Now we are getting somewhere ;-). If you have a context with a path="/secure", then you need to set the <security-constraint> (including <login-config>) in that web.xml as you have except that you only need to have the <url-pattern>/*</url-pattern> (since the url-pattern is relative to the context-path).
Note that unless you enable the SingleSignOn Valve, your logins to '/' and to '/secure' won't transfer from one to the other. You'll have to log in to each one separately.

"Rosaria Silipo" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
>
> Jwsdp.log.<date>.txt does not report any error.
> I do not have catalina.out.
> Maybe I am using the wrong version of Tomcat?
>
> I think my problem is that /secure has its own web.xml that overrides
> the web.xml in /. How can I avoid that?
>
> -- Rosaria
>
> -----Original Message-----
> From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
> Sent: Tuesday, June 17, 2003 11:46 PM
> To: [EMAIL PROTECTED]
> Subject: Re: problems with web.xml and security
>
> <servlet-mapping> and <mime-mapping> are optional elements. If you don't
> need them, then they don't have to be there.
>
> If you remove the <session-config>, then the rest of what is posted of your
> web.xml is valid (even if the /secure/* is implied by the /*, but that
> shouldn't matter). I'm still going to guess that there are errors in your
> log files (esp. catalina.out) that will tell you more about the problem.
>
> If I'm wrong, then it sounds like it should be easy enough for you to strip
> down your app to something generic (e.g. I don't need to know anything about
> your proprietary Beans), and wrap it up in a war file ("jar cf bug.war
> bugapp"), and attach it to a bug report at
> http://nagoya.apache.org/bugzilla.
>
> "Rosaria Silipo" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> >
> > I am a bit confused.
> > I do not have any <servlet-mapping> or <mime-mapping> (do I need them?)
> > and I followed the order as it is in the tutorial.
> > Even removing <session-config>, /secure/* is not authenticated and /*
> > is.
> >
> > -- Rosaria
> >
> > -----Original Message-----
> > From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
> > Sent: Tuesday, June 17, 2003 8:16 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: problems with web.xml and security
> >
> > If you check your log files, you should see that it doesn't like your
> > web.xml file because <session-config> comes after <servlet-mapping> and
> > before <mime-mapping> (which both come before <security-constraint>).
> > Tomcat 4.x is picky about enforcing the order of elements in your web.xml
> > file (TC 3.3 is as well, at least by default). The result is that Tomcat
> > stopped reading your file as soon as it got to the <session-config> line.
> >
> > "Rosaria Silipo" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> > >
> > > Hi,
> > >
> > > I am trying to set up Tomcat as a secure web engine.
> > > From the tutorial I understood that you should insert the following
> > > lines in web.xml and the password protection should work.
> > >
> > > This works perfectly for files in the root directory (/*), it does not
> > > work for files in subdirectories, like /secure/*.
> > >
> > > Have you ever seen this problem before?
> > >
> > > Thanks for any help
> > >
> > > -- Rosaria
> > >
> > > <!DOCTYPE web-app
> > >   PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> > >   "http://java.sun.com/dtd/web-app_2_3.dtd">
> > >
> > > <web-app>
> > > ...
> > >
> > > <!-- SECURITY CONSTRAINT -->
> > > <security-constraint>
> > >   <web-resource-collection>
> > >     <web-resource-name>Secure Pages</web-resource-name>
> > >     <description>Security constraint on all files</description>
> > >     <url-pattern>/*</url-pattern>
> > >     <url-pattern>/secure/*</url-pattern>
> > >     <http-method>POST</http-method>
> > >     <http-method>GET</http-method>
> > >   </web-resource-collection>
> > >
> > >   <auth-constraint>
> > >     <description>admin can login</description>
> > >     <role-name>admin</role-name>
> > >   </auth-constraint>
> > >
> > >   <user-data-constraint>
> > >     <description>SSL not required</description>
> > >     <transport-guarantee>NONE</transport-guarantee>
> > >   </user-data-constraint>
> > > </security-constraint>
> > >
> > > <session-config>
> > >   <session-timeout>30</session-timeout>
> > > </session-config>
> > >
> > > <!-- LOGIN AUTHENTICATION -->
> > >
> > > <login-config>
> > >   <auth-method>FORM</auth-method>
> > >   <realm-name>default</realm-name>
> > >   <form-login-config>
> > >     <form-login-page>/LoginForm.html</form-login-page>
> > >     <form-error-page>/LoginError.html</form-error-page>
> > >   </form-login-config>
> > >
> > > </login-config>
> > >
> > > <!-- SECURITY ROLES -->
> > >
> > > <security-role>
> > >   <description>The most secure role</description>
> > >   <role-name>admin</role-name>
> > > </security-role>
> > >
> > > </web-app>
> > >
> > >
> > > -- Rosaria
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
