Birte Glimm wrote:

> Hi,
> I'm using tomcat 3.2.1, Win 2000 and I tried to configure a servlet (Header, 
> displays just all received Header information) with basic authentication. I changed 
> the web.xml as follows:
>
>     <servlet-mapping>
>         <servlet-name>
>             Header
>         </servlet-name>
>         <url-pattern>
>             /protected/Header
>         </url-pattern>
>     </servlet-mapping>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Birtes Protected Area</web-resource-name>
>             <url-pattern>/protected/*</url-pattern>
>             <http-method>DELETE</http-method>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>             <http-method>PUT</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>tomcat</role-name>
>         </auth-constraint>
>     </security-constraint>
>
>     <login-config>
>       <auth-method>BASIC</auth-method>
>       <realm-name>Birte</realm-name>
>     </login-config>
>
> That works (http://localhost/myApp/protected/Header). But if I enter 
> http://localhost/myApp/servlet/Header I also get the servlet but without 
> authentication. Why, and what must I do so that the servlet is only available with the 
> first URL?
>

One approach would be to disable the "invoker" servlet facility, as others have 
pointed out.  (Simply comment out the "invoker interceptor" entry in server.xml.)

Another option is to remember that security constraints are based on matching URL 
patterns, and you can add a second <url-pattern> to your <web-resource-collection>:

    <url-pattern>
        /servlet/Header/*
    </url-pattern>

That way, the security constraint covers requests done through the invoker servlet as 
well.

> Thanks Birte

Craig McClanahan
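
The URL-pattern matching discussed in this thread can be checked offline. The following is an added example, not part of the original messages or of Tomcat: a small Python audit that reads the `<url-pattern>` entries of each `<security-constraint>` and reports which request paths they cover. The descriptor is a constructed fragment modelled on the one in the question, and the matching rules are assumed to be the servlet specification's prefix, extension, default and exact rules.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment modelled on the constraint in the question.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# The same descriptor with the second pattern suggested in the reply.
WEB_XML_FIXED = WEB_XML.replace(
    "</web-resource-collection>",
    "  <url-pattern>/servlet/Header/*</url-pattern>\n"
    "    </web-resource-collection>")

# Context-relative paths that reach the same servlet (from the thread).
PATHS = ["/protected/Header", "/servlet/Header"]

def constrained_patterns(web_xml):
    """Collect every <url-pattern> nested in a <security-constraint>."""
    root = ET.fromstring(web_xml)
    return [p.text.strip()
            for sc in root.iter("security-constraint")
            for p in sc.iter("url-pattern") if p.text]

def matches(pattern, path):
    """Servlet-spec style matching: prefix, extension, default, exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == "/" or pattern == path

def audit(web_xml, paths):
    """Map each path to True if some security constraint covers it."""
    patterns = constrained_patterns(web_xml)
    return {p: any(matches(pat, p) for pat in patterns) for p in paths}

if __name__ == "__main__":
    for label, xml in (("original", WEB_XML), ("with added pattern", WEB_XML_FIXED)):
        for path, covered in audit(xml, PATHS).items():
            print(f"{label:20} {path:20} {'protected' if covered else 'UNPROTECTED'}")
```

Running the audit over every URL under which a servlet is reachable, including the invoker path, shows which mappings still fall outside the constraint before the application is deployed.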


