RE: How do I restrict access to webapps applications from browser users?
Another option would be the BadInputFilterValve. I can't really speak to that option as I have not used it. But, maybe someone else has?

Darryl
Re: How do I restrict access to webapps applications from browser users?
Note that there are also a number of Filters that can implement something similar, with much more fine grained control than the servlet-spec allows for container-managed security.

Darryl Wilburn wrote:
> I lost the thread to this original message, but found what I consider good information.
>
> Ike,
>
> Here's a link to some information on using security-constraint:
> http://www.onjava.com/pub/a/onjava/2001/07/24/tomcat.html
>
> It also states:
> "The sub-element defines the authentication method for the defined realm. The possible values are BASIC, DIGEST, and FORM. And the sub-element names the Web resource that this maps to."
>
> So it doesn't seem to require BASIC authentication.
>
> Darryl

--
Robert r. Sanders
Chief Technologist
iPOV
(334) 821-5412
www.ipov.net
Re: How do I restrict access to webapps applications from browser users?
Ikonne, Ike wrote:
> It is more like the last thing you listed below. I know that when fronted with Apache, that can be done, I thought tomcat had similar directory control that apache has without having to setup security constraints. You basically nailed it, I may have to tell my clients to just front tomcat with Apache.

How is adding lines of configuration to .htaccess/httpd.conf any different than adding a few lines to web.xml? And for no apparent (to me, anyway) advantage you're going to throw in another couple of pieces of software to be installed, configured and maintained?

What exactly is it about Apache httpd "directory control" that you prefer?

--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
dream. code.
RE: How do I restrict access to webapps applications from browser users?
Hi Jason,

It is more like the last thing you listed below. I know that when fronted with Apache, that can be done, I thought tomcat had similar directory control that apache has without having to setup security constraints. You basically nailed it, I may have to tell my clients to just front tomcat with Apache.

Again, thanks for your response

-----Original Message-----
From: Jason Bainbridge [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 13, 2005 4:27 PM
To: Tomcat Users List
Subject: Re: How do I restrict access to webapps applications from browser users?

On 4/13/05, Ikonne, Ike <[EMAIL PROTECTED]> wrote:
> Hi Darryl,
>
> Thanks, I thought there was another way to do it other than setting up
> security constraints and making users to get the signon page that is
> associated with this.
>

Maybe you need to describe what you are actually trying to achieve by this setup.

Are you trying to make it so the content can only be streamed from a JSP/servlet and not accessed directly via the web? (Often done for images and confidential stuff like documents etc)

or

Are you trying to lock certain users out of certain directories?

If you are trying to protect static content you might be best off using Apache and utilising .htaccess files but it all depends what you are trying to do...

Regards,
--
Jason Bainbridge
http://kde.org - [EMAIL PROTECTED]
Personal Site - http://jasonbainbridge.com
Re: How do I restrict access to webapps applications from browser users?
On 4/13/05, Ikonne, Ike <[EMAIL PROTECTED]> wrote:
> Hi Darryl,
>
> Thanks, I thought there was another way to do it other than setting up
> security constraints and making users to get the signon page that is
> associated with this.
>

Maybe you need to describe what you are actually trying to achieve by this setup.

Are you trying to make it so the content can only be streamed from a JSP/servlet and not accessed directly via the web? (Often done for images and confidential stuff like documents etc)

or

Are you trying to lock certain users out of certain directories?

If you are trying to protect static content you might be best off using Apache and utilising .htaccess files but it all depends what you are trying to do...

Regards,
--
Jason Bainbridge
http://kde.org - [EMAIL PROTECTED]
Personal Site - http://jasonbainbridge.com
RE: How do I restrict access to webapps applications from browser users?
Hi Darryl,

Thanks, I thought there was another way to do it other than setting up security constraints and making users to get the signon page that is associated with this.

Thanks,

Ike

-----Original Message-----
From: Darryl Wilburn [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 13, 2005 4:09 PM
To: tomcat-user@jakarta.apache.org
Subject: How do I restrict access to webapps applications from browser users?

I lost the thread to this original message, but found what I consider good information.

Ike,

Here's a link to some information on using security-constraint:
http://www.onjava.com/pub/a/onjava/2001/07/24/tomcat.html

It also states:
"The sub-element defines the authentication method for the defined realm. The possible values are BASIC, DIGEST, and FORM. And the sub-element names the Web resource that this maps to."

So it doesn't seem to require BASIC authentication.

Darryl
How do I restrict access to webapps applications from browser users?
I lost the thread to this original message, but found what I consider good information.

Ike,

Here's a link to some information on using security-constraint:
http://www.onjava.com/pub/a/onjava/2001/07/24/tomcat.html

It also states:
"The sub-element defines the authentication method for the defined realm. The possible values are BASIC, DIGEST, and FORM. And the sub-element names the Web resource that this maps to."

So it doesn't seem to require BASIC authentication.

Darryl
RE: How do I restrict access to webapps applications from browser users?
Ike,

All I'm saying is "Here is what works for me." But it seems that you must have some form of authentication as well as a statement of the required role if you want to restrict access to certain users.

Fritz

-----Original Message-----
From: Ikonne, Ike [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 13, 2005 9:30 AM
To: Tomcat Users List
Subject: RE: How do I restrict access to webapps applications from browser users?

Hi Fritz,

So, are you saying that I have to have basic authentication enabled in order to restrict access to certain directories?

Thanks,

Ike
Re: How do I restrict access to webapps applications from browser users?
The best way to ensure safety, in my opinion, is to use a front controller that acts as a traffic cop, sending all traffic to a presentation tier kept under WEB-INF.

On 4/13/05, Ikonne, Ike <[EMAIL PROTECTED]> wrote:
> Hi Fritz,
>
> So, are you saying that I have to have basic authentication enabled in order
> to restrict access to certain directories?
>
> Thanks,
>
> Ike
>
> -----Original Message-----
> From: Fritz Schneider [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 13, 2005 11:04 AM
> To: 'Tomcat Users List'
> Subject: RE: How do I restrict access to webapps applications from
> browser users?
>
> Ike.
>
> You need to complete your with authorization, login,
> and role information. Here is what works for me:
>
> Restricted Files
> /*
>
> app1
>
> BASIC
> My Application
>
> The role that is required to log in to the application
> app1
>
> You might also want to check out the single login valve.
>
> Fritz

--
"You can lead a horse to water but you cannot make it float on its back."
~Dakota Jack~
RE: How do I restrict access to webapps applications from browser users?
Hi Fritz,

So, are you saying that I have to have basic authentication enabled in order to restrict access to certain directories?

Thanks,

Ike

-----Original Message-----
From: Fritz Schneider [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 13, 2005 11:04 AM
To: 'Tomcat Users List'
Subject: RE: How do I restrict access to webapps applications from browser users?

Ike.

You need to complete your with authorization, login, and role information. Here is what works for me:

Restricted Files
/*

app1

BASIC
My Application

The role that is required to log in to the application
app1

You might also want to check out the single login valve.

Fritz
RE: How do I restrict access to webapps applications from browser users?
Ike.

You need to complete your with authorization, login, and role information. Here is what works for me:

Restricted Files
/*

app1

BASIC
My Application

The role that is required to log in to the application
app1

You might also want to check out the single login valve.

Fritz
How do I restrict access to webapps applications from browser users?
Hi all,

I am trying to restrict access to directories under webapps/myapp and I have the following in my WEB-INF/web.xml, but users still can browse through all the directories under webapps/myapp. What am I doing wrong? I have the same thing for Jetty webserver and it works. I am running tomcat 4.1.

general
/html/*
/jsp/*
/help/*
/images/*
GET
HEAD

specific
/AdminMain/*
GET
HEAD
POST
PUT

Thanks,

Ike
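
The constraint layout from Fritz's reply, applied to the /AdminMain/* path in the question above, as an added example that is not part of any message in this thread. The archive has stripped the posters' tags, so the element names here are the standard servlet deployment-descriptor ones; the second constraint, its resource name and its use of /jsp/* are assumptions added to show blocking direct requests without a sign-on page.

```xml
<!-- Added example, not taken from any message in this thread.
     Fragment for WEB-INF/web.xml, placed inside the web-app element.
     "Direct access denied" and its use of /jsp/* are assumptions. -->

<!-- Role-protected area: Fritz's layout, scoped to /AdminMain/*. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted Files</web-resource-name>
    <url-pattern>/AdminMain/*</url-pattern>
    <!-- No http-method elements, so every method is covered. Listing
         only GET, HEAD, POST and PUT would leave the rest unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>app1</role-name>
  </auth-constraint>
</security-constraint>

<!-- No sign-on page needed: an auth-constraint that names no role refuses
     every direct client request. Servlets and JSPs can still reach these
     files through RequestDispatcher forward/include. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Direct access denied</web-resource-name>
    <url-pattern>/jsp/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>My Application</realm-name>
</login-config>

<security-role>
  <description>The role that is required to log in to the application</description>
  <role-name>app1</role-name>
</security-role>
```

A security-constraint that has no auth-constraint element at all leaves its resources open to everyone, which is different from the empty auth-constraint shown in the second block.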