RE: [newbie] Container Managed Security - preventing direct access to .jsp
> Thanks for the help and discussion Ben.
>
> /robert

Yep, they look the same.

Glad to help, even if I've done nothing more than validate your assumptions ;)

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: [newbie] Container Managed Security - preventing direct access to .jsp
That is exactly how I want to do it. In fact, if you look at my original message I describe what you recommend almost exactly.

Anyhow, I finally created a VERY simple security example web app with the following web.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">

  <description>Simple Security Example</description>
  <display-name>Simple Security Example</display-name>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <error-page>
    <error-code>403</error-code>
    <location>/403.jsp</location>
  </error-page>

  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

</web-app>

And it works! Yeeeha!

Thanks for the help and discussion Ben.

/robert

-----Original Message-----
From: Ben Souther [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 14, 2004 10:35 PM
To: Tomcat Users List
Subject: RE: [newbie] Container Managed Security - preventing direct access to .jsp

It appears that there is no standard way to do this even though it's implied in the spec. I don't know how standard this is, but it works.

The trick is in the auth-constraint node (note the commented-out role-name). Since it is exclusive, not declaring a role-name for the protected resource denies access to everyone. You then catch the 403 error with an error page mapping and you're good to go.

The JSPs can still be accessed from the request dispatcher, so you can reach them through the MVC pattern.

I suppose a simpler solution would be simply to create a servlet-mapping with a url pattern of *.jsp and map it to an error servlet.
If you want to test this out quickly, grab the SimpleMVC.war from http://simple.souther.us and replace the web.xml file with this one. You'd have to create your own no-jsp-4-u.html page.

Hope it helps
-Ben

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">

  <servlet>
    <servlet-name>ControllerServlet</servlet-name>
    <servlet-class>us.souther.simple.mvc.ControllerServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>ControllerServlet</servlet-name>
    <url-pattern>/simple-mvc</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>off-limits</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- <role-name>manager</role-name> -->
    </auth-constraint>
  </security-constraint>

  <error-page>
    <error-code>403</error-code>
    <location>/no-jsp-4-u.html</location>
  </error-page>

</web-app>
RE: [newbie] Container Managed Security - preventing direct access to .jsp
Yes. That would be an alternative approach. However, I want to use CMS (Container Managed Security) to protect direct access to .jsp pages. This should be possible as per the Servlet specification.

/robert

-----Original Message-----
From: Ben Souther [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 14, 2004 1:16 PM
To: Tomcat Users List
Subject: RE: [newbie] Container Managed Security - preventing direct access to .jsp

Filters are portable.

On Tue, 2004-12-14 at 12:32, Robert Taylor wrote:
> Ping...
>
> Please let me know if this question is just too obvious and I'll gladly RTFM...even more. And yes, I know this list is not here just to serve _my_ interests.
>
> It just seems like a common idiom to provide a portable mechanism for protecting direct access to .jsp so as to enforce access through some controller. I have in the past placed .jsp files behind WEB-INF, but I don't believe that is portable and would like to use CMS to achieve this.
>
> Thanks again.
>
> /robert
>
> -----Original Message-----
> From: Robert Taylor [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 13, 2004 8:59 PM
> To: [EMAIL PROTECTED]
> Subject: [newbie] Container Managed Security - preventing direct access to .jsp
>
> Greetings,
>
> I'm new to Tomcat and this mailing list, and have a question regarding configuring Tomcat to simply disallow access to .jsp pages which I have protected via the <security-constraint/> in my web app web.xml file.
>
> From what I understand, the following should do the trick and cause a 403 error to be sent to the browser by the container. I would like to trap that error code and display a user-friendly page (I chose any page so I would know it's working). I've simply modified the Tomcat jsp-examples web app. Here's a snippet of the necessary artifacts in the web.xml file.
>
> <error-page>
>   <error-code>403</error-code>
>   <location>/dates/date.jsp</location>
> </error-page>
>
> <security-constraint>
>   <display-name>Example Security Constraint</display-name>
>   <web-resource-collection>
>     <web-resource-name>Protected Area</web-resource-name>
>     <url-pattern>/security/protected/*</url-pattern>
>   </web-resource-collection>
> </security-constraint>
>
> I believe the constraint is working, but I don't think the <error-page/> is catching the 403 status code. This is probably because a 403 status code is not returned, but rather a 200 (I verified this by looking at the response headers).
>
> Anyhow, the content of the returned page is below within the <content/>:
>
> <content>
> You are logged in as remote user null in session D97EE937BEC953A7E82E42B3956AED86
> No user principal could be identified.
> To check whether your username has been granted a particular role, enter it here:
> If you have configured this app for form-based authentication, you can log off by clicking here. This should cause you to be returned to the logon page after the redirect that is performed.
> </content>
>
> I'm sure this has happened to someone else, I just cannot find where. I googled and didn't come up with much. I searched the archives using "You are logged in as remote user null in session" and no matches were found.
>
> Any help would be greatly appreciated.
>
> /robert
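The difference between the two descriptors in this thread is the whole story: Robert's first constraint has no <auth-constraint> element at all, and under the Servlet spec a security-constraint without an auth-constraint imposes no authorization (the container serves the page and answers 200, exactly what he saw), whereas Ben's empty <auth-constraint/> denies every user and makes the container answer 403, which the error-page mapping can then catch. The following Python audit is an added example, not code from the thread or from Tomcat; it parses a web.xml string and reports, for each security-constraint, which of the three spec modes it is in (no auth-constraint = unrestricted, empty auth-constraint = deny-all, listed role-names = role-restricted, where "*" means every role declared in the descriptor) and flags a deny-all constraint that has no 403 error-page. The function names (audit, classify_constraint) and the two sample descriptors are my own; the samples are constructed, trimmed-down versions of the descriptors posted above.

```python
# Added example (not from the thread): audit a Servlet 2.4 web.xml for what each
# <security-constraint> really grants.  Spec semantics:
#   no <auth-constraint>         -> no authorization at all, everyone gets in
#   empty <auth-constraint/>     -> nobody gets in, container answers 403
#   <role-name> children         -> only those roles ("*" = all declared roles)
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _kids(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def _text(elem):
    return (elem.text or "").strip()


def classify_constraint(sc):
    """Return url-patterns, access mode and roles for one <security-constraint>."""
    patterns = [_text(p)
                for wrc in _kids(sc, "web-resource-collection")
                for p in _kids(wrc, "url-pattern")]
    auth = _kids(sc, "auth-constraint")
    if not auth:
        return {"patterns": patterns, "mode": "unrestricted", "roles": []}
    roles = [_text(r) for a in auth for r in _kids(a, "role-name")]
    mode = "deny-all" if not roles else "role-restricted"
    return {"patterns": patterns, "mode": mode, "roles": roles}


def audit(web_xml):
    """Parse a web.xml string; return its constraints, mapped error codes and findings."""
    root = ET.fromstring(web_xml)
    constraints = [classify_constraint(sc)
                   for sc in _kids(root, "security-constraint")]
    error_codes = {_text(c)
                   for ep in _kids(root, "error-page")
                   for c in _kids(ep, "error-code")}
    findings = []
    for c in constraints:
        where = ", ".join(c["patterns"]) or "(no url-pattern)"
        if c["mode"] == "unrestricted":
            findings.append(f"{where}: no <auth-constraint>, so this constraint "
                            "does not restrict access at all")
        elif c["mode"] == "deny-all" and "403" not in error_codes:
            findings.append(f"{where}: deny-all constraint but no 403 <error-page>; "
                            "users will see the container's default error page")
    return {"constraints": constraints,
            "error_codes": sorted(error_codes),
            "findings": findings}


# Constructed sample: the shape of Robert's first attempt (no <auth-constraint>).
UNRESTRICTED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <error-page><error-code>403</error-code><location>/dates/date.jsp</location></error-page>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/security/protected/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

# Constructed sample: Ben's deny-all idiom (empty <auth-constraint>, role commented out).
DENY_ALL_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>off-limits</web-resource-name>
      <url-pattern> *.jsp </url-pattern>
    </web-resource-collection>
    <auth-constraint><!-- <role-name>manager</role-name> --></auth-constraint>
  </security-constraint>
  <error-page><error-code>403</error-code><location>/no-jsp-4-u.html</location></error-page>
</web-app>"""


if __name__ == "__main__":
    for name, xml in (("unrestricted", UNRESTRICTED_WEB_XML),
                      ("deny-all", DENY_ALL_WEB_XML)):
        report = audit(xml)
        print(name, report["constraints"], report["findings"])
```

Two caveats worth keeping in mind when reading the report. First, as Ben notes, a security-constraint is only applied to the request URI the client sent, so a controller can still forward to a denied JSP through the RequestDispatcher; the audit reports that as deny-all because that is what the client sees. Second, an extension pattern such as *.jsp matches exactly that extension, so a .jspx page or a JSP reachable through some other servlet-mapping is not covered by it.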