: "/user" which all roles are allowed to access, "/admin" which ONLY administrators are allowed to access and "resources" in which I've got some files which users are allowed to read and administrators are allowed to both read and write.
> > 
> > I'm using a FORM to login. The form action is "POST" and the action is "j_security_check", the username field's name is "j_username" and the password field's is "j_password".
> > I've implemented a security-check in the jsp-file itself where I'm checking for the type of login the current user has. If the type is approved then the user is allowed to access the page.
> > 
> > But when I test the application and try to access the files in the other library then I've got access no matter what. This wasn't the intention. 
> > 
> > I've tried to follow several tutorials online but no matter what I can't get it to work out the right way.
> > 
> > I've tried to configure the web.xml manually but it doesn't work. I've tried to use the "manager" through the browser but that doesn't seem to deliver the possibility to set up those restrictions.
> 
> What have you tried?
> 
> 
> > Can somebody please give me a detailed walkthrough on how to achieve this?
> > 
> > I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1. Thank you very much in advance!
> 
> Why do people think it's called 'TomCat'?  It's *Tomcat*.
> 
> 
> p
> 
> 
> > Best regards,
> > Kenneth Andersen
> > k_k_andersen@hotmail.com

Re: Configure read/write-access in TomCat

Posted by Pid <pi...@pidster.com>.
On 18/08/2010 10:44, K A wrote:
> 
> Hello
> 
> I've developed a web-application in which I'd like to have some control of which resources are accessed by whom. My project is called "Server" in which I've got 3 directories: "/user" which all roles are allowed to access, "/admin" which ONLY administrators are allowed to access and "resources" in which I've got some files which users are allowed to read and administrators are allowed to both read and write.
> 
> I'm using a FORM to login. The form action is "POST" and the action is "j_security_check", the username field's name is "j_username" and the password field's is "j_password".
> I've implemented a security-check in the jsp-file itself where I'm checking for the type of login the current user has. If the type is approved then the user is allowed to access the page.
> 
> But when I test the application and try to access the files in the other library then I've got access no matter what. This wasn't the intention. 
> 
> I've tried to follow several tutorials online but no matter what I can't get it to work out the right way.
> 
> I've tried to configure the web.xml manually but it doesn't work. I've tried to use the "manager" through the browser but that doesn't seem to deliver the possibility to set up those restrictions.

What have you tried?


> Can somebody please give me a detailed walkthrough on how to achieve this?
> 
> I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1. Thank you very much in advance!

Why do people think it's called 'TomCat'?  It's *Tomcat*.


p


> Best regards,
> Kenneth Andersen
> k_k_andersen@hotmail.com


Re: Configure read/write-access in TomCat

Posted by André Warnier <aw...@ice-sa.com>.
Mark Thomas wrote:
> On 20/08/2010 18:56, André Warnier wrote:
>> Mark Thomas wrote:
>>> On 18/08/2010 13:32, André Warnier wrote:
>>>> What do you mean by "write" ?  There is nothing in tomcat itself which
>>>> allows users to write anywhere on the server.
>>> I know I am coming late to this thread but to be pedantic that is not
>>> correct.
>>>
>> The above was written with the intention of not confusing the OP more
>> than necessary.
>> But I could have written : There is nothing enabled by default in Tomcat
>> itself..
> 
> +1.
> 
>>> Tomcat supports HTTP PUT (implemented in the default Servlet) but it is
>>> disabled by default for the obvious security reasons.
>> And enabling it would force the Tomcat team to decide on the exact
>> semantics of a PUT.
> 
> I'm fairly confident the Tomcat community is perfectly clear on what
> they are - helped considerably by a very clearly written HTTP spec.
> 
>> I remember some discussion about this a while ago, in relation to SOAP
>> or REST if my memory serves.
>> ;-)
> 
> I think you mean this one:
> http://tomcat.markmail.org/thread/d2tx3ptegydolzeq
> 
> The result of which was this enhancement request:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=48692
> 
> 
Exactly.
re ;-)



Re: Configure read/write-access in TomCat

Posted by Mark Thomas <ma...@apache.org>.
On 20/08/2010 18:56, André Warnier wrote:
> Mark Thomas wrote:
>> On 18/08/2010 13:32, André Warnier wrote:
>>> What do you mean by "write" ?  There is nothing in tomcat itself which
>>> allows users to write anywhere on the server.
>>
>> I know I am coming late to this thread but to be pedantic that is not
>> correct.
>>
> The above was written with the intention of not confusing the OP more
> than necessary.
> But I could have written : There is nothing enabled by default in Tomcat
> itself..

+1.

>> Tomcat supports HTTP PUT (implemented in the default Servlet) but it is
>> disabled by default for the obvious security reasons.
> 
> And enabling it would force the Tomcat team to decide on the exact
> semantics of a PUT.

I'm fairly confident the Tomcat community is perfectly clear on what
they are - helped considerably by a very clearly written HTTP spec.

> I remember some discussion about this a while ago, in relation to SOAP
> or REST if my memory serves.
> ;-)

I think you mean this one:
http://tomcat.markmail.org/thread/d2tx3ptegydolzeq

The result of which was this enhancement request:
https://issues.apache.org/bugzilla/show_bug.cgi?id=48692

Mark





Re: Configure read/write-access in TomCat

Posted by André Warnier <aw...@ice-sa.com>.
Mark Thomas wrote:
> On 18/08/2010 13:32, André Warnier wrote:
>> What do you mean by "write" ?  There is nothing in tomcat itself which
>> allows users to write anywhere on the server.
> 
> I know I am coming late to this thread but to be pedantic that is not
> correct.
> 
The above was written with the intention of not confusing the OP more than necessary.
But I could have written : There is nothing enabled by default in Tomcat itself..

> Tomcat supports HTTP PUT (implemented in the default Servlet) but it is
> disabled by default for the obvious security reasons.

And enabling it would force the Tomcat team to decide on the exact semantics of a PUT.
I remember some discussion about this a while ago, in relation to SOAP or REST if my 
memory serves.
;-)

> 
> Also, if you enable the WebDAV Servlet, you have even more options to
> add content to the server.
> 

That on the other hand was clearly mentioned.




Re: Configure read/write-access in TomCat

Posted by Mark Thomas <ma...@apache.org>.
On 18/08/2010 13:32, André Warnier wrote:
> What do you mean by "write" ?  There is nothing in tomcat itself which
> allows users to write anywhere on the server.

I know I am coming late to this thread but to be pedantic that is not
correct.

Tomcat supports HTTP PUT (implemented in the default Servlet) but it is
disabled by default for the obvious security reasons.

Also, if you enable the WebDAV Servlet, you have even more options to
add content to the server.

Mark






Re: Configure read/write-access in TomCat

Posted by André Warnier <aw...@ice-sa.com>.
K A wrote:
> Oh, really? I just guessed that if the user could see the absolute url to used/available files in the application (jsp- or pdf-files) then it was also possible that the user could compromise the files in that directory, overwrite them or even save new files. But you state that users can NOT save new files in a directory. Then they can NOT do any of the other stated actions, right? Or have I misunderstood?
> 
Unless users have access to these directories/files by another way than through Tomcat, 
there is no way for them, using Tomcat, to modify any of these directories/files, even if 
they can see them through their web browser and Tomcat.
Unless one of your Tomcat-based applications allows them to do that of course.

An example of how users could modify those files :
if the directories where those files are, are shared as network directories, and users 
have direct access to these directories through e.g. Windows Explorer, then of course 
there is nothing that Tomcat can do to protect them.

Maybe to clarify another aspect :
The Tomcat process itself runs under some user-id.  All web applications running under 
Tomcat "run as" this same user-id.  It does not matter which web user is accessing the 
Tomcat application; any file access by a Tomcat web application always happens under the 
user-id of Tomcat.
The web user's user-id is purely a matter for Tomcat, to allow/disallow access to some 
resource and return a copy of it to the user through HTTP, or return a "forbidden" 
response.  But when Tomcat reads the resource from disk, it always reads it as "tomcat" 
(that is, the user-id under which tomcat is started).





RE: Configure read/write-access in TomCat

Posted by K A <k_...@hotmail.com>.
Oh, really? I just guessed that if the user could see the absolute url to used/available files in the application (jsp- or pdf-files) then it was also possible that the user could compromise the files in that directory, overwrite them or even save new files. But you state that users can NOT save new files in a directory. Then they can NOT do any of the other stated actions, right? Or have I misunderstood?

Thanks!

> Date: Wed, 18 Aug 2010 13:32:00 +0200
> From: aw@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: Configure read/write-access in TomCat
> 
> K A wrote:
> > Hello
> > 
> > I've developed a web-application in which I'd like to have some control of which resources are accessed by whom. My project is called "Server" in which I've got 3 directories: "/user" which all roles are allowed to access, "/admin" which ONLY administrators are allowed to access and "resources" in which I've got some files which users are allowed to read and administrators are allowed to both read and write.
> 
> What do you mean by "write" ?  There is nothing in tomcat itself which allows users to 
> write anywhere on the server.
> If it is your application which allows some users to do that, then it belongs to your 
> application to check their permissions to do so.
> 
> > 
> > I'm using a FORM to login. The form action is "POST" and the action is "j_security_check", the username field's name is "j_username" and the password field's is "j_password".
> > I've implemented a security-check in the jsp-file itself where I'm checking for the type of login the current user has. If the type is approved then the user is allowed to access the page.
> > 
> 
> That is all very nice, but mostly irrelevant. The important thing here is that your 
> application would know who the user is, if it wants to control access to some functions in 
> function of the user.
> 
> > But when I test the application and try to access the files in the other library then I've got access no matter what. This wasn't the intention. 
> > 
> 
> ...
> > 
> > Can somebody please give me a detailed walkthrough on how to achieve this?
> > 
> I believe that for that, you'll have to be prepared to pay someone.
> 
> To say the above in another way : in tomcat itself, there is no mechanism for allowing a 
> user to upload anything and write it somewhere on the server.
> So you will not find anything in the tomcat documentation which explains how to do what 
> you want.
> 
> You will have to look for a separate web application which does that.
> And such an application would most probably contain some form of a permissions mechanism.
> 
> One such application is DAV, which used to be included in the tomcat sample applications.
> If you use the "Find Page" button in the FAQ, and enter "DAV", it shows some links which 
> might help you.
> 
> 

Re: Configure read/write-access in TomCat

Posted by André Warnier <aw...@ice-sa.com>.
K A wrote:
> Hello
> 
> I've developed a web-application in which I'd like to have some control of which resources are accessed by whom. My project is called "Server" in which I've got 3 directories: "/user" which all roles are allowed to access, "/admin" which ONLY administrators are allowed to access and "resources" in which I've got some files which users are allowed to read and administrators are allowed to both read and write.

What do you mean by "write" ?  There is nothing in tomcat itself which allows users to 
write anywhere on the server.
If it is your application which allows some users to do that, then it belongs to your 
application to check their permissions to do so.

> 
> I'm using a FORM to login. The form action is "POST" and the action is "j_security_check", the username field's name is "j_username" and the password field's is "j_password".
> I've implemented a security-check in the jsp-file itself where I'm checking for the type of login the current user has. If the type is approved then the user is allowed to access the page.
> 

That is all very nice, but mostly irrelevant. The important thing here is that your 
application would know who the user is, if it wants to control access to some functions in 
function of the user.

> But when I test the application and try to access the files in the other library then I've got access no matter what. This wasn't the intention. 
> 

...
> 
> Can somebody please give me a detailed walkthrough on how to achieve this?
> 
I believe that for that, you'll have to be prepared to pay someone.

To say the above in another way : in tomcat itself, there is no mechanism for allowing a 
user to upload anything and write it somewhere on the server.
So you will not find anything in the tomcat documentation which explains how to do what 
you want.

You will have to look for a separate web application which does that.
And such an application would most probably contain some form of a permissions mechanism.

One such application is DAV, which used to be included in the tomcat sample applications.
If you use the "Find Page" button in the FAQ, and enter "DAV", it shows some links which 
might help you.

