Thanks for responding.  I got that from the web.xml file itself;

> <!--
>    To set up security settings for your web app, create a file named
> web-security.xml, put it in your project's mergedir.
>    Organize web-security.xml following this DTD slice:
>    <!ELEMENT security-constraint (display-name?, web-resource-collection+,
> auth-constraint?, user-data-constraint?)>
>    <!ELEMENT web-resource-collection (web-resource-name, description?,
> url-pattern*, http-method*)>
>    <!ELEMENT web-resource-name (#PCDATA)>
>    <!ELEMENT url-pattern (#PCDATA)>
>    <!ELEMENT http-method (#PCDATA)>
>    <!ELEMENT user-data-constraint (description?, transport-guarantee)>
>    <!ELEMENT transport-guarantee (#PCDATA)>
>    <!ELEMENT login-config (auth-method?, realm-name?, form-login-config?)>
>    <!ELEMENT auth-method (#PCDATA)>
>    <!ELEMENT realm-name (#PCDATA)>
>    <!ELEMENT form-login-config (form-login-page, form-error-page)>
>    <!ELEMENT form-login-page (#PCDATA)>
>    <!ELEMENT form-error-page (#PCDATA)>
>    -->

The only references I can find (including the archives of this list) are
copies of web.xml with those same instructions.  Creating a block that
adheres to that DTD and placing it in the bottom of web.xml (before the
last </web-app> tag) works as expected.

The web.xml file is dynamically generated and so I am left with having to
remember to update the tomcat7/webapps/<app>/WEB-INF/web.xml by hand *after* it
is finished deploying from the <app>.war file.  If I could place it in a
separate static web-security.xml file than it can be packaged in the .war
file and automatically applied whenever the application is deployed.

Thanks again for your help,


On Fri, Jul 19, 2019 at 2:44 PM Christopher Schultz <> wrote:

> Hash: SHA256
> Richard,
> On 7/19/19 11:33, richard coleman wrote:
> > Hi all,
> >
> > Running tomcat 7.0.90, I am trying to add a security block to a
> > struts 1 application to redirect *most* urls to https.  It works
> > fine when I add it to the web.xml file in the
> > webapps/<application>/WEB-INF/web.xml file.
> >
> > That file states that I should be able to add it to a separate
> > web-security.xml file, but when I do so, tomcat *ignores* the
> > web-security.xml file.
> >
> > Is there something that's *not* mentioned that I am forgetting to
> > do to actually get this to work?
> I think you are asking the wrong mailing list. If you are using Struts
> for the redirection, then you want to ask the Struts folks why it's
> not working. You might want to provide en example of your
> configuration when doing so if you post over there.
> You might get crickets in response since you are asking about a
> product that was abandoned years ago. I feel your pain; I still use
> Struts 1.x myself. :(
> I've never heard of web-security.xml. Ever.
> What is it you are trying to configure in web-security.xml that works
> when you put it into web.xml? Why not just put it into web.xml if
> that's where it works?
> - -chris
> Comment: Using GnuPG with Thunderbird -
> pFjuIg/+ND6tguQw6z579Tabcc3movui80Zdva4EEyMzzCaJl0kkvF8wqVdEzErG
> uCOni0gwo3VflY5cdOM8cdAjcoR2iue3LrWOKQKEtuKpTuv6bGPO/HjGUBtKzMnd
> 0tBzohjEofy7IlS3+PhIVczdzKuU44s+SWUojYkQrtGSh2sgjkCfFC2IRisxoAWU
> YF29FARLbimkHDTlhjr0SqeUf5z5rt7l5y7IC8kzA2ipEJQaARfu+x/cQSlivPYd
> vrgOChrNFrqAhBHX5R+5KosL2nGPGT2cWodiVuC567Kyt5+vzp2PNLBKLwS3tT7T
> iOFGjZ3Z3AmctVebWFPEILuyoX9tqz0uZJjjkkeiLHl4d4RkvRAQOqjOyi0TyvNx
> bSenOp0YMp6Sq++lvDSmN3fx1VzoTMbfA4yacCFGLaflzJADO15kVRV/PM8aPAl6
> KPv16DrhGzxMCGVMoccQNxCYl1T0QyJfFJT+ocJVQ9ZRF1ZVd7rylq7RZwocnTh7
> tQptLst5e+SC3mcVvOhU/RLYXdqbstgaM93x8tvYv2jmtV7qmFyTDc/PGxYMr4Nh
> LfvVtyZG0Yq3672FwLgjIsbxMi91fkvGMJbXYkCUJXjvXNl+q8FwrzOJo/aGiXfY
> o0YExXDpKPRVMeEx36UXWjCu+JbFu6SBiX9zBkqt0k1NoC1jplU=
> =3GI8
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Reply via email to