Neil Aggarwal wrote:
> David:
>
> I am trying to protect a servlet within my web application.
> I want the rest of it to be accessible except for that
> servlet.
>
> Based on my reading of the servlet 2.3 specification, I
> added the following lines to my application's web.xml file:
>   <security-role>
>     <role-name>admin</role-name>
>   </security-role>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>AdminServlet</web-resource-name>
>       <url-pattern>/videosearch/servlet/AdminServlet</url-pattern>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>admin</role-name>
>     </auth-constraint>
>   </security-constraint>
>
> But, when I visit /videosearch/servlet/AdminServlet, I get
> the result from the servlet without it asking for a login.
>
> Also, I don't understand how I can set up the password.
>
> Any guidance would really help.
>
Do you also have a <login-config> element in your web.xml file? If you do not,
Tomcat has no way to know how to authenticate users, so it does not even try.
You could probably make a case that Tomcat should reject access by default in
this scenario, but this is how it currently works.

Regarding setting up usernames and passwords -- the default configuration uses a
text file "conf/tomcat-users.xml" to define the valid users and their roles.
See comments in "conf/server.xml" for how to change to a different
implementation.
>
> Thanks,
> Neil.
Craig McClanahan
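
Added example, not part of the original messages and not Tomcat code: a small deployment check for the condition described in the reply, a <security-constraint> carrying an <auth-constraint> in a web.xml that has no <login-config>. Both descriptors are constructed samples modeled on the one in the question; the BASIC method, the realm name and the extra undeclared-role check are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modeled on the question's descriptor: no <login-config>.
NO_LOGIN = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminServlet</web-resource-name>
      <url-pattern>/videosearch/servlet/AdminServlet</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

# Constructed sample: the same descriptor with a BASIC <login-config> added
# between the constraint and the role (realm name is a placeholder).
WITH_LOGIN = NO_LOGIN.replace(
    "  <security-role>",
    "  <login-config>\n    <auth-method>BASIC</auth-method>\n"
    "    <realm-name>Admin Area</realm-name>\n  </login-config>\n"
    "  <security-role>")


def _local(tag):
    # Drop any XML namespace so schema-based descriptors are handled too.
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    # Stripped text of every descendant element called `name`.
    return [(e.text or "").strip() for e in parent.iter() if _local(e.tag) == name]


def audit_web_xml(xml_text):
    """Return (issue, detail) findings for constraints that cannot be enforced."""
    root = ET.fromstring(xml_text)
    top = lambda name: [e for e in root if _local(e.tag) == name]
    has_login = any(any(_texts(lc, "auth-method")) for lc in top("login-config"))
    declared = {r for sr in top("security-role") for r in _texts(sr, "role-name")}
    findings = []
    for sc in top("security-constraint"):
        auth = [e for e in sc if _local(e.tag) == "auth-constraint"]
        if not auth:
            continue  # no role requirement, so nothing to authenticate
        if not has_login:
            findings += [("no-login-config", p) for p in _texts(sc, "url-pattern")]
        for role in _texts(auth[0], "role-name"):
            if role != "*" and role not in declared:
                findings.append(("undeclared-role", role))
    return findings
```

Running audit_web_xml over each web.xml before deployment reports every url-pattern whose role requirement has no authentication method behind it.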