Hello all

I have a problem concerning Tomcat 4.1.30. In web.xml I defined several security constraints. First of all I protected the whole application and then I excluded the directories with images and CSS files. Furthermore, I defined some roles.

<pre>
<security-constraint>
        <display-name>TCE GUI</display-name>
        <web-resource-collection>
                <web-resource-name>WEBGui Area</web-resource-name>
                <!-- Define the context-relative URL(s) to be protected -->
                <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
                <!-- Anyone with one of the listed roles may access this area -->
                <role-name>*</role-name>
        </auth-constraint>
</security-constraint>

<security-constraint>
        <web-resource-collection>
                <web-resource-name>Images and CSS Not Protected</web-resource-name>
                <url-pattern>/images/*</url-pattern>
                <url-pattern>/css/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>HEAD</http-method>
        </web-resource-collection>
</security-constraint>

<security-constraint>
        <display-name>DSLAM Configuration</display-name>
        <web-resource-collection>
                <web-resource-name>Access to DSLAM Configuration</web-resource-name>
                <url-pattern>/DslamConfig/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
                <role-name>dslamConfig</role-name>
        </auth-constraint>
</security-constraint>

<login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/login-error.jsp</form-error-page>
        </form-login-config>
</login-config>

<security-role>
        <role-name>dslamConfig</role-name>
</security-role>
</pre>

So my problem is that this works fine with Tomcat 5.0 but not with Tomcat 4.1.30. If I go to the login page, the stylesheet and images are not found when running the application with version 4.1.30. Also, the security constraints are not working correctly: a user who doesn't have the role "dslamConfig" is able to enter the following URL: /DslamConfig/*

Does anyone have any ideas?

Thanks a lot
Angela
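
An added example, not part of the original post: a small checker that loads the constraints from the web.xml above and reports which roles a request would need under two resolution models, declaration-order first match and most-specific url-pattern match. Both models and the names `load`, `score` and `required_roles` are assumptions used for comparison; the post does not say which rule either Tomcat version applies.

```python
import xml.etree.ElementTree as ET

# Constraints copied from the post, reduced to the elements that affect matching.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/images/*</url-pattern>
   <url-pattern>/css/*</url-pattern><http-method>GET</http-method>
   <http-method>HEAD</http-method></web-resource-collection>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/DslamConfig/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>dslamConfig</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

def load(xml_text):
    """Return [(patterns, methods, roles)]; roles is None without <auth-constraint>."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text.strip() for r in auth.iter("role-name")]
        for wrc in sc.iter("web-resource-collection"):
            out.append(([p.text.strip() for p in wrc.iter("url-pattern")],
                        [m.text.strip() for m in wrc.iter("http-method")], roles))
    return out

def score(pattern, path):
    """Specificity of a servlet url-pattern match, or -1 if it does not match."""
    if pattern == path:
        return 10_000                      # exact match is the most specific
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return len(pattern)                # longer prefix pattern is more specific
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return 0                           # extension mapping ranks below any prefix
    return -1

def required_roles(constraints, path, method, model):
    """Roles needed (None = no login). model: 'first' = declaration order, 'best' = most specific."""
    hits = [(max((score(p, path) for p in pats), default=-1), roles)
            for pats, meths, roles in constraints
            if not meths or method in meths]   # no <http-method> means all methods
    hits = [h for h in hits if h[0] >= 0]
    if not hits:
        return None
    return hits[0][1] if model == "first" else max(hits, key=lambda h: h[0])[1]
```

Under the declaration-order model the leading `/*` constraint governs every request, so `/images/*` and `/css/*` require a login and `/DslamConfig/*` is checked only against `*`. Comparing `required_roles(load(WEB_XML), path, "GET", "first")` with the `"best"` result for the same path shows the difference.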
