Thanks Carl,

Yes, I tried to see /secure as the first thing and I can see it without authentication. I tried to close the browser and restart it and I could still see it.
Maybe the problem is in the web.xml of /secure. Is it possible?

-- Rosaria

-----Original Message-----
From: Carl Walker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 17, 2003 12:56 PM
To: Tomcat Users List
Subject: Re: problems with web.xml and security

I just tested this and wasn't able to see /secadmin without logging on. Are you closing the browser (possibly including mail clients) between trials? If you go from hitting '/' with a successful logon to hitting '/secure', you won't get a second challenge.

-Carl

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecadminJsps</web-resource-name>
    <url-pattern>/*</url-pattern>
    <url-pattern>/secadmin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>secadmin</role-name>
  </auth-constraint>
</security-constraint>

Rosaria Silipo wrote:

> The second.
> I can see the files even without having authenticated.
> The funny part is that it works correctly for /* and for sub-directories
> that I have not yet created.
>
> -- Rosaria
>
> -----Original Message-----
> From: Carl Walker [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 17, 2003 11:37 AM
> To: Tomcat Users List
> Subject: Re: problems with web.xml and security
>
> In which way doesn't it work? Are you prohibited from viewing the files
> after logging in or can you see the files even if you haven't
> authenticated?
>
> -Carl
>
> Rosaria Silipo wrote:
>
> > Hi,
> >
> > I am trying to set up Tomcat as a secure web engine.
> > From the tutorial I understood that you should insert the following
> > lines in web.xml and the password protection should work.
> >
> > This works perfectly for files in the root directory (/*), it does not
> > work for files in subdirectories, like /secure/*.
> >
> > Have you ever seen this problem before?
> >
> > Thanks for any help
> >
> > -- Rosaria
> >
> > <!DOCTYPE web-app
> >   PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> >   "http://java.sun.com/dtd/web-app_2_3.dtd">
> >
> > <web-app>
> >   ...
> >
> >   <!-- SECURITY CONSTRAINT -->
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>Secure Pages</web-resource-name>
> >       <description>Security constraint on all files</description>
> >       <url-pattern>/*</url-pattern>
> >       <url-pattern>/secure/*</url-pattern>
> >       <http-method>POST</http-method>
> >       <http-method>GET</http-method>
> >     </web-resource-collection>
> >
> >     <auth-constraint>
> >       <description>admin can login</description>
> >       <role-name>admin</role-name>
> >     </auth-constraint>
> >
> >     <user-data-constraint>
> >       <description>SSL not required</description>
> >       <transport-guarantee>NONE</transport-guarantee>
> >     </user-data-constraint>
> >   </security-constraint>
> >
> >   <session-config>
> >     <session-timeout>30</session-timeout>
> >   </session-config>
> >
> >   <!-- LOGIN AUTHENTICATION -->
> >
> >   <login-config>
> >     <auth-method>FORM</auth-method>
> >     <realm-name>default</realm-name>
> >     <form-login-config>
> >       <form-login-page>/LoginForm.html</form-login-page>
> >       <form-error-page>/LoginError.html</form-error-page>
> >     </form-login-config>
> >
> >   </login-config>
> >
> >   <!-- SECURITY ROLES -->
> >
> >   <security-role>
> >     <description>The most secure role</description>
> >     <role-name>admin</role-name>
> >   </security-role>
> >
> > </web-app>
> >
> > -- Rosaria
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
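Added example (not part of the original thread and not Tomcat's own code): a static check of which security constraints in a web.xml match a given context-relative path and HTTP method, run on a constructed copy of the constraint posted in the question. The helper names are hypothetical, and the check lists every matching pattern rather than applying the servlet specification's best-match precedence between constraints.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the question, reduced to the elements that matter here.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Pages</web-resource-name>
      <url-pattern>/*</url-pattern>
      <url-pattern>/secure/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet-style url-pattern match; path is relative to the context root."""
    if pattern.endswith("/*"):                       # path-prefix pattern
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                     # extension pattern
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == "/" or pattern == path         # default or exact

def matching_constraints(web_xml, path, method):
    """Return (resource name, pattern, roles) for each constraint covering path+method."""
    hits = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        for wrc in sc.findall("web-resource-collection"):
            methods = [m.text.strip().upper() for m in wrc.findall("http-method")]
            if methods and method.upper() not in methods:
                continue                             # constraint applies to listed methods only
            name = wrc.findtext("web-resource-name", "").strip()
            for pat in wrc.findall("url-pattern"):
                if pattern_matches(pat.text.strip(), path):
                    hits.append((name, pat.text.strip(), roles))
    return hits

if __name__ == "__main__":
    for path, method in [("/index.jsp", "GET"), ("/secure/index.jsp", "GET"),
                         ("/secure/index.jsp", "HEAD")]:
        print(method, path, "->", matching_constraints(WEB_XML, path, method))
```

The path argument is relative to the web application's context root, so a /secure that is deployed as its own web application is governed by that application's web.xml, not by this one.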