The first important issue -- all paths within web.xml are relative to the
context root, not the server root. So, the first thing to do is change

  <url-pattern>/webadmin/WEB-INF/*</url-pattern>

to

  <url-pattern>/WEB-INF/*</url-pattern>

The second important issue -- the servlet container already protects all
URLs that have /WEB-INF in them. To prove it, try this from your browser:

  http://localhost:8080/webadmin/WEB-INF/web.xml

and you will get a "forbidden" error back.

The third important issue -- you want to express URL patterns based on the
URL submitted by the browser, not where the classes are loaded from. So, if
you are trying to protect a URL like this:

  http://localhost:8080/webadmin/servlet/MyServlet

then the real URL pattern you want to use is probably:

  <url-pattern>/servlet/*</url-pattern>

Craig McClanahan

On Mon, 12 Nov 2001, Sunhild Copony wrote:

> Date: Mon, 12 Nov 2001 13:03:01 +0100
> From: Sunhild Copony <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Memory Realm - Redirect to NULL ??
>
> Hi all,
>
> referring to:
> Re: form based login
> From: Craig R. McClanahan
> Date: Sun, 16 Sep 2001 19:14:43 -0700
>
> I read what Craig wrote to this problem - but I don't have any directive
> for cookies in server.xml (and have one more question).
> In the other points I have the same problem as Pero: twice call to
> login.jsp and redirect to NULL after successful authentication. I tried
> the same login.jsp; error.jsp is called for invalid users...
>
> I tried to access from the server or from a client - always the same.
> I think too that it's a problem of my configuration, maybe everyone sees
> it, except me!!
>
> And I have another problem: the protection doesn't exist??!! When I
> call one of the .jsps from webadmin (without login) the servlets from
> WEB-INF/classes/ are executed - and exactly that's what I wanted to avoid...
>
>
> Thanks for any help!
> Sunny
>
>
> Here's my configuration:
>
> server.xml
>
> <!-- WebAdmin Context -->
> <Context path="/webadmin" docBase="webadmin" debug="99"
>          reloadable="true">
>   <Logger className="org.apache.catalina.logger.FileLogger"
>           prefix="localhost_webadmin_log." suffix=".txt"
>           timestamp="true"/>
>   <Environment name="maxExemptions" type="java.lang.Integer"
>                value="15"/>
>   <Parameter name="context.param.name"
>              value="context.param.value" override="false"/>
>   <Resource name="mail/Session" auth="Container"
>             type="javax.mail.Session"/>
>   <ResourceParams name="mail/session">
>     <parameter>
>       <name>mail.smtp.host</name>
>       <value>localhost</value>
>     </parameter>
>   </ResourceParams>
> </Context>
>
> -------------------------------------------
>
> web.xml (in my webapps/webadmin/WEB-INF)
>
> <!-- WebAdmin - web.xml -->
>
> <web-app>
> ...
>   <security-constraint>
>     <display-name>Webadmin Security Constraint</display-name>
>     <web-resource-collection>
>       <web-resource-name>Protected Area</web-resource-name>
>       <!-- Define the context-relative URL(s) to be protected -->
>       <url-pattern>/webadmin/WEB-INF/*</url-pattern>
>       <!-- If you list http methods, only those methods are protected -->
>       <http-method>DELETE</http-method>
>       <http-method>GET</http-method>
>       <http-method>POST</http-method>
>       <http-method>PUT</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <!-- Anyone with one of the listed roles may access this area -->
>       <role-name>tomcat</role-name>
>       <role-name>role1</role-name>
>     </auth-constraint>
>   </security-constraint>
>
>   <!-- Default login configuration uses form-based authentication -->
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <realm-name>Webadmin Form-Based Authentication Area</realm-name>
>     <form-login-config>
>       <form-login-page>/login.jsp</form-login-page>
>       <form-error-page>/error.jsp</form-error-page>
>     </form-login-config>
>   </login-config>
>
> </web-app>
>
> [putting into "context-relative URL(s) to be protected" just
> webadmin/WEB-INF I thought to enable access to webadmin/login.jsp...,
> but not to webadmin/WEB-INF/...]
>
> ----------------------------------
>
> tomcat_user.xml (unchanged)
>
> <tomcat-users>
>   <user name="tomcat" password="tomcat" roles="tomcat" />
>
> ----------------------------------
>
> tomcat/conf/web.xml is unchanged
>
> ----------------------------------
>
> index.jsp changed into:
>
> <%
>   if (request.getParameter("logoff") != null) {
>     session.invalidate();
>     response.sendRedirect("index.jsp");
>     return;
>   }
> %>
>
> <!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 3.2//EN'>
> <html>
> <head><title>INO WebAdmin</title></head>
>
> <frameset cols="20%,80%">
>   <frame src="treeframe.jsp" name=Treefenster>
>   <frame src="statusrf.jsp" name=Rightfenster>
> </frameset>
>
> <body>
> </body>
> </html>
>
> *************************
> LOG:
>
> localhost_webadmin_log...
>
> 2001-11-12 11:01:04 Authenticator[/webadmin]: Security checking request GET /webadmin/login.jsp
> 2001-11-12 11:01:04 Authenticator[/webadmin]: Checking constraint 'SecurityConstraint[Protected Area]' against GET /login.jsp --> false
> 2001-11-12 11:01:04 Authenticator[/webadmin]: No applicable constraint located
> 2001-11-12 11:01:04 Authenticator[/webadmin]: Not subject to any constraint
> 2001-11-12 11:01:04 StandardContext[/webadmin]: Mapping contextPath='/webadmin' with requestURI='/webadmin/login.jsp' and relativeURI='/login.jsp'
> 2001-11-12 11:01:04 StandardContext[/webadmin]: Decoded relativeURI='/login.jsp'
> 2001-11-12 11:01:04 StandardContext[/webadmin]: Trying exact match
> 2001-11-12 11:01:04 StandardContext[/webadmin]: Trying prefix match
> 2001-11-12 11:01:04 StandardContext[/webadmin]: Trying extension match
> 2001-11-12 11:01:04 StandardContext[/webadmin]: Mapped to servlet 'jsp' with servlet path '/login.jsp' and path info 'null' and update=true
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Security checking request POST /webadmin/j_security_check
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Authenticating username 'tomcat'
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Authentication of 'tomcat' was successful
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Redirecting to original 'null'
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Failed authenticate() test
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Security checking request GET /webadmin/null
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Checking constraint 'SecurityConstraint[Protected Area]' against GET /null --> false
> 2001-11-12 11:01:13 Authenticator[/webadmin]: No applicable constraint located
> 2001-11-12 11:01:13 Authenticator[/webadmin]: Not subject to any constraint
> 2001-11-12 11:01:13 StandardContext[/webadmin]: Mapping contextPath='/webadmin' with requestURI='/webadmin/null' and relativeURI='/null'
> 2001-11-12 11:01:13 StandardContext[/webadmin]: Decoded relativeURI='/null'
> 2001-11-12 11:01:13 StandardContext[/webadmin]: Trying exact match
> 2001-11-12 11:01:13 StandardContext[/webadmin]: Trying prefix match
> 2001-11-12 11:01:13 StandardContext[/webadmin]: Trying extension match
> 2001-11-12 11:01:13 StandardContext[/webadmin]: Trying default match
> 2001-11-12 11:01:13 StandardContext[/webadmin]: Mapped to servlet 'default' with servlet path '/null' and path info 'null' and update=true
>
> ----------------------------------
>
>
>
> --
> To unsubscribe: <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>
>
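The matching rules behind Craig's first and third points, as an added example that is not part of the thread or of Tomcat's own code: a small Python model of how a container matches `<security-constraint>` url-patterns against the context-relative request path (Servlet spec order: exact, path-prefix, extension, default). It assumes the `/webadmin` context path from the quoted server.xml; the function names and the BROKEN/FIXED pattern lists are mine.

```python
# Added example, not from the thread: a model of how a servlet container
# matches <security-constraint> url-patterns against the context-relative
# request path (Servlet spec rules: exact, path-prefix, extension, default).
# It demonstrates Craig's first and third points with the quoted web.xml.
# CONTEXT_PATH comes from the quoted server.xml; all function names are mine.

CONTEXT_PATH = "/webadmin"


def context_relative(request_uri: str, context_path: str = CONTEXT_PATH) -> str:
    """Strip the context path; url-patterns are matched against what is left."""
    if request_uri == context_path:
        return "/"
    if request_uri.startswith(context_path + "/"):
        return request_uri[len(context_path):]
    raise ValueError(f"{request_uri!r} is not inside context {context_path!r}")


def pattern_matches(pattern: str, path: str) -> bool:
    """Match one url-pattern against a context-relative path."""
    if pattern == "/":                      # default pattern: everything
        return True
    if pattern.endswith("/*"):              # path-prefix pattern
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):            # extension pattern, e.g. *.jsp
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern                  # exact pattern


def is_constrained(patterns, request_uri: str) -> bool:
    """True if any pattern of the constraint covers the browser's request URI."""
    path = context_relative(request_uri)
    return any(pattern_matches(p, path) for p in patterns)


# The pattern from the quoted web.xml, written as though it were server-relative:
# after stripping the context path, no request can ever start with /webadmin/.
BROKEN = ["/webadmin/WEB-INF/*"]
# Craig's suggestion: constrain the URL the browser actually sends.
FIXED = ["/servlet/*"]

if __name__ == "__main__":
    for uri in ("/webadmin/login.jsp", "/webadmin/servlet/MyServlet"):
        print(f"{uri}: broken={is_constrained(BROKEN, uri)} fixed={is_constrained(FIXED, uri)}")
```

The model covers only the constraint itself; Craig's second point (the container refusing any /WEB-INF request outright) happens before constraint matching and is not modelled here.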