Re: security constraints in tomcat 4.1.30

2005-06-05 Thread Jo
Hi Angela,

Not sure why it works fine with Tomcat 5, but the following is my view of the
problem with the login page.

1. The security constraint for the images and CSS tells that the GET and
HEAD methods to these resources ARE protected.
2. When you go to the login page, as it tries to get the protected images
and stylesheet, Tomcat has to redirect the request back to the login page
again.

rgds,
Jo.-

- Original Message - 
From: "Angela Stempfel" <[EMAIL PROTECTED]>
To: 
Sent: Friday, June 03, 2005 4:53 PM
Subject: security constraints in tomcat 4.1.30


> Hello all
>
> I have a problem concerning Tomcat 4.1.30. In web.xml I defined several
> security constraints. First of all I protected the whole application and
> then I excluded the directories with images and css files. Furthermore I
> defined some roles.
>
> 
> 
> TCE GUI
> 
> WEBGui Area
> 
> /*
> 
> 
> 
> *
> 
> 
>
> 
> 
> Images and CSS Not Protected
> /images/*
> /css/*
> GET
> HEAD
> 
> 
>
> 
> DSLAM Configuration
> 
> 
> Access to DSLAM Configuration
> 
> /DslamConfig/*
> 
> 
> dslamConfig
> 
> 
> 
> FORM
> 
> /login.jsp
> /login-error.jsp
> 
> 
>
> 
> dslamConfig
> 
> 
>
> So my problem is that this works fine with Tomcat 5.0 but not with
> Tomcat 4.1.30. If I go to the login page, the stylesheet and images are
> not found when running the Application with version 4.1.30. Also the
> Security Constraints are not working correctly, this means that a user
> that hasn't the role "dslamConfig" is able to enter the following URL:
> /DslamConfig/*
>
> Has anyone some ideas?
>
> Thanks a lot
> Angela
>
> -
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]



Re: security constraints in tomcat 4.1.30

2005-06-03 Thread Bill Barker
Along with what Mark said, you should know that TC 4.1.30 stops checking 
after the *first* matching constraint (so in your case, the '/*' always 
wins).  Try reversing the order of your constraints in web.xml.

As Mark mentioned, this has changed in TC 5.x, and your web.xml should work 
as written.

"Angela Stempfel" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> Hello all
>
> I have a problem concerning Tomcat 4.1.30. In web.xml I defined several 
> security constraints. First of all I protected the whole application and 
> then I excluded the directories with images and css files. Furthermore I 
> defined some roles.
>
> 
> 
> TCE GUI
> 
> WEBGui Area
> 
> /*
> 
> 
> 
> *
> 
> 
>
> 
> 
> Images and CSS Not Protected
> /images/*
> /css/*
> GET
> HEAD
> 
> 
>
> 
> DSLAM Configuration
> 
> 
> Access to DSLAM Configuration
> 
> /DslamConfig/*
> 
> 
> dslamConfig
> 
> 
> 
> FORM
> 
> /login.jsp
> /login-error.jsp
> 
> 
>
> 
> dslamConfig
> 
> 
>
> So my problem is that this works fine with Tomcat 5.0 but not with Tomcat 
> 4.1.30. If I go to the login page, the stylesheet and images are not found 
> when running the Application with version 4.1.30. Also the Security 
> Constraints are not working correctly, this means that a user that hasn't 
> the role "dslamConfig" is able to enter the following URL: /DslamConfig/*
>
> Has anyone some ideas?
>
> Thanks a lot
> Angela 







Re: security constraints in tomcat 4.1.30

2005-06-03 Thread Mark Thomas

Angela Stempfel wrote:

> Hello all
>
> I have a problem concerning Tomcat 4.1.30. In web.xml I defined several 
> security constraints. First of all I protected the whole application and 
> then I excluded the directories with images and css files. Furthermore I 
> defined some roles.
>
> So my problem is that this works fine with Tomcat 5.0 but not with 
> Tomcat 4.1.30. If I go to the login page, the stylesheet and images are 
> not found when running the Application with version 4.1.30. Also the 
> Security Constraints are not working correctly, this means that a user 
> that hasn't the role "dslamConfig" is able to enter the following URL: 
> /DslamConfig/*
>
> Has anyone some ideas?


You need to read section SRV.12.8 of both the servlet 2.3 spec and the 
servlet 2.4 spec. The way constraints are handled has changed. For example,


If the authorization constraint defines no roles, no user is allowed 
access to the portion of the web application defined by the security 
constraint.


compared to


If no authorization constraint applies to a request, the container must 
accept the request without requiring user authentication.



There is a fair amount of ambiguity in this area of the 2.3 spec, which 
is why it changed so much in 2.4


You should also be aware of 
http://issues.apache.org/bugzilla/show_bug.cgi?id=15570


Mark




security constraints in tomcat 4.1.30

2005-06-02 Thread Angela Stempfel

Hello all

I have a problem concerning Tomcat 4.1.30. In web.xml I defined several 
security constraints. First of all I protected the whole application and 
then I excluded the directories with images and css files. Furthermore I 
defined some roles.




TCE GUI

WEBGui Area

/*



*





Images and CSS Not 
Protected
/images/*
/css/*
GET
HEAD




DSLAM Configuration


Access to DSLAM Configuration

/DslamConfig/*


dslamConfig



FORM

/login.jsp
/login-error.jsp




dslamConfig



So my problem is that this works fine with Tomcat 5.0 but not with 
Tomcat 4.1.30. If I go to the login page, the stylesheet and images are 
not found when running the Application with version 4.1.30. Also the 
Security Constraints are not working correctly, this means that a user 
that hasn't the role "dslamConfig" is able to enter the following URL: 
/DslamConfig/*


Has anyone some ideas?

Thanks a lot
Angela




Re: Security constraints for different contexts

2004-07-05 Thread Rahman Syed
Just wanted to ask this question again...does anyone have any ideas??  I'm 
really stuck here, any good tutorials or resources about security 
constraints would be helpful.  All of the ones I've seen online only handle 
one constraint at a time, I've never seen how they work in terms of "best 
match first" or otherwise.

Thanks,
Rahman
At 7/2/2004 11:47 AM, you wrote:
Hello,
I'm using Tomcat 5.0.25 and I'd like to use container-based security to 
restrict access to one specific page.  The problem is that this page 
exists in different contexts, but using the same docbase.  You can get a 
better idea by looking at the first snippet included below.

You can see that the application itself is installed by default at context 
"/wiki", and there will be additional copies at "/wiki/wikione" and so 
on.  My goal is to restrict /wiki/Edit.jsp to one role, 
/wiki/wikione/Edit.jsp to another role, etc.  The web.xml I'm using right 
now doesn't even prompt for authentication at all; the only time I can get 
it to authorize anything is when I only have one security constraint, for 
url-pattern "/Edit.jsp".

Is there an easy way to achieve this?  Thanks...
Rahman
Server.xml snippet:
 
  
 override="false"/>
 


The application's web.xml snippet:
   
   
   Protected Area
   /wiki/Edit.jsp
   DELETE
   GET
   POST
   PUT
   
   
   wikiadmin
   
   
   
   
   Protected Area
   /wiki/wikione/Edit.jsp
   DELETE
   GET
   POST
   PUT
   
   
   wikioneadmin
   
   
   
  BASIC
  JSPWiki Editor
   



Security constraints for different contexts

2004-07-02 Thread Rahman Syed
Hello,
I'm using Tomcat 5.0.25 and I'd like to use container-based security to 
restrict access to one specific page.  The problem is that this page exists 
in different contexts, but using the same docbase.  You can get a better 
idea by looking at the first snippet included below.

You can see that the application itself is installed by default at context 
"/wiki", and there will be additional copies at "/wiki/wikione" and so 
on.  My goal is to restrict /wiki/Edit.jsp to one role, 
/wiki/wikione/Edit.jsp to another role, etc.  The web.xml I'm using right 
now doesn't even prompt for authentication at all; the only time I can get 
it to authorize anything is when I only have one security constraint, for 
url-pattern "/Edit.jsp".

Is there an easy way to achieve this?  Thanks...
Rahman
Server.xml snippet:
 
  
 override="false"/>
 


The application's web.xml snippet:
   
   
   Protected Area
   /wiki/Edit.jsp
   DELETE
   GET
   POST
   PUT
   
   
   wikiadmin
   
   
   
   
   Protected Area
   /wiki/wikione/Edit.jsp
   DELETE
   GET
   POST
   PUT
   
   
   wikioneadmin
   
   
   
  BASIC
  JSPWiki Editor
   



Re: Tomcat Security Constraints

2004-04-08 Thread QM
On Thu, Apr 08, 2004 at 06:36:16PM +0200, Malcolm Warren wrote:
: Surely the authorization should be requested in all places and at all 
: times, wherever the request is coming from, even if from an include in an 
: unprotected page?

Clearly not, if it's going through. ;)

My understanding of the spec is that the security constraints are for
the originally-requested URI only.  

It's up to the developers to make sure content doesn't get 'd
or forward()'d to the wrong place.


: It has happened that I forget to type https:// and type http:// instead.
: So if a nasty, mean person is listening in, he can see my password 
: unencrypted, right?

Yes.


: How can I prevent this?

Use all SSL, all the time. -and I'm not being facetious there.  If the
data is that sensitive, why not?

Other than that, I believe there are auth restraints in web.xml that
require SSL auth.  I'd be more specific, but I'm deep into a C++ project
right today so my servlet spec knowledge is a little hazy.


btw, what's wrong with form auth?  I don't recall it requiring that much
extra programming.

-QM

-- 

software  -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com





Tomcat Security Constraints

2004-04-08 Thread Malcolm Warren
Hi,

I have been using basic authorization with SSL in Tomcat for some time, 
quite satisfactorily.

However I have found what I feel to be some strange behaviour on the part 
of Tomcat (I have 4.1.30) in one case.
Here's an example:
I have a folder, let's say http://www.mysite.com/prot/. I put a 
security-constraint on this folder in web.xml so that it is protected and 
requires basic authorization. So far so good.

But I have discovered that if you include a document from that protected 
folder inside a document from an unprotected folder using a , 
then basic authorization is no longer requested by the browser for the 
protected page.

Surely the authorization should be requested in all places and at all 
times, wherever the request is coming from, even if from an include in an 
unprotected page?

---

This leads on to my second question.
I have been trying to solve one small though potentially dangerous problem 
with Basic Authorization/SSL.
If I want to access a protected area of our site from outside the firewall 
I write an address similar to the following:
https://mysslsite.com/pagerequired.jsp.

It has happened that I forget to type https:// and type http:// instead.
So if a nasty, mean person is listening in, he can see my password 
unencrypted, right?
How can I prevent this? The problem is that the login window with basic 
authorization pops up before you arrive at the page itself.

I thought of FORM authorization, because the .jsp used for the Login form 
can check the port requested (must be 443) and refuse to request the 
password if it's wrong. But FORM authorization requires lots of extra 
programming to give many of the useful extras that BASIC authorization 
offers included (e.g. remembering your user name and password).
Then I thought of including the protected page in an unprotected page that 
checks if you are in https before doing the include. But since Tomcat has 
this strange behaviour I mentioned above, after a couple of days of 
fiddling with this possibility I've had to give that up too.

Anybody got any ideas?

Thanks for your time,
Malcolm Warren
  



RE: url-pattern pb in security constraints

2004-03-11 Thread Ralph Einfeldt
According to the spec (Chapter 11.2):


A string beginning with a '/' character and ending 
with a '/*' postfix is used for path mapping.

A string beginning with a '*.' prefix is used as an 
extension mapping.

A string containing only the '/' character indicates 
the servlet path is the request URI minus the context
path and the path info is null.

All other strings are used for exact matches only. 


So /pages/*.jsp is not a valid pattern mapping.
It's just *.jsp or /pages/*

> -Original Message-
> From: Boulay Arnaud [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 11, 2004 10:26 AM
> To: [EMAIL PROTECTED]
> Subject: url-pattern pb in security constraints
> 
> 
>   /pages/secret1/*.jsp
>   /pages/*.jsp
> 


url-pattern pb in security constraints

2004-03-11 Thread Boulay Arnaud
Hello, I'm trying some web.xml security features and think that Catalina 
doesn't perform url pattern very well in some cases (whatever the kind of Realm).

For example:
Roles: Administrateur and DTN
protected resources:
 "/pages/secret1/*.jsp" reserved for Administrateur role
 "/pages/*.jsp" reserved for Administrateur and DTN roles

When the current user has only DTN role, the first pattern is not filtered and 
so the resource is not protected, while if the first pattern is a straightforward 
resource (say /pages/secret1/myfile.jsp) it is correctly safe.
Any idea?
Thanks in advance,
Arnaud

web.xml sample :


  
webapp2
/pages/secret1/*.jsp
  
  
   Administrateur
  
 

 
  
webapp1
/pages/*.jsp
  
  
   DTN
   Administrateur
  
 







Re: Deploy failure with Tomcat 5.0.16 adding security constraints

2003-12-16 Thread jose
Remy,

 Thanks... I can't believe how I haven't seen the error

Jose

Remy Maucherat wrote:

jose wrote:

Hi,

  I'm getting the following error log trying to install my webapp in 
tomcat 5.0.16. When I remove the security constraints section
in web.xml the app installs and runs ok, but when I restore the 
security section in web.xml I can't install the app.
  I have tested this issue on Tomcat 5.0.16 in windows and linux and 
on Tomcat 4.1.29.
  In my server.xml I'm using JDBCRealm auth method at Engine level. 
It's working fine with, for example, tomcat manager app and
for other apps I'm running. The app uses jakarta struts 1.1 and some 
other taglibs (like request, dbtime and session)


You need something like:
BASIC
in your login-config. The error could be a *lot* better (we should 
check for null, basically).





Re: Deploy failure with Tomcat 5.0.16 adding security constraints

2003-12-16 Thread Remy Maucherat
jose wrote:

Hi,

  I'm getting the following error log trying to install my webapp in 
tomcat 5.0.16. When I remove the security constraints section
in web.xml the app installs and runs ok, but when I restore the security 
section in web.xml I can't install the app.
  I have tested this issue on Tomcat 5.0.16 in windows and linux and on 
Tomcat 4.1.29.
  In my server.xml I'm using JDBCRealm auth method at Engine level. It's 
working fine with, for example, tomcat manager app and
for other apps I'm running. The app uses jakarta struts 1.1 and some 
other taglibs (like request, dbtime and session)

You need something like:
BASIC
in your login-config. The error could be a *lot* better (we should check 
for null, basically).

--
x
Rémy Maucherat
Senior Developer & Consultant
JBoss Group (Europe) SàRL
x


Deploy failure with Tomcat 5.0.16 adding security constraints

2003-12-16 Thread jose
Hi,

  I'm getting the following error log trying to install my webapp in 
tomcat 5.0.16. When I remove the security constraints section
in web.xml the app installs and runs ok, but when I restore the security 
section in web.xml I can't install the app.
  I have tested this issue on Tomcat 5.0.16 in windows and linux and on 
Tomcat 4.1.29.
  In my server.xml I'm using JDBCRealm auth method at Engine level. 
It's working fine with, for example, tomcat manager app and
for other apps I'm running. The app uses jakarta struts 1.1 and some 
other taglibs (like request, dbtime and session)

 The error log is:

16-dic-2003 12:47:32 org.apache.catalina.core.StandardHostDeployer install
INFO: Installing web application at context path /netlabor from URL jar:file:/C:/j2ee/Tomcat-5.0.16/webapps/netlabor.war!/
16-dic-2003 12:47:34 org.apache.catalina.core.StandardHostDeployer install
INFO: Error installing
java.lang.NullPointerException
   at java.util.Hashtable.get(Unknown Source)
   at java.util.Properties.getProperty(Unknown Source)
   at org.apache.catalina.startup.ContextConfig.authenticatorConfig(ContextConfig.java:420)
   at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:651)
   at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:254)
   at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:4212)
   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:866)
   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:850)
   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:633)
   at org.apache.catalina.core.StandardHostDeployer.install(StandardHostDeployer.java:316)
   at org.apache.catalina.core.StandardHost.install(StandardHost.java:859)
   at org.apache.catalina.manager.ManagerServlet.deploy(ManagerServlet.java:927)
   at org.apache.catalina.manager.HTMLManagerServlet.deployInternal(HTMLManagerServlet.java:320)
   at org.apache.catalina.manager.HTMLManagerServlet.doPost(HTMLManagerServlet.java:300)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:284)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:204)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:256)
   at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
   at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
   at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199)
   at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:594)
   at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
   at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:195)
   at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
   at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
   at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156)
   at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
   at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:564)
   at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972)
   at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:211)
   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:805)
   at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:696)
   at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:605)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
   at java.lang.Thread.run(Unknown Source)
16-dic-2003 12:47:35 org.apache.catalina.core.StandardHostDeployer install
INFO: Installing web application at context path /netlabor from URL file:C:/j2ee/Tomcat-5.0.16/webapps/netlabor
16-dic-2003 12:47:35 org.apache.catalina.core.StandardHostDeployer install
INFO: Error installing
java.lang.NullPointerException
   at java.util.Hashtable.

Re: servlet mappings and security constraints with j_security_check

2003-10-13 Thread Matthew Do
How do I delete my name from the Tomcat user list? Because I am trying to use TOMCAT but it 
does not work well for me at this time. 


Have a good day.

Matthew Do
Seattle City Light
[EMAIL PROTECTED]
(206) 733 - 9022

>>> [EMAIL PROTECTED] 10/13/03 09:29AM >>>
How do I delete my name from the Tomcat user list? Because I am trying to use TOMCAT but it 
does not work well for me at this time. 

Have a good day.

Matthew Do
Seattle City Light
[EMAIL PROTECTED] 
(206) 733 - 9022

>>> [EMAIL PROTECTED] 10/13/03 09:26AM >>>
I am getting the familiar status 400 - invalid direct reference, and yet 
I am absolutely not surfing to the login page myself.

This is the page I am on:

https://localhost:8443/mywebapp/registerdone.do 

and this is the link I am using:

https://localhost:8443/mywebapp/private/editprofile.do 

This mapping is protected by my security constraints (/private/) and so 
tomcat invokes the j_security_check form, and on submission tomcat gives 
me the 400 status invalid direct reference.

I have the login form and the login error form SSL encrypted.

It works fine for non-HTTPS links.

Here's the web.xml snippet:

   
 
   SSL 4 Login
   /ssllogin.html
   /sslerror.html
 
 
   SSL required
   CONFIDENTIAL
 
   
   
 
   Login
   /private/*
 
 
   user
   admin
 
 
   SSL not required
   NONE
 
   
   
 FORM
 BlackSailRealm
 
   /ssllogin.html
   /sslerror.html
 
   
   
 user
   
   
 admin
   

Does anyone know what I am doing wrong, or has seen this error too?

Thanks
Adam

-- 
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9





Re: servlet mappings and security constraints with j_security_check

2003-10-13 Thread Matthew Do
How do I delete my name from the Tomcat user list? Because I am trying to use TOMCAT but it 
does not work well for me at this time. 

Have a good day.

Matthew Do
Seattle City Light
[EMAIL PROTECTED]
(206) 733 - 9022

>>> [EMAIL PROTECTED] 10/13/03 09:26AM >>>
I am getting the familiar status 400 - invalid direct reference, and yet 
I am absolutely not surfing to the login page myself.

This is the page I am on:

https://localhost:8443/mywebapp/registerdone.do 

and this is the link I am using:

https://localhost:8443/mywebapp/private/editprofile.do 

This mapping is protected by my security constraints (/private/) and so 
tomcat invokes the j_security_check form, and on submission tomcat gives 
me the 400 status invalid direct reference.

I have the login form and the login error form SSL encrypted.

It works fine for non-HTTPS links.

Here's the web.xml snippet:

   
 
   SSL 4 Login
   /ssllogin.html
   /sslerror.html
 
 
   SSL required
   CONFIDENTIAL
 
   
   
 
   Login
   /private/*
 
 
   user
   admin
 
 
   SSL not required
   NONE
 
   
   
 FORM
 BlackSailRealm
 
   /ssllogin.html
   /sslerror.html
 
   
   
 user
   
   
 admin
   

Does anyone know what I am doing wrong, or has seen this error too?

Thanks
Adam

-- 
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9





servlet mappings and security constraints with j_security_check

2003-10-13 Thread Adam Hardy
I am getting the familiar status 400 - invalid direct reference, and yet 
I am absolutely not surfing to the login page myself.

This is the page I am on:

https://localhost:8443/mywebapp/registerdone.do

and this is the link I am using:

https://localhost:8443/mywebapp/private/editprofile.do

This mapping is protected by my security constraints (/private/) and so 
tomcat invokes the j_security_check form, and on submission tomcat gives 
me the 400 status invalid direct reference.

I have the login form and the login error form SSL encrypted.

It works fine for non-HTTPS links.

Here's the web.xml snippet:

  

  SSL 4 Login
  /ssllogin.html
  /sslerror.html


  SSL required
  CONFIDENTIAL

  
  

  Login
  /private/*


  user
  admin


  SSL not required
  NONE

  
  
FORM
BlackSailRealm

  /ssllogin.html
  /sslerror.html

  
  
user
  
  
admin
  
Does anyone know what I am doing wrong, or has seen this error too?

Thanks
Adam
--
struts 1.1 + tomcat 5.0.12 + java 1.4.2
Linux 2.4.20 RH9


Re: Security-constraints - how to forbid all except ...

2003-09-10 Thread Tim Funk
One workaround is to map EVERYTHING to a set of servlets. Then set your 
Security constraints against the servlets instead of the URL pattern.

-Tim

Chris Rolfe wrote:
Hi,

Does anyone have a way to set security constraints to forbid access to
everything (as the by default) *except* specified files + dirs?
The web.xml snippet below comes very close to doing what I want although it
relies on the order of constraints (ie, it's container-dependent).
The problem with my solution is that incomplete URIs don't have a chance to
be redirected to the welcome file. For example, "mydomain.com/myservlet"
hits the SecurityConstraint[Forbidden] before being redirected to
index.jsp. 

So to rephrase the question: Is there a way to set security constraints to
forbid access to everything *except* specified files + dirs WITHOUT breaking
the site-root welcome-file redirect? Any workaround to exempt the '/'
redirect (maybe a servlet-mapping??).
Thanks,

Chris 

Tomcat 404 web.xml snippet
---


Public
/index.jsp
/public/*
GET
POST


NONE




Forbidden
Everything else.
/*
GET
POST
PUT
DELETE


none 


NONE


---




Security-constraints - how to forbid all except ...

2003-09-10 Thread Chris Rolfe
Hi,

Does anyone have a way to set security constraints to forbid access to
everything (as the by default) *except* specified files + dirs?

The web.xml snippet below comes very close to doing what I want although it
relies on the order of constraints (ie, it's container-dependent).

The problem with my solution is that incomplete URIs don't have a chance to
be redirected to the welcome file. For example, "mydomain.com/myservlet"
hits the SecurityConstraint[Forbidden] before being redirected to
index.jsp. 

So to rephrase the question: Is there a way to set security constraints to
forbid access to everything *except* specified files + dirs WITHOUT breaking
the site-root welcome-file redirect? Any workaround to exempt the '/'
redirect (maybe a servlet-mapping??).

Thanks,

Chris 

Tomcat 404 web.xml snippet
---


Public
/index.jsp
/public/*
GET
POST


NONE





Forbidden
Everything else.
/*
GET
POST
PUT
DELETE


none 


NONE


---





Problem with setContentType in https-connection with security-constraints

2002-10-16 Thread Toni . Kielo

Hi.

I'm having problems with https-connection to tomcat 4.0.2.
I have a jsp-page that sets content-type to application/pdf (with
response.setContentType) and prints the pdf with iText.
This works fine with http-connection and https without
security-constraints.

Has someone tested this? It redirects all http-connections to *.jsp to
https.

Here's my security-settings:

  

   SecurityRestriction
   desc
   *.jsp
   *.pdf
   *.csv
   GET
   POST


   CONFIDENTIAL

  

I hope anyone can tell me if there is a workaround to this.
Thanks in advance,

Toni






RE: IIS and security constraints

2002-09-19 Thread Alvin Wang

Hi! So is there a way for tomcat to share (or retrieve) the authentication
information with IIS?

-Original Message-
From: Reynir Hübner [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 11:21 AM
To: Tomcat Users List
Subject: RE: IIS and security constraints



I think you need to have IIS authenticate the users for you, then you can
handle the authenticated user as you wish in your webapplication.

hope it helps
[EMAIL PROTECTED]


> -Original Message-
> From: Sean Dillon [mailto:[EMAIL PROTECTED]]
> Sent: 26 June 2002 15:17
> To: [EMAIL PROTECTED]
> Subject: IIS and security constraints
>
>
> I developed a site for a client who needs to deploy it on an existing
> IIS server.  I found docs on the web that describe using the
> redirector
> dll, etc., and have gotten IIS to successfully redirect urls to my JSP
> site.  My problem is that the security constraints that work so well
> when running Tomcat standalone or even on the IIS machine via
> port 8080,
> do not work when accessing the site through IIS - there is never any
> login dialog presented by the browser; instead, Tomcat
> redirects to the
> site's 404 error page.
>
> So what do I need to do to use container-managed security while
> deploying Tomcat through IIS?
>
>
>




AW: IIS and security constraints

2002-06-26 Thread Friedli Beat

You have to add an entry in uriworkermap.properties for the manager app

With kind regards 

Galexis AG 
Beat Friedli . Software Development (DDIS/ASW)
Grubenstrasse 11 . CH-3322 Schoenbuehl
tel: +41 (0)31 858 72 32 . fax: +41 (0)31 858 78 81




> -Original Message-
> From: Sean Dillon [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 26 June 2002 17:17
> To: [EMAIL PROTECTED]
> Subject: IIS and security constraints
> 
> 
> I developed a site for a client who needs to deploy it on an existing
> IIS server.  I found docs on the web that describe using the redirector
> dll, etc., and have gotten IIS to successfully redirect urls to my JSP
> site.  My problem is that the security constraints that work so well
> when running Tomcat standalone or even on the IIS machine via port 8080,
> do not work when accessing the site through IIS - there is never any
> login dialog presented by the browser; instead, Tomcat redirects to the
> site's 404 error page.
> 
> So what do I need to do to use container-managed security while
> deploying Tomcat through IIS?
> 
> 
> 




IIS and security constraints

2002-06-26 Thread Sean Dillon

I developed a site for a client who needs to deploy it on an existing
IIS server.  I found docs on the web that describe using the redirector
dll, etc., and have gotten IIS to successfully redirect urls to my JSP
site.  My problem is that the security constraints that work so well
when running Tomcat standalone or even on the IIS machine via port 8080,
do not work when accessing the site through IIS - there is never any
login dialog presented by the browser; instead, Tomcat redirects to the
site's 404 error page.

So what do I need to do to use container-managed security while
deploying Tomcat through IIS?







Re: security-constraints

2002-06-11 Thread Craig R. McClanahan



On Tue, 11 Jun 2002, Dennis van den Berg wrote:

> Date: Tue, 11 Jun 2002 13:02:46 +0200
> From: Dennis van den Berg <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: security-constraints
>
> Hi all,
>
> According to the servlet 2.3 specs, the longest path-prefix is used when
> determining which servlet-mapping or which security-constraint is to be
> used.
>

Tomcat actually implements "first matching security constraint", rather
than "longest matching security constraint", so you need to swap the order
of these two in order to get what you want.

Clarifying the rules for this is under discussion for Servlet 2.4.

Craig


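> However when I specify the following security-constraints:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Collection1</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>role1</role-name>
>     </auth-constraint>
>     <user-data-constraint>
>       <transport-guarantee>NONE</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Collection2</web-resource-name>
>       <url-pattern>/view/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>role2</role-name>
>     </auth-constraint>
>     <user-data-constraint>
>       <transport-guarantee>NONE</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>
> A user which is in role2 is denied access to URLs which start with /view/*, and it
> seems that the order in which I specify the security-constraints matters?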
>
> Am I missing something?
>
> Thanks,
>
>


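The difference between "first matching" and "longest matching" constraint selection described in the reply above, applied to the two constraints from the original post. This is an added example, not part of the thread and not Tomcat code; the function names, the simplified path-prefix matcher, the single-role access check and the sample paths are assumptions made for the illustration.

```python
# Added illustration: a model of the two selection rules, not Tomcat source.
from typing import NamedTuple

class Constraint(NamedTuple):
    name: str         # web-resource-name
    url_pattern: str  # path-prefix pattern such as /* or /view/*
    role: str         # role-name from the auth-constraint

def prefix_of(pattern):
    """Path prefix of a '/.../*' pattern ('' for '/*')."""
    if not pattern.endswith("/*"):
        raise ValueError("only path-prefix patterns are modelled: %r" % pattern)
    return pattern[:-2]

def matches(pattern, path):
    """True if path equals the prefix or lies below it ('/viewer' is not under '/view')."""
    prefix = prefix_of(pattern)
    return path == prefix or path.startswith(prefix + "/")

def first_match(constraints, path):
    """Declaration order decides: the behaviour described in the reply."""
    return next((c for c in constraints if matches(c.url_pattern, path)), None)

def longest_match(constraints, path):
    """The longest matching prefix decides: what the poster expected."""
    hits = [c for c in constraints if matches(c.url_pattern, path)]
    return max(hits, key=lambda c: len(prefix_of(c.url_pattern)), default=None)

def allowed(select, constraints, path, user_roles):
    """Assumed access check: no constraint selected, or the user holds its role."""
    chosen = select(constraints, path)
    return chosen is None or chosen.role in user_roles

def shadowed(constraints):
    """(later, earlier) pairs where first-match can never reach the later constraint."""
    pairs = []
    for i, later in enumerate(constraints):
        for earlier in constraints[:i]:
            if matches(earlier.url_pattern, prefix_of(later.url_pattern)):
                pairs.append((later.name, earlier.name))
                break
    return pairs

# The two constraints from the post, in the order posted, and swapped.
POSTED = [Constraint("Collection1", "/*", "role1"),
          Constraint("Collection2", "/view/*", "role2")]
SWAPPED = POSTED[::-1]

if __name__ == "__main__":
    for label, order in (("posted", POSTED), ("swapped", SWAPPED)):
        for path in ("/view/list.jsp", "/index.jsp"):  # constructed sample paths
            print(label, path,
                  "first-match:", allowed(first_match, order, path, {"role2"}),
                  "longest-match:", allowed(longest_match, order, path, {"role2"}))
        print(label, "shadowed:", shadowed(order))
```

Running `shadowed` over a descriptor's constraints in declaration order flags any constraint that a broader, earlier pattern hides under first-match selection.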




security-constraints

2002-06-11 Thread Dennis van den Berg

Hi all,

According to the servlet 2.3 specs, the longest path-prefix is used when determining 
which servlet-mapping or which security-constraint is to be used.

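However when I specify the following security-constraints:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Collection1</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Collection2</web-resource-name>
      <url-pattern>/view/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role2</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

A user which is in role2 is denied access to URLs which start with /view/*, and it
seems that the order in which I specify the security-constraints matters?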

Am I missing something?

Thanks,






RE: manager reload not processing new security constraints

2002-05-07 Thread Cox, Charlie

sorry, I meant web.xml is not reloaded by the manager's 'reload' command.

Charlie

> -Original Message-
> From: Lawlor, Frank [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 07, 2002 1:25 PM
> To: 'Tomcat Users List'
> Subject: RE: manager reload not processing new security constraints
> 
> 
> The application security constraints are in
> its web.xml, not server.xml.
> 
> Does anyone know if reload is supposed to
> process the web.xml?
> 
> Frank Lawlor
> Athens Group, Inc.
> (512) 345-0600 x151
> Athens Group, an employee-owned consulting firm integrating technology
> strategy and software solutions.
> 
> 
> 
> > -Original Message-
> > From: Cox, Charlie [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, May 06, 2002 11:58 AM
> > To: 'Tomcat Users List'
> > Subject: RE: manager reload not processing new security constraints
> > 
> > 
> > I don't think that manager reads server.xml on reload. You can use the
> > manager's stop/start instead.
> > 
> > Charlie
> > 
> > > -Original Message-
> > > From: Lawlor, Frank [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, May 06, 2002 12:09 PM
> > > To: 'Tomcat (E-mail)'
> > > Subject: manager reload not processing new security constraints
> > > 
> > > 
> > > Tomcat 4.0.3:
> > > 
> > > If I add a security constraint to the web.xml of my application
> > > and do a manager/reload of the app, it claims to have 
> > > restarted the app OK, but the new constraint is not effected.
> > > 
> > > If I restart Tomcat, the new constraint does take effect.
> > > 
> > > Is this a bug in the manager reload?
> > > 
> > > Frank Lawlor
> > > Athens Group, Inc.
> > > (512) 345-0600 x151
> > > Athens Group, an employee-owned consulting firm integrating technology
> > > strategy and software solutions.
> > > 
> > > 
> > > 




RE: manager reload not processing new security constraints

2002-05-07 Thread Lawlor, Frank

Charlie,

Your suggestion to use stop/start worked.
I still don't know if reload is supposed
to process the web.xml (would be nice if 
this was made clear), but start/stop does
the job.

Thanks,

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software solutions.



> -Original Message-
> From: Cox, Charlie [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 06, 2002 11:58 AM
> To: 'Tomcat Users List'
> Subject: RE: manager reload not processing new security constraints
> 
> 
> I don't think that manager reads server.xml on reload. You can use the
> manager's stop/start instead.
> 
> Charlie
> 
> > -Original Message-
> > From: Lawlor, Frank [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, May 06, 2002 12:09 PM
> > To: 'Tomcat (E-mail)'
> > Subject: manager reload not processing new security constraints
> > 
> > 
> > Tomcat 4.0.3:
> > 
> > If I add a security constraint to the web.xml of my application
> > and do a manager/reload of the app, it claims to have 
> > restarted the app OK, but the new constraint is not effected.
> > 
> > If I restart Tomcat, the new constraint does take effect.
> > 
> > Is this a bug in the manager reload?
> > 
> > Frank Lawlor
> > Athens Group, Inc.
> > (512) 345-0600 x151
> > Athens Group, an employee-owned consulting firm integrating technology
> > strategy and software solutions.
> > 
> > 
> > 




RE: manager reload not processing new security constraints

2002-05-07 Thread Lawlor, Frank

The application security constraints are in
its web.xml, not server.xml.

Does anyone know if reload is supposed to
process the web.xml?

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software solutions.



> -Original Message-
> From: Cox, Charlie [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 06, 2002 11:58 AM
> To: 'Tomcat Users List'
> Subject: RE: manager reload not processing new security constraints
> 
> 
> I don't think that manager reads server.xml on reload. You can use the
> manager's stop/start instead.
> 
> Charlie
> 
> > -Original Message-
> > From: Lawlor, Frank [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, May 06, 2002 12:09 PM
> > To: 'Tomcat (E-mail)'
> > Subject: manager reload not processing new security constraints
> > 
> > 
> > Tomcat 4.0.3:
> > 
> > If I add a security constraint to the web.xml of my application
> > and do a manager/reload of the app, it claims to have 
> > restarted the app OK, but the new constraint is not effected.
> > 
> > If I restart Tomcat, the new constraint does take effect.
> > 
> > Is this a bug in the manager reload?
> > 
> > Frank Lawlor
> > Athens Group, Inc.
> > (512) 345-0600 x151
> > Athens Group, an employee-owned consulting firm integrating technology
> > strategy and software solutions.
> > 
> > 
> > 




RE: manager reload not processing new security constraints

2002-05-06 Thread Cox, Charlie

I don't think that manager reads server.xml on reload. You can use the
manager's stop/start instead.

Charlie

> -Original Message-
> From: Lawlor, Frank [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 06, 2002 12:09 PM
> To: 'Tomcat (E-mail)'
> Subject: manager reload not processing new security constraints
> 
> 
> Tomcat 4.0.3:
> 
> If I add a security constraint to the web.xml of my application
> and do a manager/reload of the app, it claims to have 
> restarted the app OK, but the new constraint is not effected.
> 
> If I restart Tomcat, the new constraint does take effect.
> 
> Is this a bug in the manager reload?
> 
> Frank Lawlor
> Athens Group, Inc.
> (512) 345-0600 x151
> Athens Group, an employee-owned consulting firm integrating technology
> strategy and software solutions.
> 
> 
> 




manager reload not processing new security constraints

2002-05-06 Thread Lawlor, Frank

Tomcat 4.0.3:

If I add a security constraint to the web.xml of my application
and do a manager/reload of the app, it claims to have 
restarted the app OK, but the new constraint is not effected.

If I restart Tomcat, the new constraint does take effect.

Is this a bug in the manager reload?

Frank Lawlor
Athens Group, Inc.
(512) 345-0600 x151
Athens Group, an employee-owned consulting firm integrating technology
strategy and software solutions.







Problems Apache 1.3 <-> Tomcat 4.0 and Security Constraints

2002-03-12 Thread Michael Timpe

Hi,

I have the following problem:

I wrote a web application using a security constraint with auth-method set to 'FORM'. 
Everything works fine.

I now will use Tomcat as the JSP container under Apache. If I access the application
through Apache, the FORM-based auth-method of Tomcat seems not to work ("not found error").

Does Apache support Form-based login in a manner like Tomcat does?

Any ideas?

Greetings

Michael



Michael Timpe
Melchiorstr. 24
50670 Köln
eMail: [EMAIL PROTECTED]



Security constraints with http-method

2002-02-20 Thread Christopher Chan

Hello,

Does anybody know how to use the security constraint to restrict webdav access to 
authenticated users but let get and post requests get by?

Christopher



Problem with security constraints on /

2001-08-16 Thread Johannes Lehtinen


Hello, Tomcat users!

Earlier this week I stumbled on the following problem. I already found a
solution to it but I am still not sure whether I had misconfigured things
or whether this is a Tomcat bug that should be filed (didn't find an
existing record). Could someone with more expertise confirm if the
following is correct behaviour according to servlet standard (short
explanation would be nice in that case). I am using Tomcat 3.2.3.

I have a servlet mapped to / (within its application context) and I have
restricted the access to / using the following webapp definition.


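- clip -
  <servlet>
    <servlet-name>sms-dispatcher</servlet-name>
    <servlet-class>fi.rossum.bg.sms.SMSDispatcher</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>sms-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>sms-dispatcher</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>smscore</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>smscore</realm-name>
  </login-config>
- clip -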


However, when I point my browser at http://127.0.0.1:8080/smsdispatcher/
Tomcat lets me in without basic authentication! Now, when I do the
following modification...


- clip -
   
 
   sms-dispatcher
-  /
+  /*
 
 
   smscore
- clip -
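
Review bot: the changed line sits between the sms-dispatcher name and the smscore role, so it is the pattern of the security constraint's resource collection, but the servlet mapping earlier in the post uses the same / pattern and the hunk does not say that it stays untouched; state that explicitly so nobody changes the mapping as well. No HTTP method is listed between the pattern and the role, so with /* the constraint applies to every method and every path under the context; after deploying, check that an unauthenticated request to the context root and to a deeper path both receive the BASIC challenge.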


...everything starts working as expected and I have to provide a user name
and password. Is this really how it is supposed to work?

Thanks for clarifications!

--
Johannes Lehtinen <[EMAIL PROTECTED]>, http://www.iki.fi/jle/




Adding security constraints on a per-server basis

2001-04-25 Thread Scott Kelley

Hi,

I'm using Tomcat 3.2.1 on Solaris.

Is it possible to add a <security-constraint> tag somewhere so that 
it will apply to the entire server at once? I want to lock down my 
whole development server at once, instead of having to write separate 
web.xml files for each application.

I tried adding a security constraint to the web.xml file in Tomcat's 
conf/web.xml file, in the hope that adding to the "default" servlet 
would make it apply to all servlets, but it didn't seem to work. Is 
it supposed to? If this does work, does anyone have an example?

Thanks,

Scott
-- 
--
Scott Kelley, [EMAIL PROTECTED]
Biology Computing Services, UC San Diego
--



RE: Security Constraints

2001-04-02 Thread DUDGEON

Depends on what realm you are using. Assuming you are using the default
MemoryRealm, users are defined in $TOMCAT_HOME/conf/tomcat-users.xml
If you are using JDBCRealm then it is presumably assumed that there is an
existing mechanism to manage users/passwords for your database.
If you are using another Realm, then the chances are you have written it
yourself, so should know the answer ;-)

Tim

> -Original Message-
> From: Martin Mauri [mailto:[EMAIL PROTECTED]]
> Sent: 28 March 2001 19:52
> To: [EMAIL PROTECTED]
> Subject: Security Constraints
> 
> 
> Hi users!
> 
> I'm trying to configure the security constraints with FORM login method.
> I've defined to name the role as "role1" but where and how do I add users to
> that roles and where do I configure their passwords?
> 
> regards.
> 
> Martin
> 
> 
> Lic. Martin O. Mauri
> Profesion + Auge A.F.J.P
> Parana 666 - Cap. Federal
> TE: (011) 4373-7786/7 int: 422
> [EMAIL PROTECTED]
> www.profesi.com.ar
> 





Security Constraints

2001-03-28 Thread Martin Mauri

Hi users!

I'm trying to configure the security constraints with FORM login method.
I've defined to name the role as "role1" but where and how do I add users to
that roles and where do I configure their passwords?

regards.

Martin


Lic. Martin O. Mauri
Profesion + Auge A.F.J.P
Parana 666 - Cap. Federal
TE: (011) 4373-7786/7 int: 422
[EMAIL PROTECTED]
www.profesi.com.ar




Security Constraints

2000-11-14 Thread Brian Charlton

Hi

I'm new to Apache/Tomcat so expect an obvious question.

I'm currently designing a multi-tier internet application based upon J2EE
blueprints.  To implement security in J2EE Web Tier the normal approach is
to denote Web Resources (JSPs, Servlets etc) as protected (e.g. form-based
authentication) in the deployment descriptor file for the Web components.

For a web client to access the resources they are forced ( by the J2EE
container) to login to the system by completing a login form.

This is the J2EE approach (I've read).  

I've been advised that Web/Application servers that support J2EE (i.e.
Enterprise Java Beans) are not brilliant at the moment and I should consider
using Apache/Tomcat as a web server and Oracle 8i as my back end database
and J2EE platform to run business logic in EJBs.

If I can't use J2EE Security constraints in the deployment descriptor file
of the web tier, how does Apache/Tomcat authenticate users?

Yours hopefully

Brian

