Posted to users@tomcat.apache.org by Kevin Andryc <ka...@miser.umass.edu> on 2002/07/11 22:19:00 UTC

Tomcat 4.0.4 Realm Question

I was wondering how I can protect certain servlet subdirectories. For
example, let's say that in WEB-INF/classes I have two subdirectories: app1
and app2. How do I use the security-constraint to protect (force the user to
log in) app1 but not have them log in to classes in app2? I have tried this in
my web.xml file, but the login page doesn't appear and I go directly to the
page:

<security-constraint>
      <display-name>Example Security Constraint</display-name>
      <web-resource-collection>
         <web-resource-name>Protected Area</web-resource-name>
         <url-pattern>/servlet/app1.*</url-pattern>
         <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
         <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>usr</role-name>
      </auth-constraint>
</security-constraint>

Is this possible? If so, how can this be achieved?

Kevin

Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
kandryc@miser.umass.edu





--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Tomcat 4.0.4 Realm Question

Posted by Eddie Bush <ek...@swbell.net>.
Which connector are you using?  Is this TC stand-alone or TC + Apache?

IF this is TC + Apache AND the "files you're protecting" happen to be 
static content, it's possible Apache is serving them and bypassing your 
security constraints.  If, for example, you're running TC + Apache + 
mod_jk (my setup), then I can personally guarantee you that this will be 
the exact behavior with static content :-)  LOL I spent several hours 
trying to set up a security constraint on a FULLY STATIC application 
(/tomcat-docs) before I stopped and realized that there was no way it 
COULD protect it!

If this fits your situation, you need to look at how Apache can deny 
access to the directory - or - change it to dynamic content (JSPs 
instead of HTMLs).

Regards,

Eddie

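Added example, not part of the original thread: a small Python check that applies the Servlet specification's url-pattern rules (exact, `/prefix/*`, `*.ext`, `/`) to the constraint from the question. Under those rules `/servlet/app1.*` is an exact-match pattern, and listing `<http-method>` elements limits the constraint to those methods; the `/app1/*` pattern and the request paths used with `matches` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the pattern from the question plus a hypothetical /app1/* prefix pattern.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/servlet/app1.*</url-pattern>
      <url-pattern>/app1/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>usr</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def classify(pattern):
    """Return the kind of url-pattern under the Servlet spec's mapping rules."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"
    if pattern.startswith("*."):
        return "extension"
    if pattern == "/":
        return "default"
    return "exact"  # anything else is compared literally, '*' included

def matches(pattern, path):
    kind = classify(pattern)
    if kind == "prefix":
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if kind == "extension":
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if kind == "default":
        return True
    return path == pattern

def lint(web_xml):
    findings = []
    for wrc in ET.fromstring(web_xml).iter("web-resource-collection"):
        for up in wrc.findall("url-pattern"):
            p = up.text.strip()
            if classify(p) == "exact" and "*" in p:
                findings.append((p, "'*' is literal; only this exact path is covered"))
        methods = [m.text.strip() for m in wrc.findall("http-method")]
        if methods:
            findings.append((",".join(methods), "only the listed HTTP methods are covered"))
    return findings
```
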