The examples application that comes with Tomcat has a working security constraint --
start up Tomcat and try to access

http://localhost:8080/examples/jsp/security/protected

Just out of curiosity, is "/videosearch" the context path of your web app? If so,
you need to change your URL pattern to

<url-pattern>/servlet/AdminServlet</url-pattern>

because all paths within a web.xml file are supposed to be context relative.

Also, you should review the DTD for a web.xml file in the servlet spec, because it is
very picky about the order of elements. In particular, the required order is
<security-constraint>, then <login-config>, then <security-role>. Also, <auth-method>
goes before <realm-name> in the <login-config> element.

Tomcat 3.x doesn't care about any of this (until you try to use a JSP page with custom
tags, but that's a long story :-), but Tomcat 4.0 and many other servlet containers
use a validating parser, and will reject the web.xml file you've got below.

Craig

Neil Aggarwal wrote:
> Craig:
>
> Is there a working example of this?
>
> Here is what I did:
> 1. I added my user to the conf/tomcat-users.xml:
> <tomcat-users>
>   <user name="tomcat" password="tomcat" roles="tomcat" />
>   <user name="role1" password="tomcat" roles="role1" />
>   <user name="both" password="tomcat" roles="tomcat,role1" />
>   <user name="admin" password="test" roles="admin" />
> </tomcat-users>
>
> 2. In my application's web.xml file, I added the following
> lines within the <web-app> tag:
> <login-config>
>   <realm-name>Videosearch Admin</realm-name>
>   <auth-method>BASIC</auth-method>
> </login-config>
> <security-role>
>   <role-name>admin</role-name>
> </security-role>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>AdminServlet</web-resource-name>
>     <url-pattern>/videosearch/servlet/AdminServlet</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>admin</role-name>
>   </auth-constraint>
> </security-constraint>
>
> 3. I then restarted Tomcat.
>
> I still don't get a login box when I visit the URL.
>
> The logs don't have any information.
>
> Am I missing something else?
>
> Thanks,
> Neil.
>
> > Do you also have a <login-config> element in your web.xml file? If you do not,
> > Tomcat has no way to know how to authenticate users, so it does not even try.
> > You could probably make a case that Tomcat should reject access by default in
> > this scenario, but this is how it currently works.
> >
> > Regarding setting up usernames and passwords -- the default configuration uses a
> > text file "conf/tomcat-users.xml" to define the valid users and their roles.
> > See comments in "conf/server.xml" for how to change to a different
> > implementation.
>
> --
> Neil Aggarwal
> JAMM Consulting, Inc. -- (972) 612-6056, http://www.JAMMConsulting.com
> Custom Internet Development -- Java, JSP, servlets, databases
>
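
Added example, not part of the original thread or of Tomcat: a small Python check for the web.xml problems discussed above (element order, <auth-method> before <realm-name>, context-relative <url-pattern>, and a <security-constraint> with no <login-config>). The function name lint_web_xml and its messages are hypothetical; it assumes a DTD-era descriptor with no XML namespace, and the sample input is constructed from the quoted message.

```python
import xml.etree.ElementTree as ET

# Relative order required by the web.xml DTD, as stated in the reply.
ORDER = ["security-constraint", "login-config", "security-role"]

# Constructed input: the security elements from the quoted message, compacted.
BROKEN = """<web-app>
 <login-config><realm-name>Videosearch Admin</realm-name>
  <auth-method>BASIC</auth-method></login-config>
 <security-role><role-name>admin</role-name></security-role>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>AdminServlet</web-resource-name>
   <url-pattern>/videosearch/servlet/AdminServlet</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

def lint_web_xml(xml_text, context_path):
    """Return a list of findings for the security elements of a web.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    seen = [c.tag for c in root if c.tag in ORDER]
    if seen != sorted(seen, key=ORDER.index):
        findings.append("order: expected " + ", ".join(ORDER))
    login = root.find("login-config")
    if login is None:
        # Without login-config the container has no way to authenticate.
        if root.find("security-constraint") is not None:
            findings.append("security-constraint without login-config")
    else:
        kids = [c.tag for c in login]
        if ("auth-method" in kids and "realm-name" in kids
                and kids.index("auth-method") > kids.index("realm-name")):
            findings.append("login-config: auth-method must precede realm-name")
    # Heuristic: a pattern that repeats the context path is probably not relative.
    prefix = context_path.rstrip("/") + "/"
    for pat in root.iter("url-pattern"):
        text = (pat.text or "").strip()
        if context_path.strip("/") and text.startswith(prefix):
            findings.append("url-pattern not context-relative: " + text)
    return findings

if __name__ == "__main__":
    print("\n".join(lint_web_xml(BROKEN, "/videosearch")))
```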