Hi Angela, Not sure why it works fine with Tomcat 5 but followings is my view to the problem with the login page.
1. The security constraint for the images and CSS tells that the GET and HEAD methods to these resources ARE protected. 2. When you go to the login page, as it tries to get the protected images and stylesheet, Tomcat has to redirect the request back to the login page again. rgds, Jo.- ----- Original Message ----- From: "Angela Stempfel" <[EMAIL PROTECTED]> To: <tomcat-user@jakarta.apache.org> Sent: Friday, June 03, 2005 4:53 PM Subject: security constraints in tomcat 4.1.30 > Hello all > > I have a problem concerning Tomcat 4.1.30. In web.xml i defined several > security constraint. First of all I protected the whole application and > then I excluded the directories with images and css files. Furthermore I > defined some roles. > > <pre> > <security-constraint> > <display-name>TCE GUI</display-name> > <web-resource-collection> > <web-resource-name>WEBGui Area</web-resource-name> > <!-- Define the context-relative URL(s) to be protected --> > <url-pattern>/*</url-pattern> > </web-resource-collection> > <auth-constraint> > <!-- Anyone with one of the listed roles may access this area --> > <role-name>*</role-name> > </auth-constraint> > </security-constraint> > > <security-constraint> > <web-resource-collection> > <web-resource-name>Images and CSS Not Protected</web-resource-name> > <url-pattern>/images/*</url-pattern> > <url-pattern>/css/*</url-pattern> > <http-method>GET</http-method> > <http-method>HEAD</http-method> > </web-resource-collection> > </security-constraint> > > <security-constraint> > <display-name>DSLAM Configuration</display-name> > <web-resource-collection> > <web-resource-name> > Access to DSLAM Configuration > </web-resource-name> > <url-pattern>/DslamConfig/*</url-pattern> > </web-resource-collection> > <auth-constraint> > <role-name>dslamConfig</role-name> > </auth-constraint> > </security-constraint> > <login-config> > <auth-method>FORM</auth-method> > <form-login-config> > <form-login-page>/login.jsp</form-login-page> > <form-error-page>/login-error.jsp</form-error-page> > </form-login-config> > </login-config> > > <security-role> > <role-name>dslamConfig</role-name> > </security-role> > </pre> > > So my problem is that this works fine with Tomcat 5.0 but not with > Tomcat 4.1.30. If I go to the login page, the stylesheet and images are > not found when running the Application with version 4.1.30. Also the > Security Constraints are not working correctly, this means that a user > that hasn't the role "dslamConfig" is able to enter the following URL: > /DslamConfig/* > > Has anyone some ideas? > > Thanks a lot > Angela > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > > !DSPAM:429fffc716436437214267! > > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
