Hi,

Does anyone have a way to set security constraints to forbid access to
everything (as the default) *except* specified files + dirs?

The web.xml snippet below comes very close to doing what I want, although it
relies on the order of constraints (i.e., it's container-dependent).

The problem with my solution is that incomplete URIs don't have a chance to
be redirected to the welcome file. For example, "mydomain.com/myservlet"
hits the SecurityConstraint[Forbidden] before being redirected to
index.jsp.

So to rephrase the question: Is there a way to set security constraints to
forbid access to everything *except* specified files + dirs WITHOUT breaking
the site-root welcome-file redirect? Any workaround to exempt the '/'
redirect (maybe a servlet-mapping??).

Thanks,

Chris 

Tomcat 404 web.xml snippet
-----------------------------------------------
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Public</web-resource-name>
            <url-pattern>/index.jsp</url-pattern>
            <url-pattern>/public/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Forbidden</web-resource-name>
            <description>Everything else.</description>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>none</role-name> <!-- This role doesn't exist -->
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
-----------------------------------------------
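
The behaviour described in the post, modelled as an added example (not code from the original message or from Tomcat): it parses the two constraints, trimmed to the elements that affect matching, and returns the first one in declaration order that covers a request. First-match evaluation is the assumption the post itself makes, the context-relative path `/` stands in for the incomplete URI, and `pattern_matches` and `first_match` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# The two constraints from the post, wrapped in a root element so they parse.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
      <url-pattern>/public/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Forbidden</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>none</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet-style URL pattern match: exact, '/prefix/*', or '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def first_match(web_xml, method, path):
    """Return (name, roles) of the first constraint covering the request."""
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        wrc = sc.find("web-resource-collection")
        methods = [m.text for m in wrc.findall("http-method")]
        if methods and method not in methods:
            continue  # a method not listed in a collection is outside that constraint
        if any(pattern_matches(p.text, path) for p in wrc.findall("url-pattern")):
            roles = [r.text for r in sc.findall("auth-constraint/role-name")]
            return wrc.findtext("web-resource-name"), roles
    return None, []

if __name__ == "__main__":
    for path in ("/", "/index.jsp", "/public/css/site.css", "/admin/x.jsp"):
        print(path, first_match(WEB_XML, "GET", path))
```

The request for `/` matches only `/*`, so it lands in the Forbidden constraint, while `/index.jsp` itself is covered by Public.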

