subject:"Configure read\/write\-access in TomCat"


Hello

I've developed a web-application in which I'd like to have some control of 
which resources are accessed by whom. My project is called Server in which 
I've got 3 directories: /user which all roles are allowed to access, /admin 
which ONLY administrators are allowed to access and resources in which I've 
got some files which users are allowed to read and administrators are allowed 
to both read and write.

I'm using a FORM to login. The form action is POST and the action is 
j_security_check, the username field's name is j_username and the password 
field's is j_password.
I've implemented a security-check in the jsp-file itself where I'm checking for 
the type of login the current user has. If the type is aproved then the user is 
allowed to access the page.

But when I test the application and try to access the files in the other 
library then I've got access no matter what. This wasn't the intension. 

I've tried to follow several tutorials online but no matter what I can't get it 
to work ouf the right way.

I've tried to configure the web.xml manually but it doesn't work. I've tried to 
use the manager through the browser but that doesn't seem to deliver the 
possibility to setup those restriction.

Can somebody please give me a detailed walkthrough on how to achieve this?

I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1.Thankyou very much in 
advance!

Best regards,
Kenneth Andersen
k_k_ander...@hotmail.com

Re: Configure read/write-access in TomCat

On 18/08/2010 10:44, K A wrote:
 
 Hello
 
 I've developed a web-application in which I'd like to have some control of 
 which resources are accessed by whom. My project is called Server in which 
 I've got 3 directories: /user which all roles are allowed to access, 
 /admin which ONLY administrators are allowed to access and resources in 
 which I've got some files which users are allowed to read and administrators 
 are allowed to both read and write.
 
 I'm using a FORM to login. The form action is POST and the action is 
 j_security_check, the username field's name is j_username and the 
 password field's is j_password.
 I've implemented a security-check in the jsp-file itself where I'm checking 
 for the type of login the current user has. If the type is aproved then the 
 user is allowed to access the page.
 
 But when I test the application and try to access the files in the other 
 library then I've got access no matter what. This wasn't the intension. 
 
 I've tried to follow several tutorials online but no matter what I can't get 
 it to work ouf the right way.
 
 I've tried to configure the web.xml manually but it doesn't work. I've tried 
 to use the manager through the browser but that doesn't seem to deliver the 
 possibility to setup those restriction.

What have you tried?


 Can somebody please give me a detailed walkthrough on how to achieve this?
 
 I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1.Thankyou very much 
 in advance!

Why do people think it's called 'TomCat'?  It's *Tomcat*.


p


 Best regards,
 Kenneth Andersen
 k_k_ander...@hotmail.com
 



0x62590808.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature

RE: Configure read/write-access in TomCat


In /tomcat/Webapps/Projectname/web-inf:

I have inserted this part:




/resource-ref
- !--inserted from her  --

 

- security-constraint


- web-resource-collection


  web-resource-nameuser open part/web-resource-name 

  url-pattern/Server/user/*/url-pattern 

  /web-resource-collection

- auth-constraint


  role-nameuser/role-name 

  role-nameadmin/role-name 
  /auth-constraint
  /security-constraint

- security-constraint


- web-resource-collection


  web-resource-nameadmin closed part/web-resource-name 

  url-pattern/Server/admin/*/url-pattern 

  /web-resource-collection

- auth-constraint


  role-nameadmin/role-name 
  /auth-constraint
  /security-constraint

- login-config


  auth-methodFORM/auth-method 

- form-login-config


  form-login-page/Server/index.jsp/form-login-page 

  form-error-page/Server/index.jsp/form-error-page 
  /form-login-config
  /login-config

- security-role


  role-nameadmin/role-name 

  role-nameuser/role-name 
  /security-role
- !--inserted to here  --

 

- servlet
...


In /tomcat/Conf/web.xml:



I have inserted this part:
.


!--inserted from here--

  security-constraint

web-resource-collection

  web-resource-nameuser
open part/web-resource-name

  url-pattern/Server/user/*/url-pattern

/web-resource-collection

auth-constraint

  role-nameuser/role-name

  role-nameadmin/role-name

/auth-constraint

  /security-constraint

  security-constraint

web-resource-collection

  web-resource-nameadmin
closed part/web-resource-name

  url-pattern/Server/admin/*/url-pattern

/web-resource-collection

auth-constraint

  role-nameadmin/role-name

/auth-constraint

  /security-constraint

  login-config

auth-methodFORM/auth-method

form-login-config

  form-login-page/Server/index.jsp/form-login-page

  form-error-page/Server/index.jsp/form-error-page

/form-login-config

  /login-config

  security-role

role-nameadmin/role-name

role-nameuser/role-name

  /security-role

!--inserted to here--



servlet

   
servlet-namedefault/servlet-name

   
servlet-classorg.apache.catalina.servlets.DefaultServlet/servlet-class

init-param

..



 Date: Wed, 18 Aug 2010 12:00:39 +0100
 From: p...@pidster.com
 To: users@tomcat.apache.org
 Subject: Re: Configure read/write-access in TomCat
 
 On 18/08/2010 10:44, K A wrote:
  
  Hello
  
  I've developed a web-application in which I'd like to have some control of 
  which resources are accessed by whom. My project is called Server in 
  which I've got 3 directories: /user which all roles are allowed to 
  access, /admin which ONLY administrators are allowed to access and 
  resources in which I've got some files which users are allowed to read 
  and administrators are allowed to both read and write.
  
  I'm using a FORM to login. The form action is POST and the action is 
  j_security_check, the username field's name is j_username and the 
  password field's is j_password.
  I've implemented a security-check in the jsp-file itself where I'm checking 
  for the type of login the current user has. If the type is aproved then the 
  user is allowed to access the page.
  
  But when I test the application and try to access the files in the other 
  library then I've got access no matter what. This wasn't the intension. 
  
  I've tried to follow several tutorials online but no matter what I can't 
  get it to work ouf the right way.
  
  I've tried to configure the web.xml manually but it doesn't work. I've 
  tried to use the manager through the browser but that doesn't seem to 
  deliver the possibility to setup those restriction.
 
 What have you tried?
 
 
  Can somebody please give me a detailed walkthrough on how to achieve this?
  
  I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1.Thankyou very 
  much in advance!
 
 Why do people think it's called 'TomCat'?  It's *Tomcat*.
 
 
 p
 
 
  Best regards,
  Kenneth Andersen
  k_k_ander...@hotmail.com

Re: Configure read/write-access in TomCat

K A wrote:

Hello

I've developed a web-application in which I'd like to have some control of which resources are accessed by whom. My
project is called Server in which I've got 3 directories: /user which all roles are allowed to
access, /admin which ONLY administrators are allowed to access and resources in which I've got
some files which users are allowed to read and administrators are allowed to both read and write.

What do you mean by write ? There is nothing in tomcat itself which allows users to
write anywhere on the server.
If it is your application which allows some users to do that, then it belongs to your
application to check their permissions to do so.

I'm using a FORM to login. The form action is POST and the action is j_security_check, the
username field's name is j_username and the password field's is j_password.
I've implemented a security-check in the jsp-file itself where I'm checking for
the type of login the current user has. If the type is aproved then the user is
allowed to access the page.

That is all very nice, but mostly irrelevant. The important thing here is that your
application would know who the user is, if it wants to control access to some functions in
function of the user.

But when I test the application and try to access the files in the other library then I've got access no matter what. This wasn't the intension.

...

Can somebody please give me a detailed walkthrough on how to achieve this?

I believe that for that, you'll have to be prepared to pay someone.

To say the above in another way : in tomcat itself, there is no mechanism for allowing a
user to upload anything and write it somewhere on the server.
So you will not find anything in the tomcat documentation which explains how to do what
you want.

You will have to look for a separate web application which does that.
And such an application would most probably contain some form of a permissions
mechanism.

One such application is DAV, which used to be included in the tomcat sample
applications.
If you use the Find Page button in the FAQ, and enter DAV, it shows some links which
might help you.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Configure read/write-access in TomCat

On 18/08/2010 12:16, K A wrote:
 
 In /tomcat/Webapps/Projectname/web-inf:

Capitals matter.  WEB-INF is the correct directory name.

 I have inserted this part:
 
 - !--inserted from her  --
 - security-constraint
 - web-resource-collection
   web-resource-nameuser open part/web-resource-name 
   url-pattern/Server/user/*/url-pattern 
   /web-resource-collection
 - auth-constraint
   role-nameuser/role-name 
   role-nameadmin/role-name 
   /auth-constraint
   /security-constraint
 - security-constraint
 - web-resource-collection
   web-resource-nameadmin closed part/web-resource-name 
   url-pattern/Server/admin/*/url-pattern 
   /web-resource-collection
 - auth-constraint
   role-nameadmin/role-name 
   /auth-constraint
   /security-constraint
 - login-config
 
 
   auth-methodFORM/auth-method 
 
 - form-login-config
   form-login-page/Server/index.jsp/form-login-page 
   form-error-page/Server/index.jsp/form-error-page 

Paths are relative, I'd also recommend putting two separate files in an
location that can't be directly requested. e.g.

  /WEB-INF/login/form.jsp
  /WEB-INF/login/error.jsp

   /form-login-config
   /login-config
 
 - security-role
   role-nameadmin/role-name 
   role-nameuser/role-name 
   /security-role
 - !--inserted to here  --
 
 - servlet
 ...
 
 
 In /tomcat/Conf/web.xml:

Don't do that.  Also, it should be 'conf'.


p

 I have inserted this part:
 .
 
 
 !--inserted from here--
 
   security-constraint
 
 web-resource-collection
 
   web-resource-nameuser
 open part/web-resource-name
 
   url-pattern/Server/user/*/url-pattern
 
 /web-resource-collection
 
 auth-constraint
 
   role-nameuser/role-name
 
   role-nameadmin/role-name
 
 /auth-constraint
 
   /security-constraint
 
   security-constraint
 
 web-resource-collection
 
   web-resource-nameadmin
 closed part/web-resource-name
 
   url-pattern/Server/admin/*/url-pattern
 
 /web-resource-collection
 
 auth-constraint
 
   role-nameadmin/role-name
 
 /auth-constraint
 
   /security-constraint
 
   login-config
 
 auth-methodFORM/auth-method
 
 form-login-config
 
   form-login-page/Server/index.jsp/form-login-page
 
   form-error-page/Server/index.jsp/form-error-page
 
 /form-login-config
 
   /login-config
 
   security-role
 
 role-nameadmin/role-name
 
 role-nameuser/role-name
 
   /security-role
 
 !--inserted to here--
 
 
 
 servlet
 

 servlet-namedefault/servlet-name
 

 servlet-classorg.apache.catalina.servlets.DefaultServlet/servlet-class
 
 init-param
 
 ..
 
 
 
 Date: Wed, 18 Aug 2010 12:00:39 +0100
 From: p...@pidster.com
 To: users@tomcat.apache.org
 Subject: Re: Configure read/write-access in TomCat

 On 18/08/2010 10:44, K A wrote:

 Hello

 I've developed a web-application in which I'd like to have some control of 
 which resources are accessed by whom. My project is called Server in 
 which I've got 3 directories: /user which all roles are allowed to 
 access, /admin which ONLY administrators are allowed to access and 
 resources in which I've got some files which users are allowed to read 
 and administrators are allowed to both read and write.

 I'm using a FORM to login. The form action is POST and the action is 
 j_security_check, the username field's name is j_username and the 
 password field's is j_password.
 I've implemented a security-check in the jsp-file itself where I'm checking 
 for the type of login the current user has. If the type is aproved then the 
 user is allowed to access the page.

 But when I test the application and try to access the files in the other 
 library then I've got access no matter what. This wasn't the intension. 

 I've tried to follow several tutorials online but no matter what I can't 
 get it to work ouf the right way.

 I've tried to configure the web.xml manually but it doesn't work. I've 
 tried to use the manager through the browser but that doesn't seem to 
 deliver the possibility to setup those restriction.

 What have you tried?


 Can somebody please give me a detailed walkthrough on how to achieve this?

 I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1.Thankyou very 
 much in advance!

 Why do people think it's called 'TomCat'?  It's *Tomcat*.


 p


 Best regards,
 Kenneth Andersen
 k_k_ander...@hotmail.com
   

 



0x62590808.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature

RE: Configure read/write-access in TomCat


Oh, really? I just guessed that if the user could see the absolute url to 
used/available files in the application (jsp- or pdf-files) then it was also 
possible that the user could compromise the files in that directory, overwrite 
them or even save new files. But you state that users can NOT save new files in 
a directory. Then they can NOT do any of the other stated actions, right? Or 
have I misunderstood?

Thanks!

 Date: Wed, 18 Aug 2010 13:32:00 +0200
 From: a...@ice-sa.com
 To: users@tomcat.apache.org
 Subject: Re: Configure read/write-access in TomCat
 
 K A wrote:
  Hello
  
  I've developed a web-application in which I'd like to have some control of 
  which resources are accessed by whom. My project is called Server in 
  which I've got 3 directories: /user which all roles are allowed to 
  access, /admin which ONLY administrators are allowed to access and 
  resources in which I've got some files which users are allowed to read 
  and administrators are allowed to both read and write.
 
 What do you mean by write ?  There is nothing in tomcat itself which allows 
 users to 
 write anywhere on the server.
 If it is your application which allows some users to do that, then it belongs 
 to your 
 application to check their permissions to do so.
 
  
  I'm using a FORM to login. The form action is POST and the action is 
  j_security_check, the username field's name is j_username and the 
  password field's is j_password.
  I've implemented a security-check in the jsp-file itself where I'm checking 
  for the type of login the current user has. If the type is aproved then the 
  user is allowed to access the page.
  
 
 That is all very nice, but mostly irrelevant. The important thing here is 
 that your 
 application would know who the user is, if it wants to control access to some 
 functions in 
 function of the user.
 
  But when I test the application and try to access the files in the other 
  library then I've got access no matter what. This wasn't the intension. 
  
 
 ...
  
  Can somebody please give me a detailed walkthrough on how to achieve this?
  
 I believe that for that, you'll have to be prepared to pay someone.
 
 To say the above in another way : in tomcat itself, there is no mechanism for 
 allowing a 
 user to upload anything and write it somewhere on the server.
 So you will not find anything in the tomcat documentation which explains how 
 to do what 
 you want.
 
 You will have to look for a separate web application which does that.
 And such an application would most probably contain some form of a 
 permissions mechanism.
 
 One such application is DAV, which used to be included in the tomcat sample 
 applications.
 If you use the Find Page button in the FAQ, and enter DAV, it shows some 
 links which 
 might help you.
 
 
 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Configure read/write-access in TomCat

Ah, so the web.xaml in /tomcat/conf has nothing to do with the issue - it's 
only the web.xml in the project itself?
I just read that tomcat do not allow write-access to directories. So I guess my 
main issue in my question is of no concern then as the users don't have any 
rights to access the files in the actual directory unless the files are access 
through a servlet of jsp-page in this case? 

 Date: Wed, 18 Aug 2010 13:13:55 +0100
 From: p...@pidster.com
 To: users@tomcat.apache.org
 Subject: Re: Configure read/write-access in TomCat

 On 18/08/2010 12:16, K A wrote:

  In /tomcat/Webapps/Projectname/web-inf:

 Capitals matter.  WEB-INF is the correct directory name.

  I have inserted this part:

  - !--inserted from her  --
  - security-constraint
  - web-resource-collection
web-resource-nameuser open part/web-resource-name 
url-pattern/Server/user/*/url-pattern 
/web-resource-collection
  - auth-constraint
role-nameuser/role-name 
role-nameadmin/role-name 
/auth-constraint
/security-constraint
  - security-constraint
  - web-resource-collection
web-resource-nameadmin closed part/web-resource-name 
url-pattern/Server/admin/*/url-pattern 
/web-resource-collection
  - auth-constraint
role-nameadmin/role-name 
/auth-constraint
/security-constraint
  - login-config

auth-methodFORM/auth-method 

  - form-login-config
form-login-page/Server/index.jsp/form-login-page 
form-error-page/Server/index.jsp/form-error-page 

 Paths are relative, I'd also recommend putting two separate files in an
 location that can't be directly requested. e.g.

   /WEB-INF/login/form.jsp
   /WEB-INF/login/error.jsp

/form-login-config
/login-config

  - security-role
role-nameadmin/role-name 
role-nameuser/role-name 
/security-role
  - !--inserted to here  --

  - servlet
  ...

  In /tomcat/Conf/web.xml:

 Don't do that.  Also, it should be 'conf'.

 p

  I have inserted this part:
  .

  !--inserted from here--

security-constraint

  web-resource-collection

web-resource-nameuser
  open part/web-resource-name

url-pattern/Server/user/*/url-pattern

  /web-resource-collection

  auth-constraint

role-nameuser/role-name

role-nameadmin/role-name

  /auth-constraint

/security-constraint

security-constraint

  web-resource-collection

web-resource-nameadmin
  closed part/web-resource-name

url-pattern/Server/admin/*/url-pattern

  /web-resource-collection

  auth-constraint

role-nameadmin/role-name

  /auth-constraint

/security-constraint

login-config

  auth-methodFORM/auth-method

  form-login-config

form-login-page/Server/index.jsp/form-login-page

form-error-page/Server/index.jsp/form-error-page

  /form-login-config

/login-config

security-role

  role-nameadmin/role-name

  role-nameuser/role-name

/security-role

  !--inserted to here--

  servlet

  servlet-namedefault/servlet-name

  servlet-classorg.apache.catalina.servlets.DefaultServlet/servlet-class

  init-param

  ..

  Date: Wed, 18 Aug 2010 12:00:39 +0100
  From: p...@pidster.com
  To: users@tomcat.apache.org
  Subject: Re: Configure read/write-access in TomCat

  On 18/08/2010 10:44, K A wrote:

  Hello

  I've developed a web-application in which I'd like to have some control 
  of which resources are accessed by whom. My project is called Server in 
  which I've got 3 directories: /user which all roles are allowed to 
  access, /admin which ONLY administrators are allowed to access and 
  resources in which I've got some files which users are allowed to read 
  and administrators are allowed to both read and write.

  I'm using a FORM to login. The form action is POST and the action is 
  j_security_check, the username field's name is j_username and the 
  password field's is j_password.
  I've implemented a security-check in the jsp-file itself where I'm 
  checking for the type of login the current user has. If the type is 
  aproved then the user is allowed to access the page.

  But when I test the application and try to access the files in the other 
  library then I've got access no matter what. This wasn't the intension. 

  I've tried to follow several tutorials online but no matter what I can't 
  get it to work ouf the right way.

  I've tried to configure the web.xml manually but it doesn't work. I've 
  tried to use the manager through the browser but that doesn't seem to 
  deliver

Re: Configure read/write-access in TomCat


K A wrote:

Oh, really? I just guessed that if the user could see the absolute url to 
used/available files in the application (jsp- or pdf-files) then it was also 
possible that the user could compromise the files in that directory, overwrite 
them or even save new files. But you state that users can NOT save new files in 
a directory. Then they can NOT do any of the other stated actions, right? Or 
have I misunderstood?

Unless users have access to these directories/files by another way than through Tomcat, 
there is no way for them, using Tomcat, to modify any of these directories/files, even if 
they can see them through their web browser and Tomcat.

Unless one of your Tomcat-based applications allows them to do that of course.

An example of how users could modify those files :
if the directories where those files are, are shared as network directories, and users 
have direct access to these directories through e.g. Windows Explorer, then of course 
there is nothing that Tomcat can do to protect them.


Maybe to clarify another aspect :
The Tomcat process itself runs under some user-id.  All web applications running under 
Tomcat run as this same user-id.  It does not matter which web user is accessing the 
Tomcat application; any file access by a Tomcat web application always happens under the 
user-id of Tomcat.
The web user's user-id is purely a matter for Tomcat, to allow/disallow access to some 
resource and return a copy of it to the user through HTTP, or return a forbidden 
response.  But when Tomcat reads the resource from disk, it always reads it as tomcat 
(that is, the user-id under which tomcat is started).




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Configure read/write-access in TomCat


K A wrote:

Ah, so the web.xaml in /tomcat/conf has nothing to do with the issue - it's 
only the web.xml in the project itself?


The conf/web.xml is the web.xml for the default servlet.
The webapps/your-webapp/WEB-INF/web.xml is the one that dictates what happens when users 
access /your-webapp/*.


When Tomcat processes a request, it will first look at the URL and determine to which 
webapp (or context) it should pass the request.


Say the URL is /your-webapp/some-document.txt.

Tomcat will look at the file webapps/your-webapp/WEB-INF/web.xml, to see if there is any 
mapping there that assigns /some-document.txt to some servlet or JSP page inside 
your-webapp.  If it finds one, then it will invoke that servlet/JSP, and pass the request 
to it.


If Tomcat does not find any mapping inside that application's web.xml file that is 
applicable to /some-document.txt, then it will look into the conf/web.xml file to find 
an appropriate mapping.  If it finds one (which it always does) then it will invoke its 
default servlet to handle this call.
The default servlet is essentially one that will look onto the filesystem for a file named 
(tomcat-dir)/webapps/your-webapp/some-document.txt, and return a copy as is to the 
browser.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Configure read/write-access in TomCat


K A wrote:

Ah, so the web.xaml in /tomcat/conf has nothing to do with the issue - it's 
only the web.xml in the project itself?


The conf/web.xml is the web.xml for the default servlet.
The webapps/your-webapp/WEB-INF/web.xml is the one that dictates what happens 
when users
access /your-webapp/*.

When Tomcat processes a request, it will first look at the URL and determine to 
which
webapp (or context) it should pass the request.

Say the URL is /your-webapp/some-document.txt.

Tomcat will look at the file webapps/your-webapp/WEB-INF/web.xml, to see if 
there is any
mapping there that assigns /some-document.txt to some servlet or JSP page 
inside
your-webapp.  If it finds one, then it will invoke that servlet/JSP, and pass 
the request
to it.

If Tomcat does not find any mapping inside that application's web.xml file that 
is
applicable to /some-document.txt, then it will look into the conf/web.xml 
file to find
an appropriate mapping.  If it finds one (which it always does) then it will 
invoke its
default servlet to handle this call.
The default servlet is essentially one that will look onto the filesystem for a 
file named
(tomcat-dir)/webapps/your-webapp/some-document.txt, and return a copy as is 
to the
browser.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Configure read/write-access in Tomcat

On 18/08/2010 14:06, K A wrote:
 
 Ah, so the web.xaml in /tomcat/conf has nothing to do with the issue - it's 
 only the web.xml in the project itself?

Authentication should be configured on an app-by-app basis, not in the
default web.xml, so yes, that's correct.

 I just read that tomcat do not allow write-access to directories. 

Why would it?  Special configuration/functionality is, as André
explained, required to enable such a function on most web servers,
Tomcat is no exception.

 So I guess my main issue in my question is of no concern then as the users 
 don't have any rights to access the files in the actual directory unless the 
 files are access through a servlet of jsp-page in this case? 

Depending on whether your understanding of 'Access' is the same one as
the rest of us are using.

Web servers publish files to everyone (unless you restrict access), but
don't allow those files to be edited (unless you enable it).

If you want your user  admin roles to restrict the read access, employ
the correct configuration as below.


p

 On 18/08/2010 12:16, K A wrote:

 In /tomcat/Webapps/Projectname/web-inf:

 Capitals matter.  WEB-INF is the correct directory name.

 I have inserted this part:
 
 - !--inserted from her  --
 - security-constraint
 - web-resource-collection
   web-resource-nameuser open part/web-resource-name 
   url-pattern/Server/user/*/url-pattern 
   /web-resource-collection
 - auth-constraint
   role-nameuser/role-name 
   role-nameadmin/role-name 
   /auth-constraint
   /security-constraint
 - security-constraint
 - web-resource-collection
   web-resource-nameadmin closed part/web-resource-name 
   url-pattern/Server/admin/*/url-pattern 
   /web-resource-collection
 - auth-constraint
   role-nameadmin/role-name 
   /auth-constraint
   /security-constraint
 - login-config


   auth-methodFORM/auth-method 

 - form-login-config
   form-login-page/Server/index.jsp/form-login-page 
   form-error-page/Server/index.jsp/form-error-page 

 Paths are relative, I'd also recommend putting two separate files in an
 location that can't be directly requested. e.g.

   /WEB-INF/login/form.jsp
   /WEB-INF/login/error.jsp

   /form-login-config
   /login-config

 - security-role
   role-nameadmin/role-name 
   role-nameuser/role-name 
   /security-role
 - !--inserted to here  --

 - servlet
 ...


 In /tomcat/Conf/web.xml:

 Don't do that.  Also, it should be 'conf'.


 p

 I have inserted this part:
 .


 !--inserted from here--

   security-constraint

 web-resource-collection

   web-resource-nameuser
 open part/web-resource-name

   url-pattern/Server/user/*/url-pattern

 /web-resource-collection

 auth-constraint

   role-nameuser/role-name

   role-nameadmin/role-name

 /auth-constraint

   /security-constraint

   security-constraint

 web-resource-collection

   web-resource-nameadmin
 closed part/web-resource-name

   url-pattern/Server/admin/*/url-pattern

 /web-resource-collection

 auth-constraint

   role-nameadmin/role-name

 /auth-constraint

   /security-constraint

   login-config

 auth-methodFORM/auth-method

 form-login-config

   form-login-page/Server/index.jsp/form-login-page

   form-error-page/Server/index.jsp/form-error-page

 /form-login-config

   /login-config

   security-role

 role-nameadmin/role-name

 role-nameuser/role-name

   /security-role

 !--inserted to here--



 servlet


 servlet-namedefault/servlet-name


 servlet-classorg.apache.catalina.servlets.DefaultServlet/servlet-class

 init-param

 ..



 Date: Wed, 18 Aug 2010 12:00:39 +0100
 From: p...@pidster.com
 To: users@tomcat.apache.org
 Subject: Re: Configure read/write-access in TomCat

 On 18/08/2010 10:44, K A wrote:

 Hello

 I've developed a web-application in which I'd like to have some control 
 of which resources are accessed by whom. My project is called Server in 
 which I've got 3 directories: /user which all roles are allowed to 
 access, /admin which ONLY administrators are allowed to access and 
 resources in which I've got some files which users are allowed to read 
 and administrators are allowed to both read and write.

 I'm using a FORM to login. The form action is POST and the action is 
 j_security_check, the username field's name is j_username and the 
 password field's is j_password.
 I've implemented a security-check in the jsp-file itself where I'm 
 checking for the type of login the current user has. If the type is 
 aproved then the user is allowed to access the page.

 But when I test the application and try to access the files in the other 
 library then I've got access no matter what

RE: Configure read/write-access in TomCat

2010-08-18 Thread Caldarale, Charles R

 From: André Warnier [mailto:a...@ice-sa.com]
 Subject: Re: Configure read/write-access in TomCat

 The conf/web.xml is the web.xml for the default servlet.

It's a bit more than that, actually.  The contents of conf/web.xml are 
logically merged into a webapp's own WEB-INF/web.xml when the webapp is 
deployed.  Changing conf/web.xml effectively changes every deployed webapp, 
which is rarely desirable.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Configure read/write-access in TomCat

On 18/08/2010 14:56, Caldarale, Charles R wrote:
 From: André Warnier [mailto:a...@ice-sa.com]
 Subject: Re: Configure read/write-access in TomCat

 The conf/web.xml is the web.xml for the default servlet.

 It's a bit more than that, actually.  The contents of conf/web.xml are 
 logically merged into a webapp's own WEB-INF/web.xml when the webapp is 
 deployed.  Changing conf/web.xml effectively changes every deployed webapp, 
 which is rarely desirable.

N.B.  It's well commented and worth reading.

p

 THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
 MATERIAL and is thus for use only by the intended recipient. If you received 
 this in error, please contact the sender and delete the e-mail and its 
 attachments from all computers.

 -
 To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: users-h...@tomcat.apache.org

0x62590808.asc
Description: application/pgp-keys

signature.asc
Description: OpenPGP digital signature

Re: Configure read/write-access in TomCat

Pid wrote:

On 18/08/2010 14:56, Caldarale, Charles R wrote:

From: André Warnier [mailto:a...@ice-sa.com]
Subject: Re: Configure read/write-access in TomCat

The conf/web.xml is the web.xml for the default servlet.

It's a bit more than that, actually.  The contents of conf/web.xml are 
logically merged into a webapp's own WEB-INF/web.xml when the webapp is 
deployed.  Changing conf/web.xml effectively changes every deployed webapp, 
which is rarely desirable.

N.B.  It's well commented and worth reading.

Would you gurus mind pointing out where exactly ?

I am looking at the online documentation of Tomcat 7, at 
http://tomcat.apache.org/tomcat-7.0-doc/index.html,

and not finding it.

I am also having trouble finding it in the Servlet Specifications v 3.0
(I mean specifically where it says that the default web.xml is being merged with the 
application-specific web.xml.)

If you refer to the content itself of the conf/web.xml file, here is all it has 
to say :

!--  Introduction == --
  !-- This document defines default values for *all* web applications  --
  !-- loaded into this instance of Tomcat.  As each application is --
  !-- deployed, this file is processed, followed by the--
  !-- /WEB-INF/web.xml deployment descriptor from your own   --
  !-- applications.--
  !--  --

For example, it does not clearly speak of merging, nor in case of merge which possibly 
overlapping or conflicting directive has precedence (one wopuld presume the webapp, but 
then presumptions are sometimes misleading).

By the way, according to http://tomcat.apache.org/whichversion.html, Tomcat 7 follows the 
Servlet Spec 3.0.
But in most of the online documentation, it refers only to earlier versions of the specs, 
like here : http://tomcat.apache.org/tomcat-7.0-doc/index.html

And as long that I'm at it, following the link Introduction on this last page, one comes 
to a page (http://tomcat.apache.org/tomcat-7.0-doc/introduction.html), where the paragraph 
Terminology is all but enlightening..
(but has been that way since a few versions, so maybe it is I who fails to understand the 
subtlety of it's formulation)

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Configure read/write-access in TomCat

2010-08-18 Thread Markus Schönhaber

18.08.2010 16:55, André Warnier:

 Pid wrote:
 On 18/08/2010 14:56, Caldarale, Charles R wrote:
 From: André Warnier [mailto:a...@ice-sa.com]
 Subject: Re: Configure read/write-access in TomCat

 The conf/web.xml is the web.xml for the default servlet.
 It's a bit more than that, actually.  The contents of conf/web.xml are 
 logically merged into a webapp's own WEB-INF/web.xml when the webapp is 
 deployed.  Changing conf/web.xml effectively changes every deployed webapp, 
 which is rarely desirable.

 N.B.  It's well commented and worth reading.

 Would you gurus mind pointing out where exactly ?

 I am looking at the online documentation of Tomcat 7, at 
 http://tomcat.apache.org/tomcat-7.0-doc/index.html,
 and not finding it.

From
http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Introduction

| Context elements may be explicitly defined:
|
| * In the $CATALINA_BASE/conf/context.xml file: the Context element
information will be loaded by all webapps.
| [...]

 I am also having trouble finding it in the Servlet Specifications v 3.0

AFAIK that's Tomcat-specific and has nothing to do with the spec.

 (I mean specifically where it says that the default web.xml is being merged 
 with the 
 application-specific web.xml.)

 If you refer to the content itself of the conf/web.xml file, here is all it 
 has to say :

 !--  Introduction == --
!-- This document defines default values for *all* web applications  
 --
!-- loaded into this instance of Tomcat.  As each application is 
 --
!-- deployed, this file is processed, followed by the
 --
!-- /WEB-INF/web.xml deployment descriptor from your own   
 --
!-- applications.
 --
!--  
 --

 For example, it does not clearly speak of merging,

Well, Chuck simply used the term merge to explain how things are.
Of course, since it's Chuck, it could be seen as a specification ;-)

 nor in case of merge which possibly 
 overlapping or conflicting directive has precedence (one wopuld presume the 
 webapp, but 
 then presumptions are sometimes misleading).

I didn't find that explicitly stated in the docs either.

-- 
Regards
  mks

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Configure read/write-access in TomCat

2010-08-18 Thread Caldarale, Charles R

 From: André Warnier [mailto:a...@ice-sa.com]
 Subject: Re: Configure read/write-access in TomCat

 Would you gurus mind pointing out where exactly ?

Not sure what you want pointed out.

 I am looking at the online documentation of Tomcat 7, at
 http://tomcat.apache.org/tomcat-7.0-doc/index.html,
 and not finding it.

What is it?

 I am also having trouble finding it in the Servlet Specifications v 3.0
 (I mean specifically where it says that the default web.xml is being
 merged with the application-specific web.xml.)

That won't be in the spec - it's a characteristic of Tomcat.  Other containers 
operate differently.

 If you refer to the content itself of the conf/web.xml file

That's what Pid was talking about.

 here is all it has to say :

 This document defines default values for *all* web applications
 loaded into this instance of Tomcat.  As each application is
 deployed, this file is processed, followed by the
 /WEB-INF/web.xml deployment descriptor from your own
 applications.

That's the key information.

 For example, it does not clearly speak of merging, nor in case
 of merge which possibly overlapping or conflicting directive has
 precedence (one wopuld presume the webapp, but then presumptions 
 are sometimes misleading).

Yes, the settings in the webapp's WEB-INF/web.xml override those in the global. 
 I can't find any explicit statement to that effect either, but that is how it 
works.

 By the way, according to http://tomcat.apache.org/whichversion.html,
 Tomcat 7 follows the Servlet Spec 3.0.  But in most of the online 
 documentation, it refers only to earlier versions of the specs,
 like here : http://tomcat.apache.org/tomcat-7.0-doc/index.html

Patches are always welcome.

 And as long that I'm at it, following the link Introduction
 on this last page, one comes to a page where the paragraph 
 Terminology is all but enlightening..

Do you know anyone who actually likes to write documentation?

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Configure read/write-access in TomCat

Comments at end.

Caldarale, Charles R wrote:

From: André Warnier [mailto:a...@ice-sa.com]
Subject: Re: Configure read/write-access in TomCat

Would you gurus mind pointing out where exactly ?

Not sure what you want pointed out.

I am looking at the online documentation of Tomcat 7, at
http://tomcat.apache.org/tomcat-7.0-doc/index.html,
and not finding it.

What is it?

I am also having trouble finding it in the Servlet Specifications v 3.0
(I mean specifically where it says that the default web.xml is being
merged with the application-specific web.xml.)

That won't be in the spec - it's a characteristic of Tomcat.  Other containers 
operate differently.

If you refer to the content itself of the conf/web.xml file

That's what Pid was talking about.

here is all it has to say :

This document defines default values for *all* web applications
loaded into this instance of Tomcat.  As each application is
deployed, this file is processed, followed by the
/WEB-INF/web.xml deployment descriptor from your own
applications.

That's the key information.

For example, it does not clearly speak of merging, nor in case
of merge which possibly overlapping or conflicting directive has
precedence (one wopuld presume the webapp, but then presumptions 
are sometimes misleading).

Yes, the settings in the webapp's WEB-INF/web.xml override those in the global. 
 I can't find any explicit statement to that effect either, but that is how it 
works.

Ok, can I then summarise this by now slightly but not quite off-topic series of messages 
by saying that, contrary to what some previous answers would imply, the process by which 
Tomcat, for each deplayed webapp, first reads and processes the conf/web.xml, then reads 
and processes the applications WEB-INF/web.xml, and then merges both according to some 
internal logic, is specific to Tomcat, and is NOT very well documented at present in the 
on-line documentation ?

...

 Do you know anyone who actually likes to write documentation?

Well actually I do.
But it this case, I have a number of impediments :
- I do not know enough of Tomcat and even Java to write something coherent and 
correct
- I find the process of contributing Tomcat documentation changes rather overwhelming, 
technically speaking.

(Which I guess explains also why not many other people feel like correcting the 
docs.)

But let's suppose that I would try to write a summary of this process.  Where would it fit 
 in the documentation ?
And whereabout would I find the original Tomcat code which does this, on the off-chance I 
might actually understand it enough to write something not totally wrong ?

Or, might the process better be described as :

As Tomcat deploys each web application, it first installs the default servlet and its 
associated web.xml descriptor CATALINA_BASE/conf/web.xml for this web application, then it 
overrides this setup by any servlets and descriptor (application/WEB-INF/web.xml) provided 
by the application itself (if any).  In case of overlapping or conflicting settings, the 
web application specific settings have precedence.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Configure read/write-access in TomCat

2010-08-18 Thread Leo Donahue - PLANDEVX

-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Subject: Re: Configure read/write-access in TomCat

Comments at end.

Caldarale, Charles R wrote:

 Do you know anyone who actually likes to write documentation?

 André Warnier wrote:

Well actually I do.
But it this case, I have a number of impediments :
- I do not know enough of Tomcat and even Java to write something coherent 
and correct
- I find the process of contributing Tomcat documentation changes rather 
overwhelming, technically speaking.
(Which I guess explains also why not many other people feel like correcting 
the docs.)

But let's suppose that I would try to write a summary of this process.
Where would it fit in the documentation ?
And whereabout would I find the original Tomcat code which does this, on the 
off-chance I
might actually understand it enough to write something not totally wrong?

Or, might the process better be described as :

As Tomcat deploys each web application, it first installs the default
servlet and its
associated web.xml descriptor CATALINA_BASE/conf/web.xml for this web
application, then it
overrides this setup by any servlets and descriptor (application/WEB-
INF/web.xml) provided
by the application itself (if any).  In case of overlapping or
conflicting settings, the
web application specific settings have precedence.

http://tomcat.apache.org/tomcat-6.0-doc/architecture/startup/serverStartup.txt

Sequence 2.  c) c)3 - the last sentence.

Obviously, this is supposedly for Tomcat 6, but the doc reads Tomcat 5 
Startup Sequence.  

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: Configure read/write-access in TomCat

2010-08-18 Thread Caldarale, Charles R

 From: André Warnier [mailto:a...@ice-sa.com]
 Subject: Re: Configure read/write-access in TomCat

 the process by which Tomcat, for each deplayed webapp, first reads 
 and processes the conf/web.xml, then reads and processes the 
 applications WEB-INF/web.xml, and then merges both according to
 some internal logic, is specific to Tomcat, and is NOT very well
 documented at present in the on-line documentation ?

I don't think I'd say it's not well documented, but the documentation is not 
sufficiently detailed to cover all possibilities.

 Well actually I do.

I'm shocked :-)

 - I do not know enough of Tomcat and even Java to write 
 something coherent and correct

Java knowledge isn't required here.

 - I find the process of contributing Tomcat documentation 
 changes rather overwhelming, technically speaking.

I'd agree it's a bit obtuse for the first-timer.

 And whereabout would I find the original Tomcat code which does
 this, on the off-chance I might actually understand it enough to
 write something not totally wrong ?

I'd start here:

org/apache/catalina/startup/ContextConfig.java
org/apache/catalina/core/StandardContext.java

 Or, might the process better be described as :

 As Tomcat deploys each web application, it first installs 
 the default servlet and its associated web.xml descriptor 
 CATALINA_BASE/conf/web.xml for this web application, then
 it overrides this setup by any servlets and descriptor 
 (application/WEB-INF/web.xml) provided by the application
 itself (if any).  In case of overlapping or conflicting 
 settings, the web application specific settings have precedence.

The word installs is inappropriate, as is the focus on the default servlet.  
There are several servlets defined in conf/web.xml (the DefaultServlet being 
just one of them), along with quite a bit of other tidbits such as welcome 
files and MIME mappings.  Deployment does not involve installing servlets, 
but rather building name space maps to translate URLs into classes, along with 
processing all the other junk in web.xml and the Context element.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: Configure read/write-access in TomCat