Re: Problem in Welcome-file-list and security

[shanmugampl]

Found out the problem. Changing the <welcome-file> from */jsp/test.jsp* 
to *jsp/test.jsp *solves the issue. The additional / causes some changes 
in the url pattern and as a result the request was not considered to be 
secured one. Thanks for your effort.

-Shan-

Tim Funk wrote:

Make your welcome file index.jsp. Then for that specific URL (/) - 
have it redirect to jsp/test.jsp. That way the external redirect 
forces the security constraint to be caught. For example:

index.jsp:

<%@ taglib uri="http://java.sun.com/jstl/core"; prefix="c"%>
<c:redirect url="jsp/test.jsp"/>


-Tim

shanmugampl wrote:

My very first page is the login screen. If i have specified security 
constraints, then how can i show the login screen as the first 
screen. The request should actually go to a secured screen, and this 
will bring up the login screen. Thats the reason, i require the first 
page to be secured. Is there any other way i can do this.

-Shanmugam-

Tim Funk wrote:

Security constraints are in the incoming URL.

[
Also welcome files *should*(but not required) be single files - not 
files buried under a directory.
Good: <welcome-file>cowbell.jsp</welcome-file>
Bad:  <welcome-file>more/cowbell.jsp</welcome-file>
]

-Tim

shanmugampl wrote:

Hi,

   I am using 5.0.19 & I have the following definition in my 
web.xml file

  <welcome-file-list>
*      <welcome-file>/jsp/test.jsp</welcome-file>*
   </welcome-file-list>
   <security-constraint>
   <web-resource-collection>
     <web-resource-name>Secured Core Context</web-resource-name>
*      <url-pattern>/jsp/*</url-pattern>*
   </web-resource-collection>
     <auth-constraint>
     <role-name>*</role-name>
   </auth-constraint>
   </security-constraint>
 <login-config>
   <auth-method>FORM</auth-method>
   <form-login-config>
     <form-login-page>/login/login.jsp</form-login-page>
     <form-error-page>/login/login.jsp</form-error-page>
   </form-login-config>
 </login-config>
      Now if i access my application as 
http://localhost:8080/<appName>, the welcome-file is served 
directly, without going through the security constraints. But if i 
invoke as. http://localhost:8080/<appName>/jsp/test.jsp, then the 
login.jsp page is brought up.
      The same setup works fine in tomcat 4.1.24

      Am i missing something in the configuration or is it a tomcat 
5 bug. If it is a bug are there any workarounds
 



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]