problem with authentication and security constrain

Tue, 18 Jun 2002 20:59:29 -0700 

Hi, forks,

I am using Tomcat4.0.3 and JDK 1.4 on solaris 8. All
the transactions are made through SSL/8443
The index.jsp has a link as
"https://192.168.10.10:8443/download/profit.xls";
and the other links for invoke servlet as
"https://192.168.10.10:8443/servlet/servlet1";.

patterns /servlet/* and /download/* are restricted by
applying <security-constraint> with <auth-constraint>
as the following web.xml indicated.

The problem is that I can invoke servelets just fine.
But when I click the link to download the .xls file.
Browser can't get access to the .xls file. If I take
out the <security-constraint> for pattern /download/*.
The link works. Why? Bug or my fault? Thanx!


Here is the web.xml
<web-app>
  <mime-mapping>
    <extension>xls</extension>
    <mime-type>application/vnd.ms-excel</mime-type>
  </mime-mapping>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

<security-constraint>
    <web-resource-collection>
      <web-resource-name>First</web-resource-name>
      <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>

 <security-constraint>
    <web-resource-collection>
      <web-resource-name>Second</web-resource-name>
      <url-pattern>/download/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name>
    </auth-constraint>
  </security-constraint>

   <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>

<form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>


__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html

Reply via email to