On 24/08/17 20:43, James H. H. Lampert wrote:
> On 8/24/17, 11:35 AM, Mark Thomas wrote:
>> Tomcat will prevent access to anything in WEB-INF or META_INF.
>> Everything else is up to the app to control.
>> Note: You can place content in WEB-INF and include it from JSPs and
>> Servlets (and it will work) but direct access will not.
>> You might want to take a look in the Servlet spec for security
>> constraints.
> Thanks. I've just discovered security constraints, along with some
> material on StackExchange's ServerFault board demonstrating how to
> create them. It's taken a very large load off my back.
> So far, I've only scratched the surface of the subject.
> Am I correct in understanding that a security constraint in a context's
> web.inf only blocks access from outside? That the webapp itself still
> has full access to the information?


> And that if I give it a role name that hasn't been given to anybody in
> tomcat-users.xml, then nobody can get in at all?

Yes, but even simpler (and with the intention clearer):


means deny all access.

> Can I set up a security
> constraint to just unconditionally deny all outside access, without even
> offering a sign-on dialog?

If you use the syntax above, yes. Tomcat will return a 403 in this case.

If you specify a role no user has, you'll get an authentication dialogue.

I can't recommend reading chapter 13 of the servlet spec, particularly
section 13.8, enough.


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to