Re: Configure read/write-access in TomCat
On 20/08/2010 18:56, André Warnier wrote:
> Mark Thomas wrote:
>> On 18/08/2010 13:32, André Warnier wrote:
>>> What do you mean by write ? There is nothing in tomcat itself which
>>> allows users to write anywhere on the server.
>> I know I am coming late to this thread but to be pedantic that is not
>> correct.
> The above was written with the intention of not confusing the OP more
> than necessary. But I could have written : There is nothing enabled by
> default in Tomcat itself..

+1.

>> Tomcat supports HTTP PUT (implemented in the default Servlet) but it is
>> disabled by default for the obvious security reasons.
> And enabling it would force the Tomcat team to decide on the exact
> semantics of a PUT.

I'm fairly confident the Tomcat community is perfectly clear on what they are - helped considerably by a very clearly written HTTP spec.

> I remember some discussion about this a while ago, in relation to SOAP
> or REST if my memory serves. ;-)

I think you mean this one:
http://tomcat.markmail.org/thread/d2tx3ptegydolzeq

The result of which was this enhancement request:
https://issues.apache.org/bugzilla/show_bug.cgi?id=48692

Mark

---
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Configure read/write-access in TomCat
Mark Thomas wrote:
> [...]
>> I remember some discussion about this a while ago, in relation to SOAP
>> or REST if my memory serves. ;-)
>
> I think you mean this one:
> http://tomcat.markmail.org/thread/d2tx3ptegydolzeq
>
> The result of which was this enhancement request:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=48692

Exactly.

re ;-)
Re: Configure read/write-access in TomCat
On 18/08/2010 13:32, André Warnier wrote:
> What do you mean by write ? There is nothing in tomcat itself which
> allows users to write anywhere on the server.

I know I am coming late to this thread but to be pedantic that is not correct.

Tomcat supports HTTP PUT (implemented in the default Servlet) but it is disabled by default for the obvious security reasons.

Also, if you enable the WebDAV Servlet, you have even more options to add content to the server.

Mark
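As an added illustration of what Mark's two remarks refer to (this is not from his message or from Tomcat's shipped files, although the servlet classes and parameter names are Tomcat's own): `readonly` is the DefaultServlet and WebdavServlet init-param that decides whether PUT, DELETE and the WebDAV write methods are accepted, and Tomcat treats it as true when it is absent. The first part shows the default servlet from conf/web.xml with that value written out; the second shows what enabling writes should look like when it is done deliberately, in one webapp (hypothetical name `files`) with the WebDAV servlet mapped to `/*` as Tomcat's WebdavServlet documentation does, together with the constraint that keeps the whole share behind authentication and TLS. Assumed: a role named `admin` in the configured Realm and an HTTPS connector in conf/server.xml.

```xml
<!-- Part 1: conf/web.xml (applies to every webapp). The DefaultServlet
     as Tomcat 6 declares it, with "readonly" written out. true is the
     value Tomcat uses when the parameter is absent: PUT and DELETE are
     answered with 403. Added example, not the shipped file. -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>true</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>default</servlet-name>
  <url-pattern>/</url-pattern>
</servlet-mapping>

<!-- Part 2: WEB-INF/web.xml of ONE webapp (hypothetical name "files")
     that is meant to accept uploads. The WebDAV servlet is mapped to /*
     (it must not be used as the "/" default servlet), and readonly=false
     turns on PUT, DELETE and the WebDAV write methods (MKCOL, COPY, MOVE,
     PROPPATCH, LOCK, UNLOCK). On its own this is the weak setting:
     anyone who can reach the URL can write. -->
<servlet>
  <servlet-name>webdav</servlet-name>
  <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
  <init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
  </init-param>
</servlet>
<servlet-mapping>
  <servlet-name>webdav</servlet-name>
  <url-pattern>/*</url-pattern>
</servlet-mapping>

<!-- The constraint that must accompany it. No http-method is listed, so
     the constraint covers every method, WebDAV's included; listing only
     the "write" verbs instead would leave any verb you forgot wide open.
     CONFIDENTIAL keeps the BASIC credentials off the wire in clear. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>webdav share</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>files</realm-name>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>
```

A quick check after deploying: an unauthenticated PUT against the `files` context must come back 401 (or a redirect to HTTPS first), and a PUT against any other context on the same Tomcat must still come back 403, since those contexts keep the global default servlet with `readonly` true.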
Re: Configure read/write-access in TomCat
Mark Thomas wrote:
> On 18/08/2010 13:32, André Warnier wrote:
>> What do you mean by write ? There is nothing in tomcat itself which
>> allows users to write anywhere on the server.
> I know I am coming late to this thread but to be pedantic that is not
> correct.

The above was written with the intention of not confusing the OP more than necessary. But I could have written : There is nothing enabled by default in Tomcat itself..

> Tomcat supports HTTP PUT (implemented in the default Servlet) but it is
> disabled by default for the obvious security reasons.

And enabling it would force the Tomcat team to decide on the exact semantics of a PUT.
I remember some discussion about this a while ago, in relation to SOAP or REST if my memory serves. ;-)

> Also, if you enable the WebDAV Servlet, you have even more options to
> add content to the server.

That on the other hand was clearly mentioned.
Re: Configure read/write-access in TomCat
My project-name is Server - but I guess that your answer still is correct. Thanks!

On 19-08-2010 05:06, Christopher Schultz wrote:
> Mr. Andersen,
>
> On 8/18/2010 7:16 AM, K A wrote:
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>user open part</web-resource-name>
>>     <url-pattern>/Server/user/*</url-pattern>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>user</role-name>
>>     <role-name>admin</role-name>
>>   </auth-constraint>
>> </security-constraint>
>
> Your URL pattern is wrong: the URL should be relative to the context,
> not to the server. Presumably, your webapp's name is Server, and the
> context path is /Server. That means that your URL pattern ought to be:
>
> <url-pattern>/user/*</url-pattern>
>
> I couldn't see if anyone actually answered your question, here, or just
> argued about how well-documented conf/web.xml was.
>
> Hope that helps.
>
> -chris
Configure read/write-access in TomCat
Hello

I've developed a web-application in which I'd like to have some control of which resources are accessed by whom. My project is called Server in which I've got 3 directories: /user which all roles are allowed to access, /admin which ONLY administrators are allowed to access and resources in which I've got some files which users are allowed to read and administrators are allowed to both read and write.

I'm using a FORM to login. The form action is POST and the action is j_security_check, the username field's name is j_username and the password field's is j_password. I've implemented a security-check in the jsp-file itself where I'm checking for the type of login the current user has. If the type is approved then the user is allowed to access the page.

But when I test the application and try to access the files in the other library then I've got access no matter what. This wasn't the intention.

I've tried to follow several tutorials online but no matter what I can't get it to work out the right way. I've tried to configure the web.xml manually but it doesn't work. I've tried to use the manager through the browser but that doesn't seem to deliver the possibility to set up those restrictions.

Can somebody please give me a detailed walkthrough on how to achieve this?

I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1.

Thank you very much in advance!

Best regards,
Kenneth Andersen
k_k_ander...@hotmail.com
Re: Configure read/write-access in TomCat
On 18/08/2010 10:44, K A wrote:
> Hello
> I've developed a web-application in which I'd like to have some control
> of which resources are accessed by whom.
> [...]
> I've tried to follow several tutorials online but no matter what I can't
> get it to work out the right way. I've tried to configure the web.xml
> manually but it doesn't work. I've tried to use the manager through the
> browser but that doesn't seem to deliver the possibility to set up those
> restrictions.

What have you tried?

> Can somebody please give me a detailed walkthrough on how to achieve
> this? I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1.

Why do people think it's called 'TomCat'? It's *Tomcat*.

p

> Best regards,
> Kenneth Andersen
> k_k_ander...@hotmail.com
RE: Configure read/write-access in TomCat
In /tomcat/Webapps/Projectname/web-inf I have inserted this part:

  </resource-ref>
  <!-- inserted from here -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user open part</web-resource-name>
      <url-pattern>/Server/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin closed part</web-resource-name>
      <url-pattern>/Server/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/Server/index.jsp</form-login-page>
      <form-error-page>/Server/index.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
    <role-name>user</role-name>
  </security-role>
  <!-- inserted to here -->
  <servlet>
  ...

In /tomcat/Conf/web.xml I have inserted this part:

  ...
  <!-- inserted from here -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user open part</web-resource-name>
      <url-pattern>/Server/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin closed part</web-resource-name>
      <url-pattern>/Server/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/Server/index.jsp</form-login-page>
      <form-error-page>/Server/index.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>admin</role-name>
    <role-name>user</role-name>
  </security-role>
  <!-- inserted to here -->
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
  ...

> Date: Wed, 18 Aug 2010 12:00:39 +0100
> From: p...@pidster.com
> To: users@tomcat.apache.org
> Subject: Re: Configure read/write-access in TomCat
>
> On 18/08/2010 10:44, K A wrote:
>> [...]
>> I've tried to configure the web.xml manually but it doesn't work. I've
>> tried to use the manager through the browser but that doesn't seem to
>> deliver the possibility to set up those restrictions.
>
> What have you tried?
>
>> Can somebody please give me a detailed walkthrough on how to achieve
>> this? I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1.
>
> Why do people think it's called 'TomCat'? It's *Tomcat*.
>
> p
Re: Configure read/write-access in TomCat
K A wrote:
> Hello
> I've developed a web-application in which I'd like to have some control
> of which resources are accessed by whom. My project is called Server in
> which I've got 3 directories: /user which all roles are allowed to
> access, /admin which ONLY administrators are allowed to access and
> resources in which I've got some files which users are allowed to read
> and administrators are allowed to both read and write.

What do you mean by write ? There is nothing in tomcat itself which allows users to write anywhere on the server.
If it is your application which allows some users to do that, then it belongs to your application to check their permissions to do so.

> I'm using a FORM to login. The form action is POST and the action is
> j_security_check, the username field's name is j_username and the
> password field's is j_password. I've implemented a security-check in the
> jsp-file itself where I'm checking for the type of login the current
> user has. If the type is approved then the user is allowed to access the
> page.

That is all very nice, but mostly irrelevant. The important thing here is that your application would know who the user is, if it wants to control access to some functions in function of the user.

> But when I test the application and try to access the files in the other
> library then I've got access no matter what. This wasn't the intention.
> ...
> Can somebody please give me a detailed walkthrough on how to achieve
> this?

I believe that for that, you'll have to be prepared to pay someone.

To say the above in another way : in tomcat itself, there is no mechanism for allowing a user to upload anything and write it somewhere on the server. So you will not find anything in the tomcat documentation which explains how to do what you want. You will have to look for a separate web application which does that. And such an application would most probably contain some form of a permissions mechanism.

One such application is DAV, which used to be included in the tomcat sample applications. If you use the "Find Page" button in the FAQ, and enter DAV, it shows some links which might help you.
Re: Configure read/write-access in TomCat
On 18/08/2010 12:16, K A wrote:
> In /tomcat/Webapps/Projectname/web-inf:

Capitals matter. WEB-INF is the correct directory name.

> I have inserted this part:
>
>   <!-- inserted from here -->
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>user open part</web-resource-name>
>       <url-pattern>/Server/user/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>user</role-name>
>       <role-name>admin</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>admin closed part</web-resource-name>
>       <url-pattern>/Server/admin/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>admin</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <form-login-config>
>       <form-login-page>/Server/index.jsp</form-login-page>
>       <form-error-page>/Server/index.jsp</form-error-page>

Paths are relative, I'd also recommend putting two separate files in a location that can't be directly requested.

e.g.
/WEB-INF/login/form.jsp
/WEB-INF/login/error.jsp

>     </form-login-config>
>   </login-config>
>   <security-role>
>     <role-name>admin</role-name>
>     <role-name>user</role-name>
>   </security-role>
>   <!-- inserted to here -->
>   <servlet>
>   ...
>
> In /tomcat/Conf/web.xml:

Don't do that. Also, it should be 'conf'.

p

> I have inserted this part:
> [...]
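The following is an added example, not the configuration posted in the thread and not a file from the Tomcat project. It is the WEB-INF/web.xml the replies converge on: Chris's correction that url-patterns are relative to the context (so `/user/*`, not `/Server/user/*`), pid's advice to keep the login and error pages under /WEB-INF, and, going one step beyond what the thread spells out, the original poster's "users read, administrators read and write" rule for the third directory expressed as per-method constraints. Assumptions: the directories are /user, /admin and /resources, the roles are `user` and `admin`, and a Realm that knows those roles (for example conf/tomcat-users.xml) is configured in conf/server.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml of the webapp deployed at context path /Server.
     Added example, not the configuration posted in the thread.
     Assumes the roles "user" and "admin" exist in the Realm configured
     in conf/server.xml (for example conf/tomcat-users.xml). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- /user/*: any authenticated user. Patterns are relative to the
       context, so /Server must NOT be part of them. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user area</web-resource-name>
      <url-pattern>/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- /admin/*: administrators only. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- /resources/*: users may read, administrators may read and write.
       The first constraint covers EVERY method and admits only "admin".
       The second covers GET and HEAD only and admits "user" as well.
       When several constraints match one request Tomcat grants access if
       any of them admits the caller's role, so GET is open to both roles
       while PUT, POST, DELETE and everything else reaches only "admin".
       Never use the second constraint on its own: in a Servlet 2.5
       descriptor a constraint that lists http-methods leaves all
       unlisted methods unprotected. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>resources, all methods</web-resource-name>
      <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>resources, read only</web-resource-name>
      <url-pattern>/resources/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM login. Both pages sit under /WEB-INF, so they cannot be
       requested directly; the container forwards to them. The form in
       form.jsp must POST to j_security_check with the fields
       j_username and j_password. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/WEB-INF/login/form.jsp</form-login-page>
      <form-error-page>/WEB-INF/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- One security-role element per role; the schema allows a single
       role-name inside each. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

To check it, request /Server/resources/x.txt with a `user` account (200), then issue a PUT to the same URL with that account (403 from the constraint). An `admin` account gets past the constraint, and what the PUT then does depends on the servlet mapped to /resources/*; in a stock Tomcat 6 that is the read-only default servlet, which answers 403 again. The two-constraint shape is the point: a single constraint listing GET and HEAD would leave every other verb on /resources/* unprotected, a well-known Servlet 2.5 pitfall. Servlet 3.1 containers add `<deny-uncovered-http-methods/>` for this; Tomcat 6 does not have it.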
RE: Configure read/write-access in TomCat
Oh, really? I just guessed that if the user could see the absolute url to used/available files in the application (jsp- or pdf-files) then it was also possible that the user could compromise the files in that directory, overwrite them or even save new files. But you state that users can NOT save new files in a directory. Then they can NOT do any of the other stated actions, right? Or have I misunderstood?

Thanks!

> Date: Wed, 18 Aug 2010 13:32:00 +0200
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: Configure read/write-access in TomCat
>
> K A wrote:
>> [...]
>> resources in which I've got some files which users are allowed to read
>> and administrators are allowed to both read and write.
>
> What do you mean by write ? There is nothing in tomcat itself which
> allows users to write anywhere on the server.
> If it is your application which allows some users to do that, then it
> belongs to your application to check their permissions to do so.
> [...]
> To say the above in another way : in tomcat itself, there is no
> mechanism for allowing a user to upload anything and write it somewhere
> on the server. So you will not find anything in the tomcat documentation
> which explains how to do what you want. You will have to look for a
> separate web application which does that. And such an application would
> most probably contain some form of a permissions mechanism.
>
> One such application is DAV, which used to be included in the tomcat
> sample applications. If you use the "Find Page" button in the FAQ, and
> enter DAV, it shows some links which might help you.
RE: Configure read/write-access in TomCat
Ah, so the web.xml in /tomcat/conf has nothing to do with the issue - it's only the web.xml in the project itself?

I just read that tomcat does not allow write-access to directories. So I guess my main issue in my question is of no concern then as the users don't have any rights to access the files in the actual directory unless the files are accessed through a servlet or jsp-page in this case?

> Date: Wed, 18 Aug 2010 13:13:55 +0100
> From: p...@pidster.com
> To: users@tomcat.apache.org
> Subject: Re: Configure read/write-access in TomCat
>
> On 18/08/2010 12:16, K A wrote:
>> In /tomcat/Webapps/Projectname/web-inf:
>
> Capitals matter. WEB-INF is the correct directory name.
>
>> I have inserted this part:
>> [...]
>>       <form-login-page>/Server/index.jsp</form-login-page>
>>       <form-error-page>/Server/index.jsp</form-error-page>
>
> Paths are relative, I'd also recommend putting two separate files in a
> location that can't be directly requested.
>
> e.g.
> /WEB-INF/login/form.jsp
> /WEB-INF/login/error.jsp
>
>> [...]
>> In /tomcat/Conf/web.xml:
>
> Don't do that. Also, it should be 'conf'.
>
> p
>
>> I have inserted this part:
>> [...]
Re: Configure read/write-access in TomCat
K A wrote:
> Oh, really? I just guessed that if the user could see the absolute url
> to used/available files in the application (jsp- or pdf-files) then it
> was also possible that the user could compromise the files in that
> directory, overwrite them or even save new files. But you state that
> users can NOT save new files in a directory. Then they can NOT do any of
> the other stated actions, right? Or have I misunderstood?

Unless users have access to these directories/files by another way than through Tomcat, there is no way for them, using Tomcat, to modify any of these directories/files, even if they can see them through their web browser and Tomcat.
Unless one of your Tomcat-based applications allows them to do that of course.

An example of how users could modify those files : if the directories where those files are, are shared as network directories, and users have direct access to these directories through e.g. Windows Explorer, then of course there is nothing that Tomcat can do to protect them.

Maybe to clarify another aspect :
The Tomcat process itself runs under some user-id. All web applications running under Tomcat run as this same user-id. It does not matter which web user is accessing the Tomcat application; any file access by a Tomcat web application always happens under the user-id of Tomcat.
The web user's user-id is purely a matter for Tomcat, to allow/disallow access to some resource and return a copy of it to the user through HTTP, or return a "forbidden" response. But when Tomcat reads the resource from disk, it always reads it as "tomcat" (that is, the user-id under which tomcat is started).
Re: Configure read/write-access in TomCat
K A wrote:
> Ah, so the web.xml in /tomcat/conf has nothing to do with the issue -
> it's only the web.xml in the project itself?

The conf/web.xml is the web.xml for the "default" servlet.
The webapps/your-webapp/WEB-INF/web.xml is the one that dictates what happens when users access /your-webapp/*.

When Tomcat processes a request, it will first look at the URL and determine to which webapp (or "context") it should pass the request.
Say the URL is /your-webapp/some-document.txt.
Tomcat will look at the file webapps/your-webapp/WEB-INF/web.xml, to see if there is any mapping there that assigns /some-document.txt to some servlet or JSP page inside your-webapp. If it finds one, then it will invoke that servlet/JSP, and pass the request to it.
If Tomcat does not find any mapping inside that application's web.xml file that is applicable to /some-document.txt, then it will look into the conf/web.xml file to find an appropriate mapping. If it finds one (which it always does) then it will invoke its "default" servlet to handle this call.
The default servlet is essentially one that will look onto the filesystem for a file named (tomcat-dir)/webapps/your-webapp/some-document.txt, and return a copy "as is" to the browser.
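To make the lookup André describes concrete, here is an added example (not from the thread) of a WEB-INF/web.xml fragment with two application-level mappings, followed by a comment showing which servlet ends up handling which URL. `org.example.ResourceServlet`, the servlet name `resources` and the paths are assumptions; everything the fragment does not match falls through to the `/` mapping of the default servlet declared in conf/web.xml, exactly as described above.

```xml
<!-- WEB-INF/web.xml fragment for the webapp at /Server. Added example;
     org.example.ResourceServlet is a hypothetical class that checks the
     caller's role before streaming a file. Nothing here replaces what
     conf/web.xml declares; it only adds mappings that are consulted
     first. -->
<servlet>
  <servlet-name>resources</servlet-name>
  <servlet-class>org.example.ResourceServlet</servlet-class>
</servlet>

<!-- Path-prefix mapping: every URL below /Server/resources/ -->
<servlet-mapping>
  <servlet-name>resources</servlet-name>
  <url-pattern>/resources/*</url-pattern>
</servlet-mapping>

<!-- Extension mapping: PDFs anywhere in the context -->
<servlet-mapping>
  <servlet-name>resources</servlet-name>
  <url-pattern>*.pdf</url-pattern>
</servlet-mapping>

<!-- How Tomcat resolves requests with this file in place (the order is
     the Servlet spec's: exact path, longest path prefix, extension,
     then the "/" default mapping inherited from conf/web.xml):

     /Server/resources/report.pdf  -> resources  (prefix beats extension)
     /Server/resources/notes.txt   -> resources  (prefix)
     /Server/brochure.pdf          -> resources  (extension)
     /Server/index.jsp             -> jsp        (*.jsp from conf/web.xml)
     /Server/some-document.txt     -> default    (served from disk as is)

     Because /resources/* is mapped, the default servlet never reads
     files under webapps/Server/resources/ on a browser's behalf; the
     application's servlet does, under whatever checks it implements. -->
```

The practical consequence for the original question: a security-constraint is the container's way to restrict who reaches a path, and a mapping like the one above is the application's way to decide what happens once they do. The two compose; neither replaces the other.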
Re: Configure read/write-access in Tomcat
On 18/08/2010 14:06, K A wrote:
> Ah, so the web.xml in /tomcat/conf has nothing to do with the issue -
> it's only the web.xml in the project itself?

Authentication should be configured on an app-by-app basis, not in the default web.xml, so yes, that's correct.

> I just read that tomcat does not allow write-access to directories.

Why would it? Special configuration/functionality is, as André explained, required to enable such a function on most web servers, Tomcat is no exception.

> So I guess my main issue in my question is of no concern then as the
> users don't have any rights to access the files in the actual directory
> unless the files are accessed through a servlet or jsp-page in this case?

Depending on whether your understanding of 'Access' is the same one as the rest of us are using.

Web servers publish files to everyone (unless you restrict access), but don't allow those files to be edited (unless you enable it).

If you want your user admin roles to restrict the read access, employ the correct configuration as below.

p

>> On 18/08/2010 12:16, K A wrote:
>>> In /tomcat/Webapps/Projectname/web-inf:
>>
>> Capitals matter. WEB-INF is the correct directory name.
>>
>>> I have inserted this part:
>>> [...]
>>>       <form-login-page>/Server/index.jsp</form-login-page>
>>>       <form-error-page>/Server/index.jsp</form-error-page>
>>
>> Paths are relative, I'd also recommend putting two separate files in a
>> location that can't be directly requested.
>>
>> e.g.
>> /WEB-INF/login/form.jsp
>> /WEB-INF/login/error.jsp
>>
>>> [...]
>>> In /tomcat/Conf/web.xml:
>>
>> Don't do that. Also, it should be 'conf'.
>>
>> p
>>
>>> I have inserted this part:
>>> [...]
RE: Configure read/write-access in TomCat
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: Configure read/write-access in TomCat
>
> The conf/web.xml is the web.xml for the default servlet.

It's a bit more than that, actually. The contents of conf/web.xml are logically merged into a webapp's own WEB-INF/web.xml when the webapp is deployed. Changing conf/web.xml effectively changes every deployed webapp, which is rarely desirable.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Configure read/write-access in TomCat
On 18/08/2010 14:56, Caldarale, Charles R wrote:
>> From: André Warnier [mailto:a...@ice-sa.com]
>> Subject: Re: Configure read/write-access in TomCat
>>
>> The conf/web.xml is the web.xml for the default servlet.
>
> It's a bit more than that, actually. The contents of conf/web.xml are logically merged into a webapp's own WEB-INF/web.xml when the webapp is deployed. Changing conf/web.xml effectively changes every deployed webapp, which is rarely desirable.

N.B. It's well commented and worth reading.

p
Re: Configure read/write-access in TomCat
Pid wrote:
> On 18/08/2010 14:56, Caldarale, Charles R wrote:
>>> From: André Warnier [mailto:a...@ice-sa.com]
>>> Subject: Re: Configure read/write-access in TomCat
>>>
>>> The conf/web.xml is the web.xml for the default servlet.
>>
>> It's a bit more than that, actually. The contents of conf/web.xml are logically merged into a webapp's own WEB-INF/web.xml when the webapp is deployed. Changing conf/web.xml effectively changes every deployed webapp, which is rarely desirable.
>
> N.B. It's well commented and worth reading.

Would you gurus mind pointing out where exactly ?
I am looking at the online documentation of Tomcat 7, at http://tomcat.apache.org/tomcat-7.0-doc/index.html, and not finding it.
I am also having trouble finding it in the Servlet Specifications v 3.0 (I mean specifically where it says that the default web.xml is being merged with the application-specific web.xml.)

If you refer to the content itself of the conf/web.xml file, here is all it has to say :

<!-- Introduction -->
<!-- ============ -->
<!-- This document defines default values for *all* web applications -->
<!-- loaded into this instance of Tomcat. As each application is -->
<!-- deployed, this file is processed, followed by the -->
<!-- /WEB-INF/web.xml deployment descriptor from your own -->
<!-- applications. -->
<!-- -->

For example, it does not clearly speak of merging, nor in case of merge which possibly overlapping or conflicting directive has precedence (one would presume the webapp, but then presumptions are sometimes misleading).

By the way, according to http://tomcat.apache.org/whichversion.html, Tomcat 7 follows the Servlet Spec 3.0. But in most of the online documentation, it refers only to earlier versions of the specs, like here : http://tomcat.apache.org/tomcat-7.0-doc/index.html

And as long as I'm at it, following the link Introduction on this last page, one comes to a page (http://tomcat.apache.org/tomcat-7.0-doc/introduction.html), where the paragraph Terminology is all but enlightening.. (but has been that way since a few versions, so maybe it is I who fails to understand the subtlety of its formulation)
Re: Configure read/write-access in TomCat
18.08.2010 16:55, André Warnier:
> Pid wrote:
>> On 18/08/2010 14:56, Caldarale, Charles R wrote:
>>>> From: André Warnier [mailto:a...@ice-sa.com]
>>>> Subject: Re: Configure read/write-access in TomCat
>>>>
>>>> The conf/web.xml is the web.xml for the default servlet.
>>>
>>> It's a bit more than that, actually. The contents of conf/web.xml are logically merged into a webapp's own WEB-INF/web.xml when the webapp is deployed. Changing conf/web.xml effectively changes every deployed webapp, which is rarely desirable.
>>
>> N.B. It's well commented and worth reading.
>
> Would you gurus mind pointing out where exactly ?
> I am looking at the online documentation of Tomcat 7, at http://tomcat.apache.org/tomcat-7.0-doc/index.html, and not finding it.

From http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Introduction

| Context elements may be explicitly defined:
|
| * In the $CATALINA_BASE/conf/context.xml file: the Context element information will be loaded by all webapps.
| [...]

> I am also having trouble finding it in the Servlet Specifications v 3.0

AFAIK that's Tomcat-specific and has nothing to do with the spec.

> (I mean specifically where it says that the default web.xml is being merged with the application-specific web.xml.)
>
> If you refer to the content itself of the conf/web.xml file, here is all it has to say :
>
> <!-- Introduction -->
> <!-- ============ -->
> <!-- This document defines default values for *all* web applications -->
> <!-- loaded into this instance of Tomcat. As each application is -->
> <!-- deployed, this file is processed, followed by the -->
> <!-- /WEB-INF/web.xml deployment descriptor from your own -->
> <!-- applications. -->
> <!-- -->
>
> For example, it does not clearly speak of merging,

Well, Chuck simply used the term merge to explain how things are. Of course, since it's Chuck, it could be seen as a specification ;-)

> nor in case of merge which possibly overlapping or conflicting directive has precedence (one would presume the webapp, but then presumptions are sometimes misleading).

I didn't find that explicitly stated in the docs either.

-- 
Regards
mks
RE: Configure read/write-access in TomCat
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: Configure read/write-access in TomCat
>
> Would you gurus mind pointing out where exactly ?

Not sure what you want pointed out.

> I am looking at the online documentation of Tomcat 7, at http://tomcat.apache.org/tomcat-7.0-doc/index.html, and not finding it.

What is it?

> I am also having trouble finding it in the Servlet Specifications v 3.0 (I mean specifically where it says that the default web.xml is being merged with the application-specific web.xml.)

That won't be in the spec - it's a characteristic of Tomcat. Other containers operate differently.

> If you refer to the content itself of the conf/web.xml file

That's what Pid was talking about.

> here is all it has to say :
>
> This document defines default values for *all* web applications loaded into this instance of Tomcat. As each application is deployed, this file is processed, followed by the /WEB-INF/web.xml deployment descriptor from your own applications.

That's the key information.

> For example, it does not clearly speak of merging, nor in case of merge which possibly overlapping or conflicting directive has precedence (one would presume the webapp, but then presumptions are sometimes misleading).

Yes, the settings in the webapp's WEB-INF/web.xml override those in the global. I can't find any explicit statement to that effect either, but that is how it works.

> By the way, according to http://tomcat.apache.org/whichversion.html, Tomcat 7 follows the Servlet Spec 3.0. But in most of the online documentation, it refers only to earlier versions of the specs, like here : http://tomcat.apache.org/tomcat-7.0-doc/index.html

Patches are always welcome.

> And as long as I'm at it, following the link Introduction on this last page, one comes to a page where the paragraph Terminology is all but enlightening..

Do you know anyone who actually likes to write documentation?

 - Chuck
Re: Configure read/write-access in TomCat
Comments at end.

Caldarale, Charles R wrote:
>> From: André Warnier [mailto:a...@ice-sa.com]
>> Subject: Re: Configure read/write-access in TomCat
>>
>> Would you gurus mind pointing out where exactly ?
>
> Not sure what you want pointed out.
>
>> I am looking at the online documentation of Tomcat 7, at http://tomcat.apache.org/tomcat-7.0-doc/index.html, and not finding it.
>
> What is it?
>
>> I am also having trouble finding it in the Servlet Specifications v 3.0 (I mean specifically where it says that the default web.xml is being merged with the application-specific web.xml.)
>
> That won't be in the spec - it's a characteristic of Tomcat. Other containers operate differently.
>
>> If you refer to the content itself of the conf/web.xml file
>
> That's what Pid was talking about.
>
>> here is all it has to say :
>>
>> This document defines default values for *all* web applications loaded into this instance of Tomcat. As each application is deployed, this file is processed, followed by the /WEB-INF/web.xml deployment descriptor from your own applications.
>
> That's the key information.
>
>> For example, it does not clearly speak of merging, nor in case of merge which possibly overlapping or conflicting directive has precedence (one would presume the webapp, but then presumptions are sometimes misleading).
>
> Yes, the settings in the webapp's WEB-INF/web.xml override those in the global. I can't find any explicit statement to that effect either, but that is how it works.

Ok, can I then summarise this by now slightly but not quite off-topic series of messages by saying that, contrary to what some previous answers would imply, the process by which Tomcat, for each deployed webapp, first reads and processes the conf/web.xml, then reads and processes the application's WEB-INF/web.xml, and then merges both according to some internal logic, is specific to Tomcat, and is NOT very well documented at present in the on-line documentation ?

...

> Do you know anyone who actually likes to write documentation?

Well actually I do.
But in this case, I have a number of impediments :
- I do not know enough of Tomcat and even Java to write something coherent and correct
- I find the process of contributing Tomcat documentation changes rather overwhelming, technically speaking. (Which I guess explains also why not many other people feel like correcting the docs.)

But let's suppose that I would try to write a summary of this process. Where would it fit in the documentation ? And whereabouts would I find the original Tomcat code which does this, on the off-chance I might actually understand it enough to write something not totally wrong ?

Or, might the process better be described as :

As Tomcat deploys each web application, it first installs the default servlet and its associated web.xml descriptor CATALINA_BASE/conf/web.xml for this web application, then it overrides this setup by any servlets and descriptor (application/WEB-INF/web.xml) provided by the application itself (if any). In case of overlapping or conflicting settings, the web application specific settings have precedence.
RE: Configure read/write-access in TomCat
> -----Original Message-----
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: Configure read/write-access in TomCat
>
> Comments at end.
>
> Caldarale, Charles R wrote:
>> Do you know anyone who actually likes to write documentation?
>
> André Warnier wrote:
> Well actually I do.
> But in this case, I have a number of impediments :
> - I do not know enough of Tomcat and even Java to write something coherent and correct
> - I find the process of contributing Tomcat documentation changes rather overwhelming, technically speaking. (Which I guess explains also why not many other people feel like correcting the docs.)
>
> But let's suppose that I would try to write a summary of this process. Where would it fit in the documentation ? And whereabouts would I find the original Tomcat code which does this, on the off-chance I might actually understand it enough to write something not totally wrong?
>
> Or, might the process better be described as :
>
> As Tomcat deploys each web application, it first installs the default servlet and its associated web.xml descriptor CATALINA_BASE/conf/web.xml for this web application, then it overrides this setup by any servlets and descriptor (application/WEB-INF/web.xml) provided by the application itself (if any). In case of overlapping or conflicting settings, the web application specific settings have precedence.

http://tomcat.apache.org/tomcat-6.0-doc/architecture/startup/serverStartup.txt

Sequence 2. c) c)3 - the last sentence.

Obviously, this is supposedly for Tomcat 6, but the doc reads Tomcat 5 Startup Sequence.
RE: Configure read/write-access in TomCat
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: Configure read/write-access in TomCat
>
> the process by which Tomcat, for each deployed webapp, first reads and processes the conf/web.xml, then reads and processes the application's WEB-INF/web.xml, and then merges both according to some internal logic, is specific to Tomcat, and is NOT very well documented at present in the on-line documentation ?

I don't think I'd say it's not well documented, but the documentation is not sufficiently detailed to cover all possibilities.

> Well actually I do.

I'm shocked :-)

> - I do not know enough of Tomcat and even Java to write something coherent and correct

Java knowledge isn't required here.

> - I find the process of contributing Tomcat documentation changes rather overwhelming, technically speaking.

I'd agree it's a bit obtuse for the first-timer.

> And whereabouts would I find the original Tomcat code which does this, on the off-chance I might actually understand it enough to write something not totally wrong ?

I'd start here:
org/apache/catalina/startup/ContextConfig.java
org/apache/catalina/core/StandardContext.java

> Or, might the process better be described as :
>
> As Tomcat deploys each web application, it first installs the default servlet and its associated web.xml descriptor CATALINA_BASE/conf/web.xml for this web application, then it overrides this setup by any servlets and descriptor (application/WEB-INF/web.xml) provided by the application itself (if any). In case of overlapping or conflicting settings, the web application specific settings have precedence.

The word installs is inappropriate, as is the focus on the default servlet. There are several servlets defined in conf/web.xml (the DefaultServlet being just one of them), along with quite a bit of other tidbits such as welcome files and MIME mappings.

Deployment does not involve installing servlets, but rather building name space maps to translate URLs into classes, along with processing all the other junk in web.xml and the Context element.

 - Chuck
Re: Configure read/write-access in TomCat
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:a...@ice-sa.com]
>> Subject: Re: Configure read/write-access in TomCat
>>
>> the process by which Tomcat, for each deployed webapp, first reads and processes the conf/web.xml, then reads and processes the application's WEB-INF/web.xml, and then merges both according to some internal logic, is specific to Tomcat, and is NOT very well documented at present in the on-line documentation ?
>
> I don't think I'd say it's not well documented, but the documentation is not sufficiently detailed to cover all possibilities.
>
>> Well actually I do.
>
> I'm shocked :-)
>
>> - I do not know enough of Tomcat and even Java to write something coherent and correct
>
> Java knowledge isn't required here.
>
>> - I find the process of contributing Tomcat documentation changes rather overwhelming, technically speaking.
>
> I'd agree it's a bit obtuse for the first-timer.
>
>> And whereabouts would I find the original Tomcat code which does this, on the off-chance I might actually understand it enough to write something not totally wrong ?
>
> I'd start here:
> org/apache/catalina/startup/ContextConfig.java
> org/apache/catalina/core/StandardContext.java
>
>> Or, might the process better be described as :
>>
>> As Tomcat deploys each web application, it first installs the default servlet and its associated web.xml descriptor CATALINA_BASE/conf/web.xml for this web application, then it overrides this setup by any servlets and descriptor (application/WEB-INF/web.xml) provided by the application itself (if any). In case of overlapping or conflicting settings, the web application specific settings have precedence.
>
> The word installs is inappropriate, as is the focus on the default servlet. There are several servlets defined in conf/web.xml (the DefaultServlet being just one of them), along with quite a bit of other tidbits such as welcome files and MIME mappings.
>
> Deployment does not involve installing servlets, but rather building name space maps to translate URLs into classes, along with processing all the other junk in web.xml and the Context element.

The previous paragraph is right on the spot, to explain why I feel that I am lacking some baggage here.
I was more thinking of an explanation for the common man, you know, sysadmin-like.
But yours has potential. Maybe we could collaborate on this ? Like, you write the real accurate technical explanation, and I translate into common international English ? ;-)
Re: Configure read/write-access in TomCat
Mr. Andersen,

On 8/18/2010 7:16 AM, K A wrote:
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>user open part</web-resource-name>
>     <url-pattern>/Server/user/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>user</role-name>
>     <role-name>admin</role-name>
>   </auth-constraint>
> </security-constraint>

Your URL pattern is wrong: the URL should be relative to the context, not to the server. Presumably, your webapp's name is Server, and the context path is /Server. That means that your URL pattern ought to be:

<url-pattern>/user/*</url-pattern>

I couldn't see if anyone actually answered your question, here, or just argued about how well-documented conf/web.xml was.

Hope that helps.

-chris
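An added example (not code from this thread or from Tomcat) that ties together Chris's point about context-relative url-patterns and Pid's advice to keep the FORM login pages under /WEB-INF/: a small Python checker for a web.xml like the one posted. The sample descriptor is constructed to mirror the original poster's (with the user security-role deliberately omitted so the undeclared-role check has something to report), and roles_required shows why /Server/user/* never matches a request inside the webapp.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the original poster's descriptor for a webapp at
# context path /Server; "user" is deliberately undeclared so the third check fires.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user open part</web-resource-name>
      <url-pattern>/Server/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin closed part</web-resource-name>
      <url-pattern>/Server/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/Server/index.jsp</form-login-page>
      <form-error-page>/Server/index.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

def _text(elem):
    return (elem.text or "").strip()

def url_pattern_matches(pattern, path):
    """Servlet-spec matching of a url-pattern against a context-relative
    request path: path-prefix (/dir/*), extension (*.jsp) or exact match."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def roles_required(web_xml, path):
    """Roles demanded for a context-relative path, or None when no constraint
    covers it (Tomcat then serves it to anyone). Overlap precedence is not modelled."""
    roles = None
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        if any(url_pattern_matches(_text(p), path) for p in sc.iter("url-pattern")):
            names = {_text(r) for r in sc.findall("auth-constraint/role-name")}
            roles = names if roles is None else roles | names
    return roles

def lint(web_xml, context_path):
    """Report the three mistakes raised in the thread, in document order."""
    root = ET.fromstring(web_xml)
    findings = []
    for p in root.iter("url-pattern"):  # patterns are context-relative
        if _text(p).startswith(context_path + "/"):
            findings.append("url-pattern %s embeds the context path; use %s"
                            % (_text(p), _text(p)[len(context_path):]))
    for tag in ("form-login-page", "form-error-page"):  # keep these unrequestable
        for p in root.iter(tag):
            if not _text(p).startswith("/WEB-INF/"):
                findings.append("%s %s is directly requestable; move it under /WEB-INF/" % (tag, _text(p)))
    declared = {_text(r) for r in root.findall("security-role/role-name")}
    used = {_text(r) for r in root.findall("security-constraint/auth-constraint/role-name")}
    for role in sorted(used - declared):
        findings.append("role %s is used in an auth-constraint but not declared in a security-role" % role)
    return findings

if __name__ == "__main__":
    print("\n".join(lint(WEB_XML, "/Server")))
    print(roles_required(WEB_XML, "/admin/report.jsp"))                          # None
    print(roles_required(WEB_XML.replace("/Server/", "/"), "/admin/report.jsp"))   # {'admin'}
```

With the broken patterns no constraint covers anything the webapp actually serves, which is the "access no matter what" the original poster saw; rewriting the patterns as context-relative is what makes the admin area require the admin role.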
Re: Configure read/write-access in TomCat
On Wed, Aug 18, 2010 at 8:06 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> I couldn't see if anyone actually answered your question, here, or just argued about how well-documented conf/web.xml was.

Wait, what, those aren't the same? :-)

-- 
Hassan Schroeder hassan.schroe...@gmail.com
twitter: @hassan