hi all,
we are having a problem with our Tomcat 5.5.9 cluster. We run 2 Tomcat
instances on physically different machines. For security we use normal
container managed security, configured in the web.xml. Session replication
works fine, and session id's are same across the two instances. We only
Kind regards
Dr. Aliye Edao
-Original Message-
From: Torsten Rmer [mailto:[EMAIL PROTECTED]
Sent: Friday, June 17, 2005 00:42
To: Tomcat Users List
Subject: Container Managed Security and mod_jk/Static Contents
Hello
how do you authenticate ? basic ? form based ?
- Original Message -
From: Torsten Rmer [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Thursday, June 16, 2005 11:42 PM
Subject: Container Managed Security and mod_jk/Static Contents
Hello!
In order
Subject: Container Managed Security and mod_jk/Static Contents
Hello!
In order to improve performance for static contents I have setup Apache
with mod_jk. Now only Struts' *.do requests are served by Tomcat, the
rest is done by Apache. Works fine.
Now I want to restrict access to some resources
Hello!
In order to improve performance for static contents I have setup Apache
with mod_jk. Now only Struts' *.do requests are served by Tomcat, the
rest is done by Apache. Works fine.
Now I want to restrict access to some resources using container
managed security. That also works fine
: Torsten Rmer [mailto:[EMAIL PROTECTED]
Sent: Friday, June 17, 2005 00:42
To: Tomcat Users List
Subject: Container Managed Security and mod_jk/Static Contents
Hello!
In order to improve performance for static contents I have setup Apache
with mod_jk. Now only Struts' *.do requests are served
: Container Managed Security?
I have a small question... I am used to providing my own authentication
system when
developing web systems, but I am now looking into providing container
based security
instead. But when writing authentication myself, I have full control and
can put
different
-
From: Bjørn T Johansen [EMAIL PROTECTED]
To: 'Tomcat Users List' tomcat-user@jakarta.apache.org
Sent: Thursday, April 07, 2005 7:05 AM
Subject: Container Managed Security?
I have a small question... I am used to providing my own authentication
system when
developing web systems, but I
javax.servlet.http.SessionListener
For a summary, read the javadocs. For full details read the spec.
Mark
Bjørn T Johansen wrote:
I have a small question... I am used to providing my own authentication system
when
developing web systems, but I am now looking into providing container based
Oops. Typo. That should be:
javax.servlet.http.HttpSessionListener
Mark Thomas wrote:
javax.servlet.http.SessionListener
For a summary, read the javadocs. For full details read the spec.
Mark
Bjørn T Johansen wrote:
I have a small question... I am used to providing my own
authentication system
That seems to be what I am looking for
I will look into this... Thx... :)
BTJ
Mark Thomas wrote:
Oops. Typo. That should be:
javax.servlet.http.HttpSessionListener
Mark Thomas wrote:
javax.servlet.http.SessionListener
For a summary, read the javadocs. For full details read the
I have a small question... I am used to providing my own authentication system
when
developing web systems, but I am now looking into providing container based
security
instead. But when writing authentication myself, I have full control and can put
different information that I need into the
, February 26, 2005 3:33 PM
Subject: Re: How to disable PUT, DELETE http methods etc if not using
container managed security?
For TC 5.x.x, you need two security-constraints to do what you want. One
of them looks like your first example, and the other like your second
example (except
: How to disable PUT, DELETE http methods etc if not using
container managed security?
For TC 5.x.x, you need two security-constraints to do what you want. One
of them looks like your first example, and the other like your second
example (except that you probably want <auth-constraint />, which
wrote:
Is there a way to prevent PUT or DELETE http methods if you're not using
container managed security? If so, how?
I already have this to force the use of https:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>
if you're not using
container managed security? If so, how?
I already have this to force the use of https:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- auth
Is there a way to prevent PUT or DELETE http methods if you're not using
container managed security? If so, how?
I already have this to force the use of https:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Context</web-resource-name>
<url-pattern>
Thanks for the help and discussion Ben.
/robert
Yep, they look the same.
Glad to help, even if I've done nothing more than validate your
assumptions ;)
/bea/message.jspa?messageID=202433201
Oh well...
/robert
-Original Message-
From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 5:55 PM
To: Tomcat Users List
Subject: Re: [newbie] Container Managed Security - preventing direct
access to .jsp
Robert Taylor wrote
-
From: Ben Souther [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 10:35 PM
To: Tomcat Users List
Subject: RE: [newbie] Container Managed Security - preventing direct
access to .jsp
It appears that there is no standard way to do this even though
it's implied in the spec
To: [EMAIL PROTECTED]
Subject: [newbie] Container Managed Security - preventing direct access
to .jsp
Greetings,
I'm new to Tomcat and this mailing list, and have a question
regarding configuring Tomcat to simply disallow access to .jsp pages
which I have been protected via the security
-
From: Robert Taylor [mailto:[EMAIL PROTECTED]
Sent: Monday, December 13, 2004 8:59 PM
To: [EMAIL PROTECTED]
Subject: [newbie] Container Managed Security - preventing direct access
to .jsp
Greetings,
I'm new to Tomcat and this mailing list, and have a question
regarding
Robert Taylor wrote:
Please let me know if this question is just too obvious
and I'll gladly RTFM...
See below :-)
It just seems like a common idiom to provide a portable mechanism
for protecting direct access to .jsp so as to enforce access through
some controller. I have in the past placed .jsp
Yes. That would be an alternative approach.
However, I want to use CMS (Container Managed Security) to protect direct
access to .jsp pages.
This should be possible as per the Servlet specification.
/robert
-Original Message-
From: Ben Souther [mailto:[EMAIL PROTECTED]
Sent: Tuesday
page/message when a .jsp page is requested without going through
the controller?
/robert
-Original Message-
From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 2:21 PM
To: Tomcat Users List
Subject: Re: [newbie] Container Managed Security - preventing
I have not run into that kind of problem before... typically if you hit
a JSP without hitting its controller first you will just get nothing (an
HTML screen with no data). when it gets routed back to the controller,
it will then register a failure due to lack of data. Problem solved.
[EMAIL
Fair enough.
When I mention Container Managed Security, I am referring to
using security constraints defined in web.xml to prevent
direct access to resources.
More specifically in Section 12.8 of the 2.4 specification:
Security constraints are a declarative way of defining the protection of web
Robert Taylor wrote:
Does this not imply that I can do what I am trying to do?
I suppose; I'm just baffled why you want to reinvent this particular
built-in wheel, but don't let that stop you :-)
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design === (+1)
example:
http://forums.bea.com/bea/message.jspa?messageID=202433201
Oh well...
/robert
-Original Message-
From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 5:55 PM
To: Tomcat Users List
Subject: Re: [newbie] Container Managed Security - preventing direct
a .jsp page is requested without going through
the controller?
/robert
-Original Message-
From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 2:21 PM
To: Tomcat Users List
Subject: Re: [newbie] Container Managed Security - preventing direct
access to .jsp
Robert Taylor wrote:
I didn't realize that was added to the 2.4 spec.
It was in 2.3, too. I'd guess it was in the spec from the get-go,
but don't have an older copy to hand to confirm.
Even so, it would be nice to know how to use CMS to achieve this.
What is your definition of Container Managed
From: Hassan Schroeder [EMAIL PROTECTED]
Given that the Java Servlet Specification Version 2.4, page 70 sez:
A special directory exists within the application hierarchy
named WEB-INF. This directory contains all things related to
the application that aren't in the document root of the
It appears that there is no standard way to do this even though
it's implied in the spec.
I don't know how standard this is but it works.
The trick is in the auth-constraint node (note the commented out
role-name).
Since it is exclusive. Not declaring a role-name for the protected
resource
Greetings,
I'm new to Tomcat and this mailing list, and have a question
regarding configuring Tomcat to simply disallow access to .jsp pages
which I have been protected via the <security-constraint/> in my web app
web.xml file.
From what I understand, the following should do the trick and cause
a
Sorry. I left off some info:
Tomcat 5.0.25
Win2k
JDK1.4.2
/robert
-Original Message-
From: Robert Taylor [mailto:[EMAIL PROTECTED]
Sent: Monday, December 13, 2004 8:59 PM
To: [EMAIL PROTECTED]
Subject: [newbie] Container Managed Security - preventing direct access
to .jsp
Subject: Container managed security in tomcat 5.x, need j_password in
struts web app, ServletFilter or IntermediateServlet?
Background:
=
I'm writing a web front-end to a back-end system which has 1000 user
accounts and each user has different rights (ACIs, ACLs) in that back-end
(think
It sounds like you'll need to create your own realm. You might be able to
extend JNDIRealm.
You cannot run filters on /j_security_check. The spec says so. Websphere
might allow it - but tomcat doesn't.
-Tim
[EMAIL PROTECTED] wrote:
Thanks Tim Funk for the quick answer,
In FormAuthenticator there is a line:
principal =
context.getRealm().authenticate(username, password);
It returns an
interface java.security.Principal
The Principal stores the username (uid), not the password
http://issues.apache.org/bugzilla/show_bug.cgi?id=21795
You can always write your own Realm which creates your own custom Principal
which can store the password in it. This does require some casting but not
uncommon.
-Tim
[EMAIL PROTECTED] wrote:
Thanks Tim Funk for the quick answer,
In
Thanks again Tim Funk. Your answer is another solution I didn't think of
and it sounds standard conform and secure and clean to me.
I'll develop my own JNDIRealm / JAASRealm and my own
Principal, so I get not only the name and roles of the user out of the
directory
but every other information
On Thu, Jul 08, 2004 at 11:19:39PM -0500, Steve Luzynski wrote:
: Using Tomcat 5.0.25 on Mac OS X (10.3.4 specifically). Trying to
: implement container managed security.
:
: [snip: deployment descriptor]
:
: When I try to hit a url like
: http://localhost:9006/IPBoss/add/add_network.html
On Jul 9, 2004, at 8:11 AM, QM wrote:
On Thu, Jul 08, 2004 at 11:19:39PM -0500, Steve Luzynski wrote:
: Using Tomcat 5.0.25 on Mac OS X (10.3.4 specifically). Trying to
: implement container managed security.
:
: [snip: deployment descriptor]
:
: When I try to hit a url like
: http://localhost
Steve Luzynski wrote:
On Jul 9, 2004, at 8:11 AM, QM wrote:
On Thu, Jul 08, 2004 at 11:19:39PM -0500, Steve Luzynski wrote:
: Using Tomcat 5.0.25 on Mac OS X (10.3.4 specifically). Trying to
: implement container managed security.
:
: [snip: deployment descriptor]
:
: When I try to hit a url like
On Jul 9, 2004, at 12:40 PM, Robert F. Hall wrote:
Have you tried adding <http-method/> elements to
<web-resource-collection> ?
<web-resource-collection>
<http-method>HEAD</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
On Fri, Jul 09, 2004 at 03:20:39PM -0500, Steve Luzynski wrote:
: Is there some logging or debugging I can turn on? The stock logs aren't
: showing me anything other than just a normal access to the resources
: that I'm wanting to protect.
Another silly question, then: what's the deployed
and decided this was a good time to move to container managed
security since I destroyed the entire view anyway. :) So because of
that there is no servlet mapping yet, I'm just trying to get Tomcat to
properly access control some static HTML right now.
(I'm grasping too...)
Thanks,
Steve
Steve Luzynski [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
On Jul 9, 2004, at 12:40 PM, Robert F. Hall wrote:
Have you tried adding <http-method/> elements to
<web-resource-collection> ?
<web-resource-collection>
<http-method>HEAD</http-method>
I've been scratching my head most of the day on this...
Using Tomcat 5.0.25 on Mac OS X (10.3.4 specifically). Trying to
implement container managed security.
I have a JDBC Realm set up in server.xml for the context in question.
The web.xml file for the application is set up just like
Hi,
I am using Tomcat managed security where I am using JAASRealm.
I have implemented a LoginModule ... using which I can login easily.
But how to logout ... doing session.invalidate() was what I thought would do
the trick. It did ... BUT ... after having logged out it is impossible to login
I used container managed security (I mean declaring security issues in
web.xml, and using security standard servlet API isUserInRole,
getUserPrincipal and so on) for several webapp, but I'm now facing the
following need that this approach seems not to satisfy:
I have to authenticate users based
On 03/04/2004 04:12 PM Renato Romano wrote:
I used container managed security (I mean declaring security issues in
web.xml, and using security standard servlet API isUserInRole,
getUserPrincipal and so on) for several webapp, but I'm now facing the
following need that this approach seems
'
Subject: Container managed security
Hi All,
May I know is it possible to have more than one login config for a
single container. Says I have 2 applications running on different
context; APP1 and APP2 both of them using container managed security.
But required separate login credential. Can I maintain
Hi All,
May I know is it possible to have more than one login config for a
single container. Says I have 2 applications running on different
context; APP1 and APP2 both of them using container managed security.
But required separate login credential. Can I maintain 2 or more set of
users
container-managed security
On Tue, 2 Apr 2002, Wellie W. Chao wrote:
Date: Tue, 2 Apr 2002 16:59:38 -0500
From: Wellie W. Chao [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Question about container-managed security
I'm using
I'm using Tomcat 4.0.2 and noticed that the security attributes returned by
request.getRemoteUser(), request.isUserInRole(x), and
request.getUserPrincipal() seem to only be present when the user is in a
protected directory, even if he has already logged in. That is to say, the
user can log in and
On Tue, 2 Apr 2002, Wellie W. Chao wrote:
Date: Tue, 2 Apr 2002 16:59:38 -0500
From: Wellie W. Chao [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Question about container-managed security
I'm using Tomcat 4.0.2 and noticed
the authentication information, but it is mildly
annoying.
-Original Message-
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 6:02 PM
To: Tomcat Users List
Subject: Re: Question about container-managed security
On Tue, 2 Apr 2002, Wellie W. Chao wrote
On Tue, Apr 02, 2002 at 06:42:40PM -0500, Wellie W. Chao wrote:
It's within the same webapp (the context path is the same). At first I
thought it was a cache issue, but I hit reload on both protected and
unprotected pages and it shows what I originally pulled up on each
particular page. That
Hi
Does anyone know how to take advantage of Tomcat 4.0 container managed
security features using a swing client?
I appreciate that the using j_security_check flag from a jsp client sets the
user's credentials which are intercepted by the container. Then container
can then perform the realm
Hi,
TCversion: 3.1
Java version: "1.3.0-C"
OS: Win 2000 (SP 1)
Has anyone else tested the Example Basic
Authentication Area (see TOMCAT_HOME\readme.txt)
in the example web app?
I placed an index.html in
'/examples/jsp/security/protected' directory and tried the following
URLs:
1:
as defined in TOMCAT_HOME/conf/tomcat-users.xml.
Container managed security in Tomcat 3.1 is broken. Use 3.2
or 4.0.
Craig McClanahan
61 matches