Posted to users@tomcat.apache.org by Kevin Andryc <ka...@miser.umass.edu> on 2002/07/11 22:19:00 UTC
Tomcat 4.0.4 Realm Question
I was wondering how I can protect certain servlet subdirectories. For
example, let's say that in WEB-INF/classes I have two subdirectories: app1
and app2. How do I use the security-constraint to protect (force the user to
login) app1 but not have them login to classes in app2? I have tried this in
my web.xml file, but the login page doesn't appear and I go directly to the
page:
<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/servlet/app1.*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>usr</role-name>
  </auth-constraint>
</security-constraint>
Is this possible? If so, how can this be achieved?
Kevin
Kevin Andryc
Web Systems Engineer
MISER
http://www.umass.edu/miser/
Phone: (413)-545-3460
kandryc@miser.umass.edu
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Tomcat 4.0.4 Realm Question
Posted by Eddie Bush <ek...@swbell.net>.
Which connector are you using? Is this TC stand-alone or TC + Apache?
IF this is TC + Apache AND the "files you're protecting" happen to be
static content, it's possible Apache is serving them and bypassing your
security constraints. If, for example, you're running TC + Apache +
mod_jk (my setup), then I can personally guarantee you that this will be
the exact behavior with static content :-) LOL I spent several hours
trying to set up a security constraint on a FULLY STATIC application
(/tomcat-docs) before I stopped and realized that there was no way it
COULD protect it!
If this fits your situation, you need to look at how Apache can deny
access to the directory - or - change it to dynamic content (JSPs
instead of HTMLs).
Regards,
Eddie
Kevin Andryc wrote:
>I was wondering how I can protect certain servlet subdirectories. For
>example, let's say that in WEB-INF/classes I have two subdirectories: app1
>and app2. How do I use the security-constraint to protect (force the user to
>login) app1 but not have them login to classes in app2? I have tried this in
>my web.xml file, but the login page doesn't appear and I go directly to the
>page:
>
><security-constraint>
> <display-name>Example Security Constraint</display-name>
> <web-resource-collection>
> <web-resource-name>Protected Area</web-resource-name>
> <url-pattern>/servlet/app1.*</url-pattern>
> <http-method>DELETE</http-method>
> <http-method>GET</http-method>
> <http-method>POST</http-method>
> <http-method>PUT</http-method>
> </web-resource-collection>
> <auth-constraint>
> <role-name>usr</role-name>
> </auth-constraint>
> </security-constraint>
>
>Is this possible? If so, how can this be achieved?
>
>Kevin
>
>Kevin Andryc
>Web Systems Engineer
>MISER
>http://www.umass.edu/miser/
>Phone: (413)-545-3460
>kandryc@miser.umass.edu
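Added example (not part of either post, and not Tomcat's own code): alongside the Apache check in the reply, it is worth confirming which request paths the posted url-pattern actually covers. This Python sketch applies the Servlet specification's url-pattern rules (path prefix ending in /*, extension starting with *., default /, anything else an exact match) to the constraint from the thread; the sample request paths and the class name Report are constructed.

```python
import xml.etree.ElementTree as ET

# The constraint as posted in the thread (display-name and methods omitted).
WEB_XML_FRAGMENT = """
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/servlet/app1.*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>usr</role-name></auth-constraint>
</security-constraint>
"""

# Constructed request paths, relative to the context root.
SAMPLE_PATHS = ["/servlet/app1.Report", "/servlet/app1.*", "/servlet/app2.Report"]

def pattern_kind(pattern):
    """Classify a url-pattern using the Servlet specification's mapping rules."""
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"
    if pattern.startswith("*."):
        return "extension"
    return "exact"  # no wildcard expansion: '*' is a literal character here

def matches(pattern, path):
    """Return True if the request path falls under the url-pattern."""
    kind = pattern_kind(pattern)
    if kind == "default":
        return True
    if kind == "prefix":
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if kind == "extension":
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern

def protected_paths(fragment, paths):
    """Map each path to whether any url-pattern in the fragment covers it."""
    patterns = [e.text.strip() for e in ET.fromstring(fragment).iter("url-pattern")]
    return {p: any(matches(pat, p) for pat in patterns) for p in paths}

if __name__ == "__main__":
    for path, covered in protected_paths(WEB_XML_FRAGMENT, SAMPLE_PATHS).items():
        print(f"{path:25} {'login required' if covered else 'NOT covered'}")
```

Under these rules the posted pattern is an exact match, so only the literal path /servlet/app1.* is covered and /servlet/app1.Report is not.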