Posted to users@tomcat.apache.org by Chris Bush <sh...@hotmail.com> on 2000/08/14 20:13:02 UTC
<security-constraint> issue
Hello, I am running Tomcat 3.1 on a RedHat Linux 6.1 system, as well as on a (gasp) Windows 2000 system. The problem I am having is not unique to either system. I was attempting to set up a security constraint in my web app, and using the Tomcat example as a reference - i.e. http://localhost:8080/examples/jsp/security/protected
This example's <security-constraint> and <login-config> sections are configured by default as part of the Tomcat installation, in the web.xml file for the examples context, as follows...
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/jsp/security/protected/*</url-pattern>
    <!-- If you list http methods, only those methods are protected -->
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>tomcat</role-name>
    <role-name>role1</role-name>
  </auth-constraint>
</security-constraint>

<!-- Default login configuration uses BASIC authentication -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example Basic Authentication Area</realm-name>
</login-config>

<!-- If you want to experiment with form-based logins, comment
     out the <login-config> element above and replace it with
     this one. Note that we are currently using a nonstandard
     authentication method, because the code to support form
     based login is incomplete and only lightly tested. -->
<!--
<login-config>
  <auth-method>EXPERIMENTAL_FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
    <form-login-page>/jsp/security/login/login.jsp</form-login-page>
    <form-error-page>/jsp/security/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>
-->
My problem is this - After authenticating to the BASIC authentication request, instead of delivering the index.jsp page in /examples/jsp/security/protected, it delivers me to the root directory of the examples context. This happens regardless of which platform I run the example on. I configured a security-constraint section in the web.xml file for a custom context I added to my server, as follows...
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/secure/*</url-pattern>
    <!-- If you list http methods, only those methods are protected -->
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
with the same exact login-config section as the above example, and had the same problem. Note that the only difference in the <security-constraint> section is the <url-pattern> specified. Is there something that should go in the <web-resource-collection> besides the <url-pattern> to prevent this "re-mapping" back to the application's root directory?
Thanks in advance for any insight provided...
Chris Bush
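
Added example, not part of the original post and not Tomcat's own code: a small checker that reads a descriptor like the one above and reports which requests its <security-constraint> covers, including the methods left outside the constraint when <http-method> elements are listed. It applies the servlet specification's URL-pattern rules rather than Tomcat 3.1's actual behaviour; the function names are hypothetical, and it assumes a DTD-era web.xml with no XML namespace in which every constraint carries an <auth-constraint> with at least one role.

```python
import xml.etree.ElementTree as ET

# Constructed input: the /secure/* constraint from the post, wrapped in <web-app>.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <url-pattern>/secure/*</url-pattern>
    <http-method>DELETE</http-method><http-method>GET</http-method>
    <http-method>POST</http-method><http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint></web-app>"""
PROBE = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")

def pattern_matches(pattern, path):
    """Servlet URL-pattern match: '/prefix/*', '*.ext', '/' (default) or exact."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == "/" or pattern == path

def load_constraints(xml_text):
    """One (patterns, methods, roles) tuple per <web-resource-collection>."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        roles = {r.text.strip() for r in sc.iter("role-name")}
        for wrc in sc.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.iter("url-pattern")]
            methods = {m.text.strip().upper() for m in wrc.iter("http-method")}
            out.append((patterns, methods, roles))
    return out

def required_roles(constraints, method, path):
    """Roles allowed for a request, or None when no constraint covers it."""
    needed = None
    for patterns, methods, roles in constraints:
        if methods and method.upper() not in methods:
            continue  # a method list limits the constraint to those methods
        if any(pattern_matches(p, path) for p in patterns):
            needed = roles if needed is None else needed | roles
    return needed

def method_gaps(constraints, probe=PROBE):
    """Per URL pattern, the probed methods that no constraint covers."""
    gaps = {}
    for p in (p for patterns, _, _ in constraints for p in patterns):
        sample = p.replace("*", "x")  # a concrete path the pattern matches
        gaps[p] = [m for m in probe if required_roles(constraints, m, sample) is None]
    return {p: g for p, g in gaps.items() if g}
```

Removing the <http-method> elements from the collection makes the constraint apply to every method, and method_gaps then returns an empty dict for that pattern.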
apache + Tomcat + mod_jk on Linux
Posted by Andrew Stubbs <an...@stusoft.com>.
I have the following config
1) Apache installed and working perfectly - I have included the tomcat
mod_jk conf into the httpd.conf
2) Tomcat installed and examples are working on port 8080 (started Tomcat
before apache)
3) mod_jk is in the libexec directory (obtained from the tomcat site not
built by me)
But when I try and access the examples from the apache side it gives an
internal server error.
Ideas, anyone?
Andrew
Re: <security-constraint> issue
Posted by Steve Millington <ru...@yahoo.com>.
I found this problem (or one like it) when I tried using security. I solved
it by moving to the Beta version of Tomcat. It looks like there was a
problem, but in the beta it is OK.
Steve
Re: <security-constraint> issue
Posted by Johan Peeters <jo...@alcatel.be>.
I think the problem is with release 3.1 - try moving up to 3.2.
Yo
--
Johan Peeters mailto:johan.peeters@alcatel.be
Software Architect - Net Commerce
Alcatel - Gen. De Wittelaan 11 A bus 1 - 2800 Mechelen - Belgium
Phone: +32 15 29 3427 Fax: +32 3 240 4800