Re: security constraints in tomcat 4.1.30
Hi Angela,

Not sure why it works fine with Tomcat 5, but the following is my view of the problem with the login page.

1. The security constraint for the images and CSS tells that the GET and HEAD methods to these resources ARE protected.
2. When you go to the login page, as it tries to get the protected images and stylesheet, Tomcat has to redirect the request back to the login page again.

rgds,
Jo.

----- Original Message -----
From: Angela Stempfel [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Sent: Friday, June 03, 2005 4:53 PM
Subject: security constraints in tomcat 4.1.30

Hello all

I have a problem concerning Tomcat 4.1.30. In web.xml I defined several security constraints. First of all I protected the whole application and then I excluded the directories with images and CSS files. Furthermore I defined some roles.

<security-constraint>
  <display-name>TCE GUI</display-name>
  <web-resource-collection>
    <web-resource-name>WEBGui Area</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Images and CSS Not Protected</web-resource-name>
    <url-pattern>/images/*</url-pattern>
    <url-pattern>/css/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
  </web-resource-collection>
</security-constraint>
<security-constraint>
  <display-name>DSLAM Configuration</display-name>
  <web-resource-collection>
    <web-resource-name>Access to DSLAM Configuration</web-resource-name>
    <url-pattern>/DslamConfig/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>dslamConfig</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>dslamConfig</role-name>
</security-role>

So my problem is that this works fine with Tomcat 5.0 but not with Tomcat 4.1.30. If I go to the login page, the stylesheet and images are not found when running the application with version 4.1.30. Also the security constraints are not working correctly; this means that a user that hasn't the role dslamConfig is able to enter the following URL: /DslamConfig/*

Has anyone some ideas?

Thanks a lot
Angela
security constraints in tomcat 4.1.30
Hello all

I have a problem concerning Tomcat 4.1.30. In web.xml I defined several security constraints. First of all I protected the whole application and then I excluded the directories with images and CSS files. Furthermore I defined some roles.

<security-constraint>
  <display-name>TCE GUI</display-name>
  <web-resource-collection>
    <web-resource-name>WEBGui Area</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Anyone with one of the listed roles may access this area -->
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Images and CSS Not Protected</web-resource-name>
    <url-pattern>/images/*</url-pattern>
    <url-pattern>/css/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>HEAD</http-method>
  </web-resource-collection>
</security-constraint>
<security-constraint>
  <display-name>DSLAM Configuration</display-name>
  <web-resource-collection>
    <web-resource-name>Access to DSLAM Configuration</web-resource-name>
    <url-pattern>/DslamConfig/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>dslamConfig</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>dslamConfig</role-name>
</security-role>

So my problem is that this works fine with Tomcat 5.0 but not with Tomcat 4.1.30. If I go to the login page, the stylesheet and images are not found when running the application with version 4.1.30. Also the security constraints are not working correctly; this means that a user that hasn't the role dslamConfig is able to enter the following URL: /DslamConfig/*

Has anyone some ideas?

Thanks a lot
Angela
Re: security constraints in tomcat 4.1.30
Angela Stempfel wrote:
> Hello all
>
> I have a problem concerning Tomcat 4.1.30. In web.xml I defined several security constraints. First of all I protected the whole application and then I excluded the directories with images and CSS files. Furthermore I defined some roles.

<snip>

> So my problem is that this works fine with Tomcat 5.0 but not with Tomcat 4.1.30. If I go to the login page, the stylesheet and images are not found when running the application with version 4.1.30. Also the security constraints are not working correctly; this means that a user that hasn't the role dslamConfig is able to enter the following URL: /DslamConfig/*
>
> Has anyone some ideas?

You need to read section SRV.12.8 of both the servlet 2.3 spec and the servlet 2.4 spec. The way constraints are handled has changed. For example,

<spec-quote version="2.3">
If the authorization constraint defines no roles, no user is allowed access to the portion of the web application defined by the security constraint.
</spec-quote>

compared to

<spec-quote version="2.4">
If no authorization constraint applies to a request, the container must accept the request without requiring user authentication.
</spec-quote>

There is a fair amount of ambiguity in this area of the 2.3 spec, which is why it changed so much in 2.4.

You should also be aware of http://issues.apache.org/bugzilla/show_bug.cgi?id=15570

Mark
Re: security constraints in tomcat 4.1.30
Along with what Mark said, you should know that TC 4.1.30 stops checking after the *first* matching constraint (so in your case, the '/*' always wins). Try reversing the order of your constraints in web.xml.

As Mark mentioned, this has changed in TC 5.x, and your web.xml should work as written.

Angela Stempfel [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Hello all
>
> I have a problem concerning Tomcat 4.1.30. In web.xml I defined several security constraints. First of all I protected the whole application and then I excluded the directories with images and CSS files. Furthermore I defined some roles.
>
> <security-constraint>
>   <display-name>TCE GUI</display-name>
>   <web-resource-collection>
>     <web-resource-name>WEBGui Area</web-resource-name>
>     <!-- Define the context-relative URL(s) to be protected -->
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <!-- Anyone with one of the listed roles may access this area -->
>     <role-name>*</role-name>
>   </auth-constraint>
> </security-constraint>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Images and CSS Not Protected</web-resource-name>
>     <url-pattern>/images/*</url-pattern>
>     <url-pattern>/css/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>HEAD</http-method>
>   </web-resource-collection>
> </security-constraint>
> <security-constraint>
>   <display-name>DSLAM Configuration</display-name>
>   <web-resource-collection>
>     <web-resource-name>Access to DSLAM Configuration</web-resource-name>
>     <url-pattern>/DslamConfig/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>dslamConfig</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>FORM</auth-method>
>   <form-login-config>
>     <form-login-page>/login.jsp</form-login-page>
>     <form-error-page>/login-error.jsp</form-error-page>
>   </form-login-config>
> </login-config>
> <security-role>
>   <role-name>dslamConfig</role-name>
> </security-role>
>
> So my problem is that this works fine with Tomcat 5.0 but not with Tomcat 4.1.30. If I go to the login page, the stylesheet and images are not found when running the application with version 4.1.30. Also the security constraints are not working correctly; this means that a user that hasn't the role dslamConfig is able to enter the following URL: /DslamConfig/*
>
> Has anyone some ideas?
>
> Thanks a lot
> Angela
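The behaviour discussed in this thread, as an added example (not part of the original posts and not Tomcat's code): a simplified Python model that picks the governing constraint either by first match in web.xml order, as the reply above describes for TC 4.1.30, or by most specific url-pattern, as under the servlet 2.4 rules. The function names, the role "operator", the reading of role-name * as "any authenticated user" and of a constraint without auth-constraint as public are assumptions of this model.

```python
from typing import NamedTuple, Optional, Sequence


class Constraint(NamedTuple):
    name: str
    patterns: Sequence[str]
    methods: Sequence[str] = ()            # empty: applies to every HTTP method
    roles: Optional[Sequence[str]] = None  # None: no <auth-constraint> element


# The three constraints from the posted web.xml, in the posted order.
ANGELA = [
    Constraint("TCE GUI", ("/*",), roles=("*",)),
    Constraint("Images and CSS Not Protected", ("/images/*", "/css/*"),
               methods=("GET", "HEAD")),
    Constraint("DSLAM Configuration", ("/DslamConfig/*",),
               roles=("dslamConfig",)),
]


def specificity(pattern, path):
    """Rank of a match (higher is more specific), or None when no match."""
    if pattern == path:
        return (3, len(pattern))                 # exact match
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))              # path mapping, longest wins
        return None
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)                            # extension mapping
    if pattern == "/":
        return (0, 0)                            # default servlet
    return None


def rank(c, path, method):
    """Best rank of any pattern in constraint c for this request, or None."""
    if c.methods and method not in c.methods:
        return None
    hits = [s for s in (specificity(p, path) for p in c.patterns) if s is not None]
    return max(hits) if hits else None


def first_match(constraints, path, method):
    """Document order decides: the first constraint that matches wins."""
    for c in constraints:
        if rank(c, path, method) is not None:
            return c
    return None


def best_match(constraints, path, method):
    """The most specific matching pattern decides, whatever the order."""
    ranked = [(rank(c, path, method), -i, c) for i, c in enumerate(constraints)]
    ranked = [r for r in ranked if r[0] is not None]
    return max(ranked)[2] if ranked else None


def decide(c, user_roles):
    """user_roles is None for a request that has not authenticated yet."""
    if c is None or c.roles is None:
        return "allow"       # assumption: no auth-constraint means public
    if not c.roles:
        return "deny"        # auth-constraint that names no roles
    if user_roles is None:
        return "login"       # container sends the user to the login page
    if "*" in c.roles or set(c.roles) & set(user_roles):
        return "allow"       # assumption: * admits any authenticated user
    return "deny"


def access(constraints, path, method, user_roles, select):
    return decide(select(constraints, path, method), user_roles)


if __name__ == "__main__":
    reordered = list(reversed(ANGELA))           # most specific first
    for label, rules, select in (("first match, posted order", ANGELA, first_match),
                                 ("first match, reversed", reordered, first_match),
                                 ("best match, posted order", ANGELA, best_match)):
        print(label,
              access(rules, "/images/logo.gif", "GET", None, select),
              access(rules, "/DslamConfig/edit", "GET", ("operator",), select))
```

With the posted order and first-match selection, the model reproduces both symptoms from the original post: the image request is sent to the login page, and a user without dslamConfig reaches /DslamConfig/.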
Re: Security constraints for different contexts
Just wanted to ask this question again... does anyone have any ideas? I'm really stuck here; any good tutorials or resources about security constraints would be helpful. All of the ones I've seen online only handle one constraint at a time; I've never seen how they work in terms of best match first or otherwise.

Thanks,
Rahman

At 7/2/2004 11:47 AM, you wrote:
> Hello,
>
> I'm using Tomcat 5.0.25 and I'd like to use container-based security to restrict access to one specific page. The problem is that this page exists in different contexts, but using the same docbase. You can get a better idea by looking at the first snippet included below. You can see that the application itself is installed by default at context /wiki, and there will be additional copies at /wiki/wikione and so on.
>
> My goal is to restrict /wiki/Edit.jsp to one role, /wiki/wikione/Edit.jsp to another role, etc. The web.xml I'm using right now doesn't even prompt for authentication at all; the only time I can get it to authorize anything is when I only have one security constraint, for url-pattern /Edit.jsp.
>
> Is there an easy way to achieve this?
>
> Thanks...
> Rahman
>
> Server.xml snippet:
>
> <Context path="/wiki/wikione" docBase="wiki" debug="0">
>   <Parameter name="jspwiki.propertyfile" value="C:\tomcat\webapps\wiki\WEB-INF\wikione.properties" override="false"/>
> </Context>
>
> The application's web.xml snippet:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Protected Area</web-resource-name>
>     <url-pattern>/wiki/Edit.jsp</url-pattern>
>     <http-method>DELETE</http-method>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>wikiadmin</role-name>
>   </auth-constraint>
> </security-constraint>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Protected Area</web-resource-name>
>     <url-pattern>/wiki/wikione/Edit.jsp</url-pattern>
>     <http-method>DELETE</http-method>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>wikioneadmin</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>JSPWiki Editor</realm-name>
> </login-config>
Security constraints for different contexts
Hello,

I'm using Tomcat 5.0.25 and I'd like to use container-based security to restrict access to one specific page. The problem is that this page exists in different contexts, but using the same docbase. You can get a better idea by looking at the first snippet included below. You can see that the application itself is installed by default at context /wiki, and there will be additional copies at /wiki/wikione and so on.

My goal is to restrict /wiki/Edit.jsp to one role, /wiki/wikione/Edit.jsp to another role, etc. The web.xml I'm using right now doesn't even prompt for authentication at all; the only time I can get it to authorize anything is when I only have one security constraint, for url-pattern /Edit.jsp.

Is there an easy way to achieve this?

Thanks...
Rahman

Server.xml snippet:

<Context path="/wiki/wikione" docBase="wiki" debug="0">
  <Parameter name="jspwiki.propertyfile" value="C:\tomcat\webapps\wiki\WEB-INF\wikione.properties" override="false"/>
</Context>

The application's web.xml snippet:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/wiki/Edit.jsp</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>wikiadmin</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/wiki/wikione/Edit.jsp</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>wikioneadmin</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JSPWiki Editor</realm-name>
</login-config>
Tomcat Security Constraints
Hi,

I have been using basic authorization with SSL in Tomcat for some time, quite satisfactorily. However I have found what I feel to be some strange behaviour on the part of Tomcat (I have 4.1.30) in one case.

Here's an example: I have a folder, let's say http://www.mysite.com/prot/. I put a security-constraint on this folder in web.xml so that it is protected and requires basic authorization. So far so good. But I have discovered that if you include a document from that protected folder inside a document from an unprotected folder using a jsp:include, then basic authorization is no longer requested by the browser for the protected page.

Surely the authorization should be requested in all places and at all times, wherever the request is coming from, even if from an include in an unprotected page?

---

This leads on to my second question. I have been trying to solve one small though potentially dangerous problem with Basic Authorization/SSL.

If I want to access a protected area of our site from outside the firewall I write an address similar to the following: https://mysslsite.com/pagerequired.jsp. It has happened that I forget to type https:// and type http:// instead. So if a nasty, mean person is listening in, he can see my password unencrypted, right?

How can I prevent this? The problem is that the login window with basic authorization pops up before you arrive at the page itself.

I thought of FORM authorization, because the .jsp used for the Login form can check the port requested (must be 443) and refuse to request the password if it's wrong. But FORM authorization requires lots of extra programming to give many of the useful extras that BASIC authorization offers included (e.g. remembering your user name and password).

Then I thought of including the protected page in an unprotected page that checks if you are in https before doing the include. But since Tomcat has this strange behaviour I mentioned above, after a couple of days of fiddling with this possibility I've had to give that up too.

Anybody got any ideas?

Thanks for your time,
Malcolm Warren
Re: Tomcat Security Constraints
On Thu, Apr 08, 2004 at 06:36:16PM +0200, Malcolm Warren wrote:
: Surely the authorization should be requested in all places and at all
: times, wherever the request is coming from, even if from an include in an
: unprotected page?

Clearly not, if it's going through. ;)

My understanding of the spec is that the security constraints are for the originally-requested URI only. It's up to the developers to make sure content doesn't get include'd or forward()'d to the wrong place.

: It has happened that I forget to type https:// and type http:// instead.
: So if a nasty, mean person is listening in, he can see my password
: unencrypted, right?

Yes.

: How can I prevent this?

Use all SSL, all the time.

-and I'm not being facetious there. If the data is that sensitive, why not?

Other than that, I believe there are auth restraints in web.xml that require SSL auth. I'd be more specific, but I'm deep into a C++ project right today so my servlet spec knowledge is a little hazy.

btw, what's wrong with form auth? I don't recall it requiring that much extra programming.

-QM

--
software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
url-pattern pb in security constraints
Hello,

I'm trying some web.xml security features and think that Catalina doesn't perform url pattern very well in some cases (whatever the kind of Realm).

For example:

Roles: Administrateur and DTN

Protected resources:
/pages/secret1/*.jsp reserved for Administrateur role
/pages/*.jsp reserved for Administrateur and DTN roles

When the current user has only DTN role, the first pattern is not filtered and so the resource is not protected, while if the first pattern is a straightforward resource (say /pages/secret1/myfile.jsp) is correctly safe.

Any idea?

Thanks in advance,
Arnaud

web.xml sample:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>webapp2</web-resource-name>
    <url-pattern>/pages/secret1/*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Administrateur</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>webapp1</web-resource-name>
    <url-pattern>/pages/*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>DTN</role-name>
    <role-name>Administrateur</role-name>
  </auth-constraint>
</security-constraint>
RE: url-pattern pb in security constraints
According to the spec (Chapter 11.2):

<spec>
A string beginning with a / character and ending with a /* postfix is used for path mapping.
A string beginning with a *. prefix is used as an extension mapping.
A string containing only the / character indicates the default servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
All other strings are used for exact matches only.
</spec>

So /pages/*.jsp is not a valid pattern mapping. It's just *.jsp or /pages/*

-----Original Message-----
From: Boulay Arnaud [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 11, 2004 10:26 AM
To: [EMAIL PROTECTED]
Subject: url-pattern pb in security constraints

<url-pattern>/pages/secret1/*.jsp</url-pattern>
<url-pattern>/pages/*.jsp</url-pattern>
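A check for the two pitfalls raised so far on this page, as an added example (not code from any of the posters or from Tomcat): it parses a deployment descriptor, classifies each url-pattern by the four forms in the spec text quoted in the reply above, flags wildcard patterns that fall through to exact match, and flags constraints that demand authentication without a CONFIDENTIAL transport-guarantee, the http:// versus https:// exposure from the "Tomcat Security Constraints" thread. The function names, rule labels and the /prot/* constraint in the sample are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two constraints from the original post, plus a
# hypothetical /prot/* area that does require a confidential transport.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>webapp2</web-resource-name>
      <url-pattern>/pages/secret1/*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Administrateur</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>webapp1</web-resource-name>
      <url-pattern>/pages/*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>DTN</role-name>
      <role-name>Administrateur</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>prot</web-resource-name>
      <url-pattern>/prot/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def local(el):
    """Tag name without an XML namespace (newer descriptors declare one)."""
    return el.tag.rsplit("}", 1)[-1]


def texts(el, name):
    """Stripped text of every descendant element called `name`."""
    return [(d.text or "").strip() for d in el.iter() if local(d) == name]


def classify(pattern):
    """Which of the four spec forms a url-pattern is."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    if pattern == "/":
        return "default"
    return "exact"


def alternatives(pattern):
    """Spec-valid forms closest to a pattern such as /pages/*.jsp."""
    directory, _, last = pattern.rpartition("/")
    forms = [directory + "/*"]
    if last.startswith("*."):
        forms.append(last)
    return forms


def lint(web_xml):
    """Return (constraint name, rule, detail) tuples for a web.xml string."""
    findings = []
    root = ET.fromstring(web_xml)
    for sc in (e for e in root.iter() if local(e) == "security-constraint"):
        name = (texts(sc, "web-resource-name") or ["(unnamed)"])[0]
        for pattern in texts(sc, "url-pattern"):
            # A '*' inside an exact-match pattern is matched literally.
            if classify(pattern) == "exact" and "*" in pattern:
                findings.append((name, "wildcard-in-exact-match", pattern))
        guarantee = (texts(sc, "transport-guarantee") or ["(not set)"])[0]
        has_auth = any(local(d) == "auth-constraint" for d in sc.iter())
        if has_auth and guarantee != "CONFIDENTIAL":
            findings.append((name, "auth-without-confidential", guarantee))
    return findings


if __name__ == "__main__":
    for name, rule, detail in lint(SAMPLE_WEB_XML):
        hint = alternatives(detail) if rule == "wildcard-in-exact-match" else ""
        print(name, rule, detail, hint)
```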
Deploy failure with Tomcat 5.0.16 adding security constraints
Hi,

I'm getting the following error log trying to install my webapp in Tomcat 5.0.16. When I remove the security constraints section in web.xml the app installs and runs OK, but when I restore the security section in web.xml I can't install the app.

I have tested this issue on Tomcat 5.0.16 in Windows and Linux and on Tomcat 4.1.29.

In my server.xml I'm using JDBCRealm auth method at Engine level. It's working fine with, for example, the Tomcat manager app and for other apps I'm running.

The app uses Jakarta Struts 1.1 and some other taglibs (like request, dbtime and session).

The error log is:

16-dic-2003 12:47:32 org.apache.catalina.core.StandardHostDeployer install
INFO: Installing web application at context path /netlabor from URL jar:file:/C:/j2ee/Tomcat-5.0.16/webapps/netlabor.war!/
16-dic-2003 12:47:34 org.apache.catalina.core.StandardHostDeployer install
INFO: Error installing
java.lang.NullPointerException
    at java.util.Hashtable.get(Unknown Source)
    at java.util.Properties.getProperty(Unknown Source)
    at org.apache.catalina.startup.ContextConfig.authenticatorConfig(ContextConfig.java:420)
    at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:651)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:254)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4212)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:866)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:850)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
    at org.apache.catalina.core.StandardHostDeployer.install(StandardHostDeployer.java:316)
    at org.apache.catalina.core.StandardHost.install(StandardHost.java:859)
    at org.apache.catalina.manager.ManagerServlet.deploy(ManagerServlet.java:927)
    at org.apache.catalina.manager.HTMLManagerServlet.deployInternal(HTMLManagerServlet.java:320)
    at org.apache.catalina.manager.HTMLManagerServlet.doPost(HTMLManagerServlet.java:300)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:284)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:204)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:594)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156)
    at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972)
    at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:211)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:805)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:696)
    at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:605)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
    at java.lang.Thread.run(Unknown Source)
16-dic-2003 12:47:35 org.apache.catalina.core.StandardHostDeployer install
INFO: Installing web application at context path /netlabor from URL file:C:/j2ee/Tomcat-5.0.16/webapps/netlabor
16-dic-2003 12:47:35 org.apache.catalina.core.StandardHostDeployer install
INFO: Error installing
java.lang.NullPointerException
    at java.util.Hashtable.get(Unknown Source
Re: Deploy failure with Tomcat 5.0.16 adding security constraints
jose wrote:
> Hi,
>
> I'm getting the following error log trying to install my webapp in Tomcat 5.0.16. When I remove the security constraints section in web.xml the app installs and runs OK, but when I restore the security section in web.xml I can't install the app.
>
> I have tested this issue on Tomcat 5.0.16 in Windows and Linux and on Tomcat 4.1.29.
>
> In my server.xml I'm using JDBCRealm auth method at Engine level. It's working fine with, for example, the Tomcat manager app and for other apps I'm running.
>
> The app uses Jakarta Struts 1.1 and some other taglibs (like request, dbtime and session).

You need something like:

<auth-method>BASIC</auth-method>

in your login-config. The error could be a *lot* better (we should check for null, basically).

--
Rémy Maucherat
Senior Developer Consultant
JBoss Group (Europe) SàRL
Re: Deploy failure with Tomcat 5.0.16 adding security constraints
Remy,

Thanks... I can't believe how I haven't seen the error.

Jose

Remy Maucherat wrote:
> jose wrote:
>> Hi,
>>
>> I'm getting the following error log trying to install my webapp in Tomcat 5.0.16. When I remove the security constraints section in web.xml the app installs and runs OK, but when I restore the security section in web.xml I can't install the app.
>>
>> I have tested this issue on Tomcat 5.0.16 in Windows and Linux and on Tomcat 4.1.29.
>>
>> In my server.xml I'm using JDBCRealm auth method at Engine level. It's working fine with, for example, the Tomcat manager app and for other apps I'm running.
>>
>> The app uses Jakarta Struts 1.1 and some other taglibs (like request, dbtime and session).
>
> You need something like:
>
> <auth-method>BASIC</auth-method>
>
> in your login-config. The error could be a *lot* better (we should check for null, basically).
servlet mappings and security constraints with j_security_check
I am getting the familiar status 400 - invalid direct reference, and yet I am absolutely not surfing to the login page myself.

This is the page I am on:
https://localhost:8443/mywebapp/registerdone.do

and this is the link I am using:
https://localhost:8443/mywebapp/private/editprofile.do

This mapping is protected by my security constraints (/private/) and so tomcat invokes the j_security_check form, and on submission tomcat gives me the 400 status invalid direct reference.

I have the login form and the login error form SSL encrypted. It works fine for non-HTTPS links. Here's the web.xml snippet:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL 4 Login</web-resource-name>
    <url-pattern>/ssllogin.html</url-pattern>
    <url-pattern>/sslerror.html</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <description>SSL required</description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login</web-resource-name>
    <url-pattern>/private/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>SSL not required</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>BlackSailRealm</realm-name>
  <form-login-config>
    <form-login-page>/ssllogin.html</form-login-page>
    <form-error-page>/sslerror.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>user</role-name>
</security-role>
<security-role>
  <role-name>admin</role-name>
</security-role>

Does anyone know what I am doing wrong, or has seen this error too?

Thanks
Adam

--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
Re: servlet mappings and security constraints with j_security_check
How do I delete my name from the Tomcat user list? Because I am trying to use TOMCAT but it does not work well for me at this time.

Have a good day.

Matthew Do
Seattle City Light
[EMAIL PROTECTED]
(206) 733 - 9022

[EMAIL PROTECTED] 10/13/03 09:26AM

I am getting the familiar status 400 - invalid direct reference, and yet I am absolutely not surfing to the login page myself.

This is the page I am on:
https://localhost:8443/mywebapp/registerdone.do

and this is the link I am using:
https://localhost:8443/mywebapp/private/editprofile.do

This mapping is protected by my security constraints (/private/) and so tomcat invokes the j_security_check form, and on submission tomcat gives me the 400 status invalid direct reference.

I have the login form and the login error form SSL encrypted. It works fine for non-HTTPS links. Here's the web.xml snippet:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SSL 4 Login</web-resource-name>
    <url-pattern>/ssllogin.html</url-pattern>
    <url-pattern>/sslerror.html</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <description>SSL required</description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login</web-resource-name>
    <url-pattern>/private/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>SSL not required</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>BlackSailRealm</realm-name>
  <form-login-config>
    <form-login-page>/ssllogin.html</form-login-page>
    <form-error-page>/sslerror.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>user</role-name>
</security-role>
<security-role>
  <role-name>admin</role-name>
</security-role>

Does anyone know what I am doing wrong, or has seen this error too?

Thanks
Adam

--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9
Security-constraints - how to forbid all except ...
Hi,

Does anyone have a way to set security constraints to forbid access to everything (as the by default) *except* specified files + dirs?

The web.xml snippet below comes very close to doing what I want although it relies on the order of constraints (ie, it's container-dependent). The problem with my solution is that incomplete URIs don't have a chance to be redirected to the welcome file. For example, mydomain.com/myservlet hits the SecurityConstraint[Forbidden] before being redirected to index.jsp.

So to rephrase the question: Is there a way to set security constraints to forbid access to everything *except* specified files + dirs WITHOUT breaking the site-root welcome-file redirect? Any workaround to exempt the '/' redirect (maybe a servlet-mapping??).

Thanks,
Chris

Tomcat 404

web.xml snippet
---
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public</web-resource-name>
    <url-pattern>/index.jsp</url-pattern>
    <url-pattern>/public/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Forbidden</web-resource-name>
    <description>Everything else.</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>none</role-name> <!-- This role doesn't exist -->
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
---
Re: Security-constraints - how to forbid all except ...
One workaround is to map EVERYTHING to a set of servlets. Then set your Security constraints against the servlets instead of the URL pattern.

-Tim

Chris Rolfe wrote:

> Hi,
>
> Does anyone have a way to set security constraints to forbid access to everything (as the by default) *except* specified files + dirs?
>
> The web.xml snippet below comes very close to doing what I want although it relies on the order of constraints (ie, it's container-dependent). The problem with my solution is that incomplete URIs don't have a chance to be redirected to the welcome file. For example, mydomain.com/myservlet hits the SecurityConstraint[Forbidden] before being redirected to index.jsp.
>
> So to rephrase the question: Is there a way to set security constraints to forbid access to everything *except* specified files + dirs WITHOUT breaking the site-root welcome-file redirect? Any workaround to exempt the '/' redirect (maybe a servlet-mapping??).
>
> Thanks,
> Chris
>
> Tomcat 404
>
> web.xml snippet
> ---
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Public</web-resource-name>
>     <url-pattern>/index.jsp</url-pattern>
>     <url-pattern>/public/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Forbidden</web-resource-name>
>     <description>Everything else.</description>
>     <url-pattern>/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>     <http-method>DELETE</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>none</role-name> <!-- This role doesn't exist -->
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> ---
Problem with setContentType in https-connection with security-constraints
Hi.

I'm having problems with https-connection to tomcat 4.0.2. I have a jsp-page that sets content-type to application/pdf (with response.setContentType) and prints the pdf with iText. This works fine with http-connection and https without security-constraints. Has someone tested this? It redirects all http-connections to *.jsp to https.

Here's my security-settings:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecurityRestriction</web-resource-name>
    <description>desc</description>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.pdf</url-pattern>
    <url-pattern>*.csv</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

I hope anyone can tell me if there is a workaround to this.

Thanks in advance,
Toni
RE: IIS and security constraints
Hi!

So is there a way for tomcat to share (or retrieve) the authentication information with IIS?

-----Original Message-----
From: Reynir Hübner [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 11:21 AM
To: Tomcat Users List
Subject: RE: IIS and security constraints

I think you need to have IIS authenticate the users for you, then you can handle the authenticated user as you wish in your webapplication.

hope it helps
[EMAIL PROTECTED]

-----Original Message-----
From: Sean Dillon [mailto:[EMAIL PROTECTED]]
Sent: 26. júní 2002 15:17
To: [EMAIL PROTECTED]
Subject: IIS and security constraints

I developed a site for a client who needs to deploy it on an existing IIS server. I found docs on the web that describe using the redirector dll, etc., and have gotten IIS to successfully redirect urls to my JSP site.

My problem is that the security constraints that work so well when running Tomcat standalone or even on the IIS machine via port 8080, do not work when accessing the site through IIS - there is never any login dialog presented by the browser; instead, Tomcat redirects to the site's 404 error page.

So what do I need to do to use container-managed security while deploying Tomcat through IIS?
security-constraints
Hi all,

According to the servlet 2.3 specs, the longest path-prefix is used when determining which servlet-mapping or which security-constraint is to be used.

However when I specify the following security-constraint's:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Collection1</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>role1</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Collection2</web-resource-name>
    <url-pattern>/view/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>role2</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

A user which is in role2 is denied access to url's which start with /view/*, and it seems that the order in which I specify the security-constraint's matters? Am I missing something?

Thanks,
Re: security-constraints
On Tue, 11 Jun 2002, Dennis van den Berg wrote:

> Date: Tue, 11 Jun 2002 13:02:46 +0200
> From: Dennis van den Berg [EMAIL PROTECTED]
> Reply-To: Tomcat Users List [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: security-constraints
>
> Hi all,
>
> According to the servlet 2.3 specs, the longest path-prefix is used when determining which servlet-mapping or which security-constraint is to be used.

Tomcat actually implements first matching security constraint, rather than longest matching security constraint, so you need to swap the order of these two in order to get what you want. Clarifying the rules for this is under discussion for Servlet 2.4.

Craig

> However when I specify the following security-constraint's:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Collection1</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>role1</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Collection2</web-resource-name>
>     <url-pattern>/view/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>role2</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> A user which is in role2 is denied access to url's which start with /view/*, and it seems that the order in which I specify the security-constraint's matters? Am I missing something?
>
> Thanks,
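The ordering effect described in the reply above, as an added example that is not part of the original thread and not Tomcat's code: a Python check that loads the two constraints from the question (the sample web.xml is constructed here), compares first-match with longest-match selection, and lists constraints that an earlier, broader pattern shadows. The function names are this example's own, and http-method filters are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two constraints from the question, in the order posted.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Collection1</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>role1</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Collection2</web-resource-name>
      <url-pattern>/view/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>role2</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return [(name, [url patterns], {roles})] in document order."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name", "").strip()
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        roles = {r.text.strip() for r in sc.iter("role-name")}
        out.append((name, patterns, roles))
    return out

def rank(pattern, path):
    """Match strength: (3, n) exact, (2, n) path prefix, (1, 0) extension, else None."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return (2, len(base)) if path == base or path.startswith(base + "/") else None
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    return (3, len(pattern)) if path == pattern else None

def first_match(constraints, path):
    """Selection when evaluation stops at the first constraint that matches."""
    return next(((n, r) for n, ps, r in constraints
                 if any(rank(p, path) for p in ps)), None)

def longest_match(constraints, path):
    """Selection when the most specific matching pattern wins, whatever the order."""
    best = None
    for name, patterns, roles in constraints:
        for p in patterns:
            r = rank(p, path)
            if r and (best is None or r > best[0]):
                best = (r, name, roles)
    return (best[1], best[2]) if best else None

def covers(earlier, later):
    """True if every path matched by `later` is already matched by `earlier`."""
    if not earlier.endswith("/*"):
        return earlier == later
    base = earlier[:-2]
    if later.startswith("*."):
        return base == ""          # only /* swallows a whole extension pattern
    target = later[:-2] if later.endswith("/*") else later
    return target == base or target.startswith(base + "/")

def shadowed(constraints):
    """(name, pattern, shadowing name, shadowing pattern) unreachable under first-match."""
    found = []
    for i, (name, patterns, _) in enumerate(constraints):
        for p in patterns:
            hits = [(pn, q) for pn, qs, _ in constraints[:i] for q in qs if covers(q, p)]
            if hits:
                found.append((name, p) + hits[0])
    return found
```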
RE: manager reload not processing new security constraints
The application security constraints are in its web.xml, not server.xml.

Does anyone know if reload is supposed to process the web.xml?

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology strategy and software solutions.

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 06, 2002 11:58 AM
To: 'Tomcat Users List'
Subject: RE: manager reload not processing new security constraints

I don't think that manager reads server.xml on reload. You can use the manager's stop/start instead.

Charlie

-----Original Message-----
From: Lawlor, Frank [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 06, 2002 12:09 PM
To: 'Tomcat (E-mail)'
Subject: manager reload not processing new security constraints

Tomcat 4.0.3: If I add a security constraint to the web.xml of my application and do a manager/reload of the app, it claims to have restarted the app OK, but the new constraint is not effected. If I restart Tomcat, the new constraint does take effect.

Is this a bug in the manager reload?

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology strategy and software solutions.
RE: manager reload not processing new security constraints
Charlie,

Your suggestion to use stop/start worked. I still don't know if reload is supposed to process the web.xml (would be nice if this was made clear), but start/stop does the job.

Thanks,

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology strategy and software solutions.

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 06, 2002 11:58 AM
To: 'Tomcat Users List'
Subject: RE: manager reload not processing new security constraints

I don't think that manager reads server.xml on reload. You can use the manager's stop/start instead.

Charlie

-----Original Message-----
From: Lawlor, Frank [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 06, 2002 12:09 PM
To: 'Tomcat (E-mail)'
Subject: manager reload not processing new security constraints

Tomcat 4.0.3: If I add a security constraint to the web.xml of my application and do a manager/reload of the app, it claims to have restarted the app OK, but the new constraint is not effected. If I restart Tomcat, the new constraint does take effect.

Is this a bug in the manager reload?

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology strategy and software solutions.
RE: manager reload not processing new security constraints
sorry, I meant web.xml is not reloaded by the manager's 'reload' command.

Charlie

-----Original Message-----
From: Lawlor, Frank [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 1:25 PM
To: 'Tomcat Users List'
Subject: RE: manager reload not processing new security constraints

The application security constraints are in its web.xml, not server.xml.

Does anyone know if reload is supposed to process the web.xml?

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology strategy and software solutions.

-----Original Message-----
From: Cox, Charlie [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 06, 2002 11:58 AM
To: 'Tomcat Users List'
Subject: RE: manager reload not processing new security constraints

I don't think that manager reads server.xml on reload. You can use the manager's stop/start instead.

Charlie

-----Original Message-----
From: Lawlor, Frank [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 06, 2002 12:09 PM
To: 'Tomcat (E-mail)'
Subject: manager reload not processing new security constraints

Tomcat 4.0.3: If I add a security constraint to the web.xml of my application and do a manager/reload of the app, it claims to have restarted the app OK, but the new constraint is not effected. If I restart Tomcat, the new constraint does take effect.

Is this a bug in the manager reload?

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology strategy and software solutions.
manager reload not processing new security constraints
Tomcat 4.0.3: If I add a security constraint to the web.xml of my application and do a manager/reload of the app, it claims to have restarted the app OK, but the new constraint is not effected. If I restart Tomcat, the new constraint does take effect.

Is this a bug in the manager reload?

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology strategy and software solutions.
RE: manager reload not processing new security constraints
I don't think that manager reads server.xml on reload. You can use the manager's stop/start instead.

Charlie

-----Original Message-----
From: Lawlor, Frank [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 06, 2002 12:09 PM
To: 'Tomcat (E-mail)'
Subject: manager reload not processing new security constraints

Tomcat 4.0.3: If I add a security constraint to the web.xml of my application and do a manager/reload of the app, it claims to have restarted the app OK, but the new constraint is not effected. If I restart Tomcat, the new constraint does take effect.

Is this a bug in the manager reload?

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology strategy and software solutions.
Problems Apache 1.3 - Tomcat 4.0 and Security Constraints
Hi,

I have the following problem: I wrote a web application using a security constraint with auth-method set to 'FORM'. Everything works fine. I now will use Tomcat as the JSP container under Apache. If I access the application through Apache, the FORM-based auth-method of tomcat seems not to work (not found error).

Does Apache support Form-based login in a manner like Tomcat does? Any ideas?

Greetings
Michael

Michael Timpe
Melchiorstr. 24
50670 Köln
eMail: [EMAIL PROTECTED]
Security constraints with http-method
Hello, Does anybody know how to use the security constraint to restrict webdav access to authenticated users but let get and post requests get by? Christopher
Problem with security constraints on /
Hello, Tomcat users! Earlier this week I stumbled on the following problem. I already found a solution to it but I am still not sure whether I had misconfigured things or whether this is a Tomcat bug that should be filed (didn't find an existing record). Could someone with more expertise confirm if the following is correct behaviour according to servlet standard (short explanation would be nice in that case). I am using Tomcat 3.2.3. I have a servlet mapped to / (within its application context) and I have restricted the access to / using the following webapp definition. - clip - servlet servlet-namesms-dispatcher/servlet-name servlet-classfi.rossum.bg.sms.SMSDispatcher/servlet-class /servlet servlet-mapping servlet-namesms-dispatcher/servlet-name url-pattern//url-pattern /servlet-mapping security-constraint web-resource-collection web-resource-namesms-dispatcher/web-resource-name url-pattern//url-pattern /web-resource-collection auth-constraint role-namesmscore/role-name /auth-constraint /security-constraint login-config auth-methodBASIC/auth-method realm-namesmscore/realm-name /login-config - clip - However, when I point my browser at http://127.0.0.1:8080/smsdispatcher/ Tomcat lets me in without basic authentication! Now, when I do the following modification... - clip - security-constraint web-resource-collection web-resource-namesms-dispatcher/web-resource-name - url-pattern//url-pattern + url-pattern/*/url-pattern /web-resource-collection auth-constraint role-namesmscore/role-name - clip - ...everything starts working as expected and I have to provide a user name and password. Is this really how it is supposed to work? Thanks for clarifications! -- Johannes Lehtinen [EMAIL PROTECTED], http://www.iki.fi/jle/
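Review bot: the `+` line widens the protected pattern from `/` to `/*`, which puts every path in the smsdispatcher context behind the smscore role, not only the servlet mapped to `/`; if anything in this context has to stay reachable without BASIC authentication, it needs to sit outside this pattern. The servlet-mapping in the first clip still uses `/`, so a comment in the descriptor explaining why the mapping and the constraint now use different patterns would help the next reader.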
Adding security constraints on a per-server basis
Hi, I'm using Tomcat 3.2.1 on Solaris. Is it possible to add a security-constraint tag somewhere so that it will apply to the entire server at once? I want to lock down my whole development server at once, instead of having to write separate web.xml files for each application. I tried adding a security constraint to the web.xml file in Tomcat's conf/web.xml file, in the hope that adding to the default servlet would make it apply to all servlets, but it didn't seem to work. Is it supposed to? If this does work, does anyone have an example? Thanks, Scott -- -- Scott Kelley, [EMAIL PROTECTED] Biology Computing Services, UC San Diego --
RE: Security Constraints
Depends on what realm you are using.

Assuming you are using the default MemoryRealm, users are defined in $TOMCAT_HOME/conf/tomcat-users.xml

If you are using JDBCRealm then it is presumably assumed that there is an existing mechanism to manage users/passwords for your database.

If you are using another Realm, then the chances are you have written it yourself, so should know the answer ;-)

Tim

-----Original Message-----
From: Martin Mauri [mailto:[EMAIL PROTECTED]]
Sent: 28 March 2001 19:52
To: [EMAIL PROTECTED]
Subject: Security Constraints

Hi users!

I'm trying to configure the security constraints with FORM login method. I've defined to name the role as "role1" but where and how do I add users to that roles and where do I configure their passwords?

regards.
Martin

Lic. Martin O. Mauri
Profesion + Auge A.F.J.P
Parana 666 - Cap. Federal
TE: (011) 4373-7786/7 int: 422
[EMAIL PROTECTED]
www.profesi.com.ar
Security Constraints
Hi users!

I'm trying to configure the security constraints with FORM login method. I've defined to name the role as "role1" but where and how do I add users to that roles and where do I configure their passwords?

regards.
Martin

Lic. Martin O. Mauri
Profesion + Auge A.F.J.P
Parana 666 - Cap. Federal
TE: (011) 4373-7786/7 int: 422
[EMAIL PROTECTED]
www.profesi.com.ar
Security Constraints
Hi

I'm new to Apache/Tomcat so expect an obvious question.

I'm currently designing a multi-tier internet application based upon J2EE blueprints. To implement security in J2EE Web Tier the normal approach is to denote Web Resources (JSPs, Servlets etc) as protected (e.g. form-based authentication) in the deployment descriptor file for the Web components. For a web client to access the resources they are forced (by the J2EE container) to login to the system by completing a login form. This is the J2EE approach (I've read).

I've been advised that Web/Application servers that support J2EE (i.e. Enterprise Java Beans) are not brilliant at the moment and I should consider using Apache/Tomcat as a web server and Oracle 8i as my back end database and J2EE platform to run business logic in EJBs.

If I can't use J2EE Security constraints in the deployment descriptor file of the web tier, how does Apache/Tomcat authenticate users?

Yours hopefully
Brian