I will have to further ask, how about content referenced from those
pages? Such as images.
Is there an easy way to say secure everything, except these directories?
Is there a special role, "GUEST" or "ANONYMOUS" which we can assign the
images directory... etc etc?
fern
On Tue, 20 Feb 2001, Randy Layman wrote:
>
> Either move to Tomcat 4.0 (both login and error pages are not
> protected, regardless of their location) or move all your webapp into a
> subdirectory except for the login page. They may not be good choices, but they
> are the only choices that I know of.
>
> Randy
>
> -----Original Message-----
> From: paul marshal [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, February 20, 2001 10:04 AM
> To: tomcat-list
> Subject: formbased authentication: login.jsp is protected as well ?
>
>
> Hi !
>
> I want to restrict access to the whole webApplication using formbased
> authentication. ( not just a subdirectory as I've seen it
> in all the examples )
> Here is what I tried in web.xml:
>
> <web-app>
> <!-- all the mappings etc. -->
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>adminConsole</web-resource-name>
> <description>All adminConsole Pages</description>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
>
> <auth-constraint>
> <description>admin console user</description>
> <role-name>adminConsoleUser</role-name>
> </auth-constraint>
>
> <user-data-constraint>
> <transport-guarantee>NONE</transport-guarantee>
> </user-data-constraint>
>
> </security-constraint>
>
> <login-config>
> <auth-method>FORM</auth-method>
> <form-login-config>
> <form-login-page>/login.jsp</form-login-page>
> <form-error-page>/login_error.jsp</form-error-page>
> </form-login-config>
> </login-config>
>
> </web-app>
>
> The problem is that the login.jsp that I configure in web.xml (in
> <login-config>...</login-config>) is also part of the webApp and thereby
> also access restricted.
> So when the container tries to forward to the login.jsp it would be
> directed there again in an infinite loop. What really happens
> is that I get a server generated error message saying something similar
> to: "page moved."
>
> How can I protect the entire webApp ?
> Any help, ideas etc ??
>
> Paul
>
>
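The "secure everything, except these directories" layout asked about above, as an added web.xml fragment that is not from any participant in this thread. It assumes a Servlet 2.4 or later container, where the best-matching url-pattern decides which constraint applies (not the Tomcat 3.x behaviour discussed here); the /images/* path and the publicAssets name are hypothetical.

```xml
<!-- Added example; assumes Servlet 2.4+ constraint matching.
     /images/* and publicAssets are assumed names, not from the thread. -->
<web-app>
  <!-- all the mappings etc. -->

  <!-- Public area: a security-constraint WITHOUT an auth-constraint permits
       unauthenticated access. /images/* is a longer path-prefix match than
       /*, so it is the constraint applied to requests under /images/.
       Keep only static assets here: everything below this path is served
       to anonymous users. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>publicAssets</web-resource-name>
      <url-pattern>/images/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <!-- Everything else requires the adminConsoleUser role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adminConsole</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>adminConsoleUser</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login_error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>adminConsoleUser</role-name>
  </security-role>
</web-app>
```

Do not add an empty <auth-constraint/> to the public block: an auth-constraint that names no roles denies all access instead of opening it.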