RE: Security Questions

William Kaufman Wed, 30 May 2001 06:43:28 -0700

From that class' javadoc:

* Access control - find if a request matches any web-resource-collection
* and set the "required" attributes.
*
* The spec requires additive checking ( i.e. there is no "best match"
* defined, but "all requests that contain a request path that mathces the
* URL pattern in the resource collection are subject to the constraing" ).
*
* In "integrated" mode this interceptor will be no-op, we'll use the
* web server ( assuming we can map the security to web-server equivalent
* concepts - I think we can do that, but need to experiment with that)

From that class' javadoc:

* Memory based realm - will authenticate and check the permissions
* for a request using a simple, in-memory list of users.
* This is for "demo" purpose only, to allow auth in standalone tomcat
* for developers.
*
* There are no restrictions or rules on how to authenticate - you have
* full control over the process.

I don't seem to have a simple xml file, should I?

You do: it's named $TOMCAT_HOME/conf/tomcat-users.xml .

-- Bill K.

-----Original Message-----
From: Gerry Duhig [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 30, 2001 4:00 AM
To: [EMAIL PROTECTED]
Subject: Security Questions

Hi!

I have Tomcat setup, actually running with JBoss, and I am looking at security.

I can setup an application with a login-conf in web.xml, but I cannot see who or what handles that. Is it Tomcat directly, or some loaded subsystem?

In detail: In my server.xml file I have the following:

        <RequestInterceptor className="org.apache.tomcat.request.AccessInterceptor" debug="0" />

What is this actually saying or doing?

I also have:

        
        <RequestInterceptor
            className="org.apache.tomcat.request.SimpleRealm"
            debug="0" />


Same question! What's it for, what's it do? I don't seem to have a simple xml file, should I?

Gerry

RE: Security Questions

Reply via email to