Jim Urban wrote:
> I am running Tomcat with Apache on NT. I have a servlet context which
> contains three servlets and their supporting classes. All the .class files
> have been "jared" and the .jar file placed in the web-inf/lib directory. I
> have set up my web.xml file to find the servlets an pass them init params
> just fine. I now need to limit access to the servlets to different groups
> of users. How do I set this up? Can someone please send me a sample of
> "<security-constraint>" section (is this where it gets done?) of a web.xml
> file?
>
The "examples" web application that comes with Tomcat has a <security-constraint> set
up on the path
http://localhost:8080/jsp/security/protected
which will trigger form-based login. See "$TOMCAT_HOME/webapps/examples/web.xml".
The requirements (and another example) are found in the Servlet Specification, version
2.2, at <http://java.sun.com/products/servlet/download.html>.
For Tomcat, the default location for information describing users, passwords, and
roles is in a text file named $TOMCAT_HOME/conf/tomcat-users.xml. It is also possible
to configure Tomcat to use a database for username lookups (using the JDBCRealm
class), or to write your own custom Realm implementation to look anywhere else.
NOTE: If you are running Tomcat behind Apache in the usual fashion (i.e. having
Apache serve static resources), *only* the dynamic requests that are actually
forwarded to Tomcat will be protected by these constraints.
> Jim Urban
Craig McClanahan
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]
