Re: Tomcat cannot access the resources in an HTTPS webapp

2007-07-16 Thread Dimitris Mouchritsas
Mark Thomas wrote:
 Dimitris Mouchritsas wrote:
   
   <login-config>
     <auth-method>HTTPS</auth-method>
     <realm-name>ORA Examples</realm-name>
   </login-config>
 

 There is no such authentication method defined in the spec. If you
 want client certificate authentication then the correct value is
 CLIENT-CERT.

 Mark

 -
 To start a new topic, e-mail: users@tomcat.apache.org
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]


   

No, I don't want client certification at the moment, only the encryption
that https offers.
So if I want a subdirectory (e.g. admin) of my webapp, or my entire
webapp to be accessible
_only_ under https what should I do?





Re: Tomcat cannot access the resources in an HTTPS webapp

2007-07-16 Thread Lyallex

Hi

There seems to be an awful lot of confusion on this list about
container managed security and https ... I know I was confused when I
started with it.

As I see it the two are not really connected.

I think what you want to do is to force an https request for certain
resources in your application.

One way of doing this is to add this to your security constraint

<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

Of course, as always, this is not the complete answer but it should
get you started.

(see http://java.sun.com/j2ee/dtds/web-app_2_2.dtd for where this goes
in web.xml)

If you were to configure the
<auth-method>FORM</auth-method> (for example)
with a suitable login form then when you attempt to access a protected
resource that has the required transport guarantee associated with it,
access to that resource will not only require a user to log in but
access to the resource itself will 'automatically' be over https.

As usual I'm sure there are other (better) ways of doing this but it
works for me.

I hope this helps.

Rgds
Duncan

On 7/16/07, Dimitris Mouchritsas [EMAIL PROTECTED] wrote:

Mark Thomas wrote:
 Dimitris Mouchritsas wrote:

   <login-config>
     <auth-method>HTTPS</auth-method>
     <realm-name>ORA Examples</realm-name>
   </login-config>

 There is no such authentication method defined in the spec. If you
 want client certificate authentication then the correct value is
 CLIENT-CERT.

 Mark





No, I don't want client certification at the moment, only the encryption
that https offers.
So if I want a subdirectory (e.g. admin) of my webapp, or my entire
webapp to be accessible
_only_ under https what should I do?





RE: Tomcat cannot access the resources in an HTTPS webapp

2007-07-16 Thread Caldarale, Charles R
 From: Dimitris Mouchritsas [mailto:[EMAIL PROTECTED] 
 Subject: Re: Tomcat cannot access the resources in an HTTPS webapp
 
 So if I want a subdirectory (e.g. admin) of my webapp, or my entire
 webapp to be accessible _only_ under https what should I do?

Read section 12 of the servlet spec:
http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index.html

Use a combination of url-pattern and transport-guarantee (along with
their surrounding elements, of course).

Note that the Tomcat doc does not duplicate any information in the
servlet spec; you have to read both.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.




Re: Tomcat cannot access the resources in an HTTPS webapp

2007-07-16 Thread Dimitris Mouchritsas
Thank you for your responses. Well, I was a bit lost in the specs but
after looking up transport-guarantee I got what I
wanted. Out of curiosity though what should I do to add tomcat user
authentication?
I tried adding:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>search</web-resource-name>
    <url-pattern>/ch13/search/*</url-pattern>
  </web-resource-collection>

  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
  <!-- add here -->
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <!-- end add -->
</security-constraint>
but tomcat, while asking me to log in, and I did, denied access to the
resource. Without the addition I get the https encryption
that I require.

Caldarale, Charles R wrote:
 From: Dimitris Mouchritsas [mailto:[EMAIL PROTECTED] 
 Subject: Re: Tomcat cannot access the resources in an HTTPS webapp

 So if I want a subdirectory (e.g. admin) of my webapp, or my entire
 webapp to be accessible _only_ under https what should I do?
 

 Read section 12 of the servlet spec:
 http://jcp.org/aboutJava/communityprocess/mrel/jsr154/index.html

 Use a combination of url-pattern and transport-guarantee (along with
 their surrounding elements, of course).

 Note that the Tomcat doc does not duplicate any information in the
 servlet spec; you have to read both.

  - Chuck




   





RE: Tomcat cannot access the resources in an HTTPS webapp

2007-07-16 Thread Caldarale, Charles R
 From: Dimitris Mouchritsas [mailto:[EMAIL PROTECTED] 
 Subject: Re: Tomcat cannot access the resources in an HTTPS webapp
 
 Out of curiosity though what should I do to add tomcat user
 authentication?

Container-managed authentication is unique to the container, so refer to
the appropriate Tomcat doc:
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html

If you're using the default Realm (likely), you need to add
appropriate userid, password, and role names to conf/tomcat-users.xml,
and restart Tomcat.

 - Chuck
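
[Added example, not part of any poster's message.] The three points raised in this thread (auth-method must be a value the servlet spec defines, transport-guarantee CONFIDENTIAL forces HTTPS, and a role named in auth-constraint must be held by a user in conf/tomcat-users.xml) can be checked offline. The XML samples are constructed from the fragments quoted in the thread; the function names and the user entry are assumptions.

```python
import xml.etree.ElementTree as ET

SPEC_AUTH_METHODS = {"BASIC", "DIGEST", "FORM", "CLIENT-CERT"}

# Constructed sample: the thread's constraint plus the rejected auth-method value.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>search</web-resource-name>
      <url-pattern>/ch13/search/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>HTTPS</auth-method></login-config>
</web-app>"""

# Constructed sample: a user exists, but nobody holds the "admin" role.
USERS_XML = """<tomcat-users>
  <user username="dimitris" password="placeholder" roles="tomcat"/>
</tomcat-users>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop an XML namespace if present

def texts(root, name):
    return [(e.text or "").strip() for e in root.iter() if local(e) == name]

def audit(web_xml, users_xml):
    """Return a list of findings for the misconfigurations discussed in the thread."""
    web, users = ET.fromstring(web_xml), ET.fromstring(users_xml)
    findings = []
    for method in texts(web, "auth-method"):
        if method not in SPEC_AUTH_METHODS:
            findings.append(f"auth-method {method!r} is not defined by the servlet spec")
    # Roles actually granted to some user in tomcat-users.xml (comma-separated).
    granted = {r.strip() for u in users.iter() if local(u) == "user"
               for r in u.get("roles", "").split(",") if r.strip()}
    for sc in (e for e in web.iter() if local(e) == "security-constraint"):
        patterns = ", ".join(texts(sc, "url-pattern"))
        if "CONFIDENTIAL" not in texts(sc, "transport-guarantee"):
            findings.append(f"{patterns}: reachable over plain HTTP")
        for role in texts(sc, "role-name"):
            if role != "*" and role not in granted:
                findings.append(f"{patterns}: no user holds role {role!r}; "
                                "an authenticated user is still denied")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEB_XML, USERS_XML)))
```
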





Re: Tomcat cannot access the resources in an HTTPS webapp

2007-07-13 Thread Mark Thomas
Dimitris Mouchritsas wrote:
   <login-config>
     <auth-method>HTTPS</auth-method>
     <realm-name>ORA Examples</realm-name>
   </login-config>

There is no such authentication method defined in the spec. If you
want client certificate authentication then the correct value is
CLIENT-CERT.

Mark
