-Tim
Chris Rolfe wrote:
Hi,
Does anyone have a way to set security constraints to forbid access to everything (as the default) *except* specified files + dirs?
The web.xml snippet below comes very close to doing what I want although it relies on the order of constraints (i.e., it's container-dependent).
The problem with my solution is that incomplete URIs don't have a chance to be redirected to the welcome file. For example, "mydomain.com/myservlet" hits the SecurityConstraint[Forbidden] before being redirected to index.jsp.
So to rephrase the question: Is there a way to set security constraints to forbid access to everything *except* specified files + dirs WITHOUT breaking the site-root welcome-file redirect? Any workaround to exempt the '/' redirect (maybe a servlet-mapping??).
Thanks,
Chris
Tomcat 404 web.xml snippet
-----------------------------------------------
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public</web-resource-name>
    <url-pattern>/index.jsp</url-pattern>
    <url-pattern>/public/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Forbidden</web-resource-name>
    <description>Everything else.</description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>none</role-name> <!-- This role doesn't exist -->
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
-----------------------------------------------
