Hi All!

Is it possible to set up individual security constraints for specific
sub-directories with just a single login? For example, we have an
Extranet/Intranet with the following sub-directories:

-- Customer1
-- Customer2
-- Customer3

Each in turn has the directories:

- Documentation
- Reporting
- Support
- Communication

Users are defined in tomcat-users.xml with roles for each of these
directories. Within each of these directories I have a web.xml file that
looks something like this:

    <security-constraint>
      <web-resource-collection>
         <web-resource-name>CS1Support</web-resource-name>
         <url-pattern>/*</url-pattern>
         <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
         <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>cs1support</role-name>
      </auth-constraint>
    </security-constraint>

In each case the web-resource-name is the name of the directory. The problem
is that when someone logs in who only has the Documentation role (for
example), they can change the URL to the Support directory and get access
(or simply input the full URL to the Support directory):

/Customers/Customer1/Documentation/default.jsp  ==>
/Customers/Customer1/Support/default.jsp

In the /Customers/WEB-INF/web.xml file I have security constraints for each
individual customer, with basic authentication, set up like this:

    <security-constraint>
      <web-resource-collection>
         <web-resource-name>Customer1</web-resource-name>
         <!-- Define the context-relative URL(s) to be protected -->
         <url-pattern>/Customer1/*</url-pattern>
         <!-- If you list http methods, only those methods are protected -->
         <http-method>DELETE</http-method>
         <http-method>GET</http-method>
         <http-method>POST</http-method>
         <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
         <!-- Anyone with one of the listed roles may access this area -->
         <role-name>datacenter</role-name>
         <role-name>customer1</role-name>
      </auth-constraint>
    </security-constraint>

Then I have a *single* login-config like this:

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Customers</realm-name>
    </login-config>


When first accessing any URL, I get the login popup. Once logged in, a user
cannot change the URL to be a different customer without getting a
new login prompt:

/Customers/Customer1/Documentation/default.jsp =>
/Customers/Customer2/Documentation/default.jsp

However, they *can* change the directory for that given customer:

/Customers/Customer1/Documentation/default.jsp  ==>
/Customers/Customer1/Support/default.jsp

thus accessing a directory they should not. If I add a specific
security-constraint to /Customers/WEB-INF/web.xml for
/Customers/Customer1/Support/*, I get the login pop-up again. Does this
mean I can only define the constraints within the top-level
/Customers/WEB-INF/web.xml? Am I missing something?

This is TC 3.2 on Win2K/MIIS 4.

Thanks in advance for any and all help.

Best Regards,

Jim Mohr

ELAXY Brokerage & Trading GmbH & Co KG
_________________________________
James Mohr
Help Desk Manager
Am Hofbräuhaus 1
96450 Coburg 
Germany
Fon +49 (0) 95 61.55 43.0
Fax +49 (0) 95 61.55 43.302
E-Mail: [EMAIL PROTECTED]
---------------------------------------
"Science has promised man power... But, as so often happens when people are
seduced by promises of power, the price is servitude and impotence. Power
is nothing if it is not the power to choose."
Joseph Weizenbaum of MIT, said in reference to computers.
---------------------------------------
The Great Linux-NT Debate: 
<http://www.jimmo.com/Linux-NT_Debate/index.html>
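Added example, not from Jim's post and not Tomcat's code: a small Python model of how a servlet container decides access from its security-constraint entries, written to show why the per-subdirectory constraints have to live in the single /Customers/WEB-INF/web.xml (the container reads only WEB-INF/web.xml; a web.xml dropped into Customer1/Support is just another static file, and one that is served to whoever can reach that directory) and what the decisions look like once they do. The role names, the users alice/bob/ops and the paths are constructed from the post; the matching rule (only the constraints on the best-matching url-pattern apply, and roles are unioned only across constraints on that same pattern) is the one later Servlet specifications spell out, and applying it to Tomcat 3.2 is an assumption. Two things the model makes visible: the more specific /Customer1/Support/* constraint replaces the /Customer1/* one for Support URLs rather than adding to it, so any role that should keep access (here datacenter) must be repeated on it; and because the posted constraints list only DELETE/GET/POST/PUT, a HEAD request is not constrained at all, so leaving http-method out entirely is the safer choice.

```python
"""Model of how a servlet container evaluates <security-constraint> entries:
best-matching url-pattern wins, roles on that pattern are unioned, then
401 (not logged in) or 403 (logged in, wrong role).  Added example; not
Tomcat's code and not the descriptor from the post."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Constraint:
    name: str
    url_pattern: str                   # exact "/a/b", prefix "/a/*", extension "*.jsp" or default "/"
    roles: frozenset                   # roles that may access; empty means nobody may
    methods: frozenset = frozenset()   # HTTP methods covered; empty means all of them


def _match_rank(pattern, path):
    """Rank how well pattern matches path (higher wins); None means no match.
    Exact beats the longest path prefix, which beats extension, which beats "/"."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    elif pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, len(pattern))
    elif pattern == "/":
        return (0, 0)
    return None


def select_constraints(constraints, path, method):
    """Return the constraints on the single best-matching url-pattern that cover
    this method.  Constraints sharing that pattern are combined; a constraint
    on a less specific pattern (the parent directory) is ignored, not added."""
    candidates = []
    for c in constraints:
        if c.methods and method not in c.methods:
            continue            # method not listed, so this constraint does not apply
        rank = _match_rank(c.url_pattern, path)
        if rank is not None:
            candidates.append((rank, c))
    if not candidates:
        return []
    best = max(rank for rank, _ in candidates)
    return [c for rank, c in candidates if rank == best]


def authorize(constraints, path, method, user_roles=None):
    """HTTP status the container would send: 200 allowed, 401 when nobody is
    logged in (Basic auth challenge, i.e. the browser login popup), 403 when
    the logged-in user holds none of the permitted roles."""
    selected = select_constraints(constraints, path, method)
    if not selected:
        return 200
    if user_roles is None:
        return 401
    permitted = frozenset().union(*(c.roles for c in selected))
    return 200 if permitted & frozenset(user_roles) else 403


METHODS = frozenset({"DELETE", "GET", "POST", "PUT"})  # the methods listed in the post

# Constructed from the constraints in the post, all in the one /Customers/WEB-INF/web.xml.
# url-patterns are context-relative: "/Customer1/*" protects /Customers/Customer1/...
CUSTOMERS_WEB_XML = [
    Constraint("Customer1", "/Customer1/*", frozenset({"datacenter", "customer1"}), METHODS),
    Constraint("Customer2", "/Customer2/*", frozenset({"datacenter", "customer2"}), METHODS),
    Constraint("CS1Documentation", "/Customer1/Documentation/*",
               frozenset({"datacenter", "cs1documentation"}), METHODS),
    # Exactly as posted: cs1support only.  Because this pattern REPLACES the
    # /Customer1/* constraint for Support URLs, "datacenter" is locked out here.
    Constraint("CS1Support", "/Customer1/Support/*", frozenset({"cs1support"}), METHODS),
]

# Constructed users with the role assignments tomcat-users.xml would carry (assumed names).
USERS = {
    "alice": {"customer1", "cs1documentation"},   # Customer1, Documentation only
    "bob": {"customer1", "cs1support"},           # Customer1, Support only
    "ops": {"datacenter"},                        # the cross-customer staff role
}


if __name__ == "__main__":
    paths = ["/Customer1/Documentation/default.jsp", "/Customer1/Support/default.jsp",
             "/Customer2/Documentation/default.jsp"]
    for who, roles in [("nobody", None)] + list(USERS.items()):
        print(who, [authorize(CUSTOMERS_WEB_XML, p, "GET", roles) for p in paths])
    # Only the four listed methods are constrained, so a HEAD request needs no login at all.
    print("HEAD on Support, not logged in:",
          authorize(CUSTOMERS_WEB_XML, "/Customer1/Support/default.jsp", "HEAD"))
```

Run it and compare alice's row with the URL pair quoted in the post: Documentation is allowed, Support is refused with 403, and the whole of Customer2 is refused because the best match there is the /Customer2/* constraint. Take the datacenter role off the CS1Documentation constraint and ops loses Documentation too, which is the replace-not-add rule in action.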


