Problem with security?
Hello, I'm new to JSP development (and to dynamic web development as a whole) so please bear with me. I'm investigating using JSP/Java for a project at my workplace. My system (test server, if you will) is a PC running Windows XP Pro and I am using Tomcat 5.5.9. I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. Specifically, what I've been trying to do is call the request.getRemoteUser() method to ID the requesting user. When I do so, I keep getting null. After reading in the JSP and Java servlet specifications, I see that this call would return null if the user is not authenticated. Reading further, I get the impression that by default, no authentication is needed to access resources. If a security mechanism is specified in the deployment descriptor (which I take to be my webapps\ROOT\WEB-INF\web.xml file), then authentication would be required. Now, I'm not sure that I understand all the nuances of the terminology (not to mention the technology), but it seems that what I've been trying to do should have worked. The web.xml file indicated above contains only the following (and this is the way it came - I added nothing): ?xml version=1.0 encoding=ISO-8859-1? !-- Copyright 2004 The Apache Software Foundation Licensed under the Apache License, Version 2.0 (the License); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an AS IS BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -- web-app xmlns=http://java.sun.com/xml/ns/j2ee; xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation=http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd; version=2.4 display-nameWelcome to Tomcat/display-name description Welcome to Tomcat /description !-- JSPC servlet mappings start -- servlet servlet-nameorg.apache.jsp.index_jsp/servlet-name servlet-classorg.apache.jsp.index_jsp/servlet-class /servlet servlet-mapping servlet-nameorg.apache.jsp.index_jsp/servlet-name url-pattern/index.jsp/url-pattern /servlet-mapping !-- JSPC servlet mappings end -- /web-app Does anyone have any suggestions as to why this doesn't work -or- any suggestions for an alternate method? Also, in a more general sense, any information regarding good sources of information for learning how to do JSP/Servlet programming (web, books, etc.) would be appreciated. Please keep in mind that I am new at this, so examples of some obscure objective or expert level programming will probably be over my head. Thanks, Joe Gagnon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Problem with security?
From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED] Subject: Problem with security? I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. Those seem to be rather contradictory requirements. How do you expect to determine identity without some form of login? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Problem with security?
From: Gagnon, Joseph M (US SSA) I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. OK. So what identity can the browser present that you wish to discover? Are all your users on Windows, for example, and you wish to discover their Windows username? On UNIX? The way HTTP works is that your servlet has to refuse access to a resource before it can obtain any information at all about the user at the other end of the connection. So at the very least, you'll have to investigate creating a servlet that requires authentication. You can then have some control over the kinds of authentication you say you'll accept, and therefore whether the user's browser tries to satisfy the request behind the scenes or whether it pops up that ugly dialog box requesting a username and password. If you're on Windows and want the user's Windows authentication, take a look at the NTLM Authentication Filter - see http://jcifs.samba.org/src/docs/ntlmhttpauth.html for details. Note that I've never used this and can't help any further than these pointers. - Peter - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Problem with security?
Look into the ServletRequest interface. That interface, which is extended in HttpServletRequest. You can call the getRemoteAddr(), getRemoteHost(), etc. methods. You receive null in your getRemoteUser because the user hasn't been 'authenticated' yet. On 10 Jun 2005, Gagnon, Joseph M (US SSA) wrote: Hello, I'm new to JSP development (and to dynamic web development as a whole) so please bear with me. I'm investigating using JSP/Java for a project at my workplace. My system (test server, if you will) is a PC running Windows XP Pro and I am using Tomcat 5.5.9. I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. Specifically, what I've been trying to do is call the request.getRemoteUser() method to ID the requesting user. When I do so, I keep getting null. After reading in the JSP and Java servlet specifications, I see that this call would return null if the user is not authenticated. Reading further, I get the impression that by default, no authentication is needed to access resources. If a security mechanism is specified in the deployment descriptor (which I take to be my webapps\ROOT\WEB-INF\web.xml file), then authentication would be required. Now, I'm not sure that I understand all the nuances of the terminology (not to mention the technology), but it seems that what I've been trying to do should have worked. The web.xml file indicated above contains only the following (and this is the way it came - I added nothing): ?xml version=3D1.0 encoding=3DISO-8859-1? !-- Copyright 2004 The Apache Software Foundation Licensed under the Apache License, Version 2.0 (the License); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an AS IS BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -- web-app xmlns=3Dhttp://java.sun.com/xml/ns/j2ee; xmlns:xsi=3Dhttp://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation=3Dhttp://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd; version=3D2.4 display-nameWelcome to Tomcat/display-name description Welcome to Tomcat /description !-- JSPC servlet mappings start -- servlet servlet-nameorg.apache.jsp.index_jsp/servlet-name servlet-classorg.apache.jsp.index_jsp/servlet-class /servlet servlet-mapping servlet-nameorg.apache.jsp.index_jsp/servlet-name url-pattern/index.jsp/url-pattern /servlet-mapping !-- JSPC servlet mappings end -- /web-app Does anyone have any suggestions as to why this doesn't work -or- any suggestions for an alternate method? Also, in a more general sense, any information regarding good sources of information for learning how to do JSP/Servlet programming (web, books, etc.) would be appreciated. Please keep in mind that I am new at this, so examples of some obscure objective or expert level programming will probably be over my head. Thanks, Joe Gagnon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Problem with security?
I believe I've covered that all in my original message. Read further. -Original Message- From: egan0019 [mailto:[EMAIL PROTECTED] Sent: Friday, June 10, 2005 10:10 AM To: Tomcat Users List Subject: Re: Problem with security? Look into the ServletRequest interface. That interface, which is extended in HttpServletRequest. You can call the getRemoteAddr(), getRemoteHost(), etc. methods. You receive null in your getRemoteUser because the user hasn't been 'authenticated' yet. On 10 Jun 2005, Gagnon, Joseph M (US SSA) wrote: Hello, I'm new to JSP development (and to dynamic web development as a whole) so please bear with me. I'm investigating using JSP/Java for a project at my workplace. My system (test server, if you will) is a PC running Windows XP Pro and I am using Tomcat 5.5.9. I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. Specifically, what I've been trying to do is call the request.getRemoteUser() method to ID the requesting user. When I do so, I keep getting null. After reading in the JSP and Java servlet specifications, I see that this call would return null if the user is not authenticated. Reading further, I get the impression that by default, no authentication is needed to access resources. If a security mechanism is specified in the deployment descriptor (which I take to be my webapps\ROOT\WEB-INF\web.xml file), then authentication would be required. Now, I'm not sure that I understand all the nuances of the terminology (not to mention the technology), but it seems that what I've been trying to do should have worked. The web.xml file indicated above contains only the following (and this is the way it came - I added nothing): ?xml version=3D1.0 encoding=3DISO-8859-1? !-- Copyright 2004 The Apache Software Foundation Licensed under the Apache License, Version 2.0 (the License); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an AS IS BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. -- web-app xmlns=3Dhttp://java.sun.com/xml/ns/j2ee; xmlns:xsi=3Dhttp://www.w3.org/2001/XMLSchema-instance; xsi:schemaLocation=3Dhttp://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd; version=3D2.4 display-nameWelcome to Tomcat/display-name description Welcome to Tomcat /description !-- JSPC servlet mappings start -- servlet servlet-nameorg.apache.jsp.index_jsp/servlet-name servlet-classorg.apache.jsp.index_jsp/servlet-class /servlet servlet-mapping servlet-nameorg.apache.jsp.index_jsp/servlet-name url-pattern/index.jsp/url-pattern /servlet-mapping !-- JSPC servlet mappings end -- /web-app Does anyone have any suggestions as to why this doesn't work -or- any suggestions for an alternate method? Also, in a more general sense, any information regarding good sources of information for learning how to do JSP/Servlet programming (web, books, etc.) would be appreciated. Please keep in mind that I am new at this, so examples of some obscure objective or expert level programming will probably be over my head. Thanks, Joe Gagnon - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Problem with security?
I think you have missed the point that you cannot get user information unless the user authenticates. You don't want to have a user authenticate but you want to get user information. These are mutually exclusive tasks. If the user does not authenticate, you can only get the external IP address of the requestor. In order to get user information, you must have the user authenticate. You might have your users sent to a page that gathers the user ID and then store it in a cookie. You cannot count on the browser sending user information because the logged in user may and often is not the actual user. I don't know how you can call it secure if you don't require a key to open the door. You may be encrypted in your transfer over SSL but if you don't have the user log in, you are not secure. Robert S. Harper Information Access Technology, Inc. -Original Message- From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED] Sent: Friday, June 10, 2005 8:43 AM To: Tomcat Users List Subject: RE: Problem with security? I believe I've covered that all in my original message. Read further. -Original Message- From: egan0019 [mailto:[EMAIL PROTECTED] Sent: Friday, June 10, 2005 10:10 AM To: Tomcat Users List Subject: Re: Problem with security? Look into the ServletRequest interface. That interface, which is extended in HttpServletRequest. You can call the getRemoteAddr(), getRemoteHost(), etc. methods. You receive null in your getRemoteUser because the user hasn't been 'authenticated' yet. On 10 Jun 2005, Gagnon, Joseph M (US SSA) wrote: Hello, I'm new to JSP development (and to dynamic web development as a whole) so please bear with me. I'm investigating using JSP/Java for a project at my workplace. My system (test server, if you will) is a PC running Windows XP Pro and I am using Tomcat 5.5.9. I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. Specifically, what I've been trying to do is call the request.getRemoteUser() method to ID the requesting user. When I do so, I keep getting null. After reading in the JSP and Java servlet specifications, I see that this call would return null if the user is not authenticated. Reading further, I get the impression that by default, no authentication is needed to access [Robert Harper] [snip] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Problem with security?
Did I not say that I'm new to this? I made no mention to whether or not I was trying to make it secure. This is only meant to be used within my company's intranet and my intention was to take the user account and then compare it with a set of registered users in the application's DB. I am beginning to see that at the very least I need to create some kind of mechanism (although I don't understand yet how to go about that, or how many different ways it can be done) to perform user authentication. If anyone can provide information on how to do this (keep in mind I'm new at this), please let me know. -Original Message- From: Robert Harper [mailto:[EMAIL PROTECTED] Sent: Friday, June 10, 2005 10:59 AM To: 'Tomcat Users List' Subject: RE: Problem with security? I think you have missed the point that you cannot get user information unless the user authenticates. You don't want to have a user authenticate but you want to get user information. These are mutually exclusive tasks. If the user does not authenticate, you can only get the external IP address of the requestor. In order to get user information, you must have the user authenticate. You might have your users sent to a page that gathers the user ID and then store it in a cookie. You cannot count on the browser sending user information because the logged in user may and often is not the actual user. I don't know how you can call it secure if you don't require a key to open the door. You may be encrypted in your transfer over SSL but if you don't have the user log in, you are not secure. Robert S. Harper Information Access Technology, Inc. -Original Message- From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED] Sent: Friday, June 10, 2005 8:43 AM To: Tomcat Users List Subject: RE: Problem with security? I believe I've covered that all in my original message. Read further. -Original Message- From: egan0019 [mailto:[EMAIL PROTECTED] Sent: Friday, June 10, 2005 10:10 AM To: Tomcat Users List Subject: Re: Problem with security? Look into the ServletRequest interface. That interface, which is extended in HttpServletRequest. You can call the getRemoteAddr(), getRemoteHost(), etc. methods. You receive null in your getRemoteUser because the user hasn't been 'authenticated' yet. On 10 Jun 2005, Gagnon, Joseph M (US SSA) wrote: Hello, I'm new to JSP development (and to dynamic web development as a whole) so please bear with me. I'm investigating using JSP/Java for a project at my workplace. My system (test server, if you will) is a PC running Windows XP Pro and I am using Tomcat 5.5.9. I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. Specifically, what I've been trying to do is call the request.getRemoteUser() method to ID the requesting user. When I do so, I keep getting null. After reading in the JSP and Java servlet specifications, I see that this call would return null if the user is not authenticated. Reading further, I get the impression that by default, no authentication is needed to access [Robert Harper] [snip] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Problem with security?
Try basic authentication. The browser will cache the user name and password and it will only expire when the browse closes. Read in the documents on how to configure the authentication. You might require authentication for all protocols and use BASIC authentication. This will make it easier for the user with a single login and then they can go wherever you allow them and not have to login again until they close the browser. Robert S. Harper Information Access Technology, Inc. -Original Message- From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED] Sent: Friday, June 10, 2005 9:19 AM To: Tomcat Users List Subject: RE: Problem with security? Did I not say that I'm new to this? I made no mention to whether or not I was trying to make it secure. This is only meant to be used within my company's intranet and my intention was to take the user account and then compare it with a set of registered users in the application's DB. I am beginning to see that at the very least I need to create some kind of mechanism (although I don't understand yet how to go about that, or how many different ways it can be done) to perform user authentication. If anyone can provide information on how to do this (keep in mind I'm new at this), please let me know. -Original Message- From: Robert Harper [mailto:[EMAIL PROTECTED] Sent: Friday, June 10, 2005 10:59 AM To: 'Tomcat Users List' Subject: RE: Problem with security? I think you have missed the point that you cannot get user information unless the user authenticates. You don't want to have a user authenticate but you want to get user information. These are mutually exclusive tasks. If the user does not authenticate, you can only get the external IP address of the requestor. In order to get user information, you must have the user authenticate. You might have your users sent to a page that gathers the user ID and then store it in a cookie. You cannot count on the browser sending user information because the logged in user may and often is not the actual user. I don't know how you can call it secure if you don't require a key to open the door. You may be encrypted in your transfer over SSL but if you don't have the user log in, you are not secure. Robert S. Harper Information Access Technology, Inc. -Original Message- From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED] Sent: Friday, June 10, 2005 8:43 AM To: Tomcat Users List Subject: RE: Problem with security? I believe I've covered that all in my original message. Read further. -Original Message- From: egan0019 [mailto:[EMAIL PROTECTED] Sent: Friday, June 10, 2005 10:10 AM To: Tomcat Users List Subject: Re: Problem with security? Look into the ServletRequest interface. That interface, which is extended in HttpServletRequest. You can call the getRemoteAddr(), getRemoteHost(), etc. methods. You receive null in your getRemoteUser because the user hasn't been 'authenticated' yet. On 10 Jun 2005, Gagnon, Joseph M (US SSA) wrote: Hello, I'm new to JSP development (and to dynamic web development as a whole) so please bear with me. I'm investigating using JSP/Java for a project at my workplace. My system (test server, if you will) is a PC running Windows XP Pro and I am using Tomcat 5.5.9. I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. Specifically, what I've been trying to do is call the request.getRemoteUser() method to ID the requesting user. When I do so, I keep getting null. After reading in the JSP and Java servlet specifications, I see that this call would return null if the user is not authenticated. Reading further, I get the impression that by default, no authentication is needed to access [Robert Harper] [snip] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Problem with security?
Hi Joe, To summarize the point that all of these others folks were making; Tomcat by itself has no way of interrogating the operating system of the connecting machine or noticing through the information that it gets from then browser that the user is a particular person. Tomcat can only tell you for sure about the physical connection (IP, and possibly hostname... either of which may be useful to me, but I'll get there in a minute). I don't have the tomcat source in front of me right now, but I'm pretty sure that the getRemoteUser() method is a typical java 'getter' method; the part of tomcat that manages sessions looks at the incoming cookie and notices that this request is part of an existing, validated session and does essentially 'setRemoteUser()'... nothing automagical about it. So, back to what you *can* do. So, you know their IP/host; you could use this to query a windows domain controller, which would be able to report which real user is logged onto which machine -- I believe that's what Pete's suggestion was as well; seems like there's some potential there. You can just trust the IP address or hostname (if physical access to the computer is strong enough authentication for you... it really shouldn't be though, because names/IPs can be changed). So, bottom line, you're gonna have to put some work in. If you *do* find a solution that works, make sure to report it back to the list so that everyone can benefit. Cheers, Patrick On 6/10/05, Gagnon, Joseph M (US SSA) [EMAIL PROTECTED] wrote: Did I not say that I'm new to this? I made no mention to whether or not I was trying to make it secure. This is only meant to be used within my company's intranet and my intention was to take the user account and then compare it with a set of registered users in the application's DB. I am beginning to see that at the very least I need to create some kind of mechanism (although I don't understand yet how to go about that, or how many different ways it can be done) to perform user authentication. If anyone can provide information on how to do this (keep in mind I'm new at this), please let me know. -Original Message- From: Robert Harper [mailto:[EMAIL PROTECTED] Sent: Friday, June 10, 2005 10:59 AM To: 'Tomcat Users List' Subject: RE: Problem with security? I think you have missed the point that you cannot get user information unless the user authenticates. You don't want to have a user authenticate but you want to get user information. These are mutually exclusive tasks. If the user does not authenticate, you can only get the external IP address of the requestor. In order to get user information, you must have the user authenticate. You might have your users sent to a page that gathers the user ID and then store it in a cookie. You cannot count on the browser sending user information because the logged in user may and often is not the actual user. I don't know how you can call it secure if you don't require a key to open the door. You may be encrypted in your transfer over SSL but if you don't have the user log in, you are not secure. Robert S. Harper Information Access Technology, Inc. -Original Message- From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED] Sent: Friday, June 10, 2005 8:43 AM To: Tomcat Users List Subject: RE: Problem with security? I believe I've covered that all in my original message. Read further. -Original Message- From: egan0019 [mailto:[EMAIL PROTECTED] Sent: Friday, June 10, 2005 10:10 AM To: Tomcat Users List Subject: Re: Problem with security? Look into the ServletRequest interface. That interface, which is extended in HttpServletRequest. You can call the getRemoteAddr(), getRemoteHost(), etc. methods. You receive null in your getRemoteUser because the user hasn't been 'authenticated' yet. On 10 Jun 2005, Gagnon, Joseph M (US SSA) wrote: Hello, I'm new to JSP development (and to dynamic web development as a whole) so please bear with me. I'm investigating using JSP/Java for a project at my workplace. My system (test server, if you will) is a PC running Windows XP Pro and I am using Tomcat 5.5.9. I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. Specifically, what I've been trying to do is call the request.getRemoteUser() method to ID the requesting user. When I do so, I keep getting null. After reading in the JSP and Java servlet specifications, I see that this call would return null if the user is not authenticated. Reading further, I get the impression that by default, no authentication is needed to access [Robert Harper] [snip] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL
Re: Problem with security?
There are some pretty good resources for getting started on Servlet/JSP stuff; try the O'Reilly books, especially the latest version of their JSP book. I suggest that you need to think of what you are wanting to do in 2 phases: 1. Login 2. Authenticate (using values supplied by login). There are a couple of alternatives if you want to save your user's from having to type in passwords over and over; since I'm kind of bored, here's a brief list: 1. If you're users are on Windows desktops, then NTLM Auth can get the User information from the browser (either IE or Firefox) without the user having to login (see http://jcifs.samba.org/src/docs/ntlmhttpauth.html) 2. If you have then deployed, then you could use client-certificates to authenticate users. 3. You could use a 'remember-me' library (typically uses cookies so that user only has to login once). Gagnon, Joseph M (US SSA) wrote: Did I not say that I'm new to this? I made no mention to whether or not I was trying to make it secure. This is only meant to be used within my company's intranet and my intention was to take the user account and then compare it with a set of registered users in the application's DB. I am beginning to see that at the very least I need to create some kind of mechanism (although I don't understand yet how to go about that, or how many different ways it can be done) to perform user authentication. If anyone can provide information on how to do this (keep in mind I'm new at this), please let me know. -Original Message- From: Robert Harper [mailto:[EMAIL PROTECTED] Sent: Friday, June 10, 2005 10:59 AM To: 'Tomcat Users List' Subject: RE: Problem with security? -- Robert r. Sanders Chief Technologist iPOV (334) 821-5412 www.ipov.net - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Problem with security?
Not if you are using mutually authenticated SSL. On 6/10/05, Caldarale, Charles R [EMAIL PROTECTED] wrote: From: Gagnon, Joseph M (US SSA) [mailto:[EMAIL PROTECTED] Subject: Problem with security? I have a situation where I want to be able to provide user access to an application by determining the identity of the requesting user, without them having to go through a login procedure. Those seem to be rather contradictory requirements. How do you expect to determine identity without some form of login? - Chuck THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Problem with security?
Gagnon, Joseph M (US SSA) wrote: Did I not say that I'm new to this? I made no mention to whether or not I was trying to make it secure. This is only meant to be used within my company's intranet and my intention was to take the user account and then compare it with a set of registered users in the application's DB. I am beginning to see that at the very least I need to create some kind of mechanism (although I don't understand yet how to go about that, or how many different ways it can be done) to perform user authentication. If anyone can provide information on how to do this (keep in mind I'm new at this), please let me know. HttpServletRequest interface gives you remoteUser() method to determine WHO requested the page. How server gets this is another story. Basically, some sort of authentication has to take place. Keep in mind that in production people usually place Apache as a front-end, which can have benefits in your case. There are several mechanisms available for authentication: - HTTP Basic (both TC and Apache can do this) unencrypted user/pass - HTTP Digest (both TC and Apache can do this) MD5 Digest hashing (secure) - HTTPS Client Certificate (both TC and Apache can do this) - HTTP Negotiate (TC cannot do this, Apache needs mod_krb_auth or similar module, IIS can do it) Basic is supported by all browsers, Digest is not so commonly supported (AFAIK), HTTPS is widely supported. Negotiate is intended for MS Active Directory, since it can go with Kerberos V. It requires advanced sys admin skills to setup, but it will give your users the ability to login to ADS and use those credentials for authentication to your application. Nix. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
xalan problem with security manager
Hi all, I can't make xalan work when I run tomcat with security manager. All I get is java.lang.ExceptionInInitializerError (see stack trace below). It works fine without security manager. Has any of you used xalan on tomcat with secuirity manager? What privileges should I grant to the code? I tried: grant { permission java.util.PropertyPermission *, read; permission java.net.SocketPermission *, connect; permission java.lang.RuntimePermission getClassLoader; }; grant { permission java.io.FilePermission ${catalina.home}/temp/*, read, write, delete; }; But it doesn't help. Any ideas? Thank you very much in advance, Michal. My setup is tomcat 5.0.28 on jdk 1.4.2_06, it behaves the same on win xp or linux. Here's the code: File xmlFileObj = new File(xmlFile); File xslFileObj = new File(xslFile); this.out = out; TransformerFactory tFactory = TransformerFactory.newInstance(); Transformer transformer = tFactory.newTransformer(new StreamSource(xslFileObj)); transformer.setParameter(serviceName, serviceName); transformer.transform(new StreamSource(xmlFileObj), new StreamResult(out)); out.flush(); And the stack trace. javax.servlet.ServletException org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageCont extImpl.java:825) org.apache.jasper.runtime.PageContextImpl.access$1100(PageContextImpl.ja va:64) org.apache.jasper.runtime.PageContextImpl$12.run(PageContextImpl.java:74 5) java.security.AccessController.doPrivileged(Native Method) org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContex tImpl.java:743) org.apache.jsp.tree_jsp._jspService(tree_jsp.java:98) org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94) javax.servlet.http.HttpServlet.service(HttpServlet.java:802) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.ja va:324) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:292) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236) javax.servlet.http.HttpServlet.service(HttpServlet.java:802) sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav a:39) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor Impl.java:25) java.lang.reflect.Method.invoke(Method.java:324) org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239) java.security.AccessController.doPrivileged(Native Method) javax.security.auth.Subject.doAsPrivileged(Subject.java:500) org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268) org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.jav a:157) root cause java.lang.ExceptionInInitializerError java.lang.Class.forName0(Native Method) java.lang.Class.forName(Class.java:141) org.apache.xalan.serialize.SerializerFactory.getSerializer(SerializerFac tory.java:131) org.apache.xalan.transformer.TransformerImpl.createResultContentHandler( TransformerImpl.java:1048) org.apache.xalan.transformer.TransformerImpl.createResultContentHandler( TransformerImpl.java:975) org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl.j ava:1124) org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl.j ava:1107) circeos.xml.XslHtmlConverter.Display(XslHtmlConverter.java:29) org.apache.jsp.tree_jsp._jspService(tree_jsp.java:84) org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94) javax.servlet.http.HttpServlet.service(HttpServlet.java:802) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.ja va:324) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:292) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236) javax.servlet.http.HttpServlet.service(HttpServlet.java:802) sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav a:39) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor Impl.java:25) java.lang.reflect.Method.invoke(Method.java:324) org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239) java.security.AccessController.doPrivileged(Native Method) javax.security.auth.Subject.doAsPrivileged(Subject.java:500) org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:268) org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.jav a:157) - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional
Re: xalan problem with security manager
Michael- If you suspect the error is related to the security manager, run tomcat with the following environment variable set: export CATALINA_OPTS=-Djava.security.debug=access:failure This will put logging for the security manager in your catalina.out file (or your applications log file if you defined a new logger for your webapp). It will show all the access checks (in short form) and a stack trace and domain that caused the failure when a failure occurs. It will tell you what permission was denied, and the codebase it was denied to. I used it extensively yesterday to set up my security policy. For more info see http://jakarta.apache.org/tomcat/tomcat-5.0-doc/security-manager- howto.html Greg On Jan 14, 2005, at 4:58 AM, Michal Kwiatek wrote: Hi all, I can't make xalan work when I run tomcat with security manager. All I get is java.lang.ExceptionInInitializerError (see stack trace below). It works fine without security manager. Has any of you used xalan on tomcat with secuirity manager? What privileges should I grant to the code? I tried: grant { permission java.util.PropertyPermission *, read; permission java.net.SocketPermission *, connect; permission java.lang.RuntimePermission getClassLoader; }; grant { permission java.io.FilePermission ${catalina.home}/temp/*, read, write, delete; }; But it doesn't help. Any ideas? Thank you very much in advance, Michal. My setup is tomcat 5.0.28 on jdk 1.4.2_06, it behaves the same on win xp or linux. Here's the code: File xmlFileObj = new File(xmlFile); File xslFileObj = new File(xslFile); this.out = out; TransformerFactory tFactory = TransformerFactory.newInstance(); Transformer transformer = tFactory.newTransformer(new StreamSource(xslFileObj)); transformer.setParameter(serviceName, serviceName); transformer.transform(new StreamSource(xmlFileObj), new StreamResult(out)); out.flush(); And the stack trace. javax.servlet.ServletException org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageCon t extImpl.java:825) org.apache.jasper.runtime.PageContextImpl.access$1100(PageContextImpl.j a va:64) org.apache.jasper.runtime.PageContextImpl$12.run(PageContextImpl.java: 74 5) java.security.AccessController.doPrivileged(Native Method) org.apache.jasper.runtime.PageContextImpl.handlePageException(PageConte x tImpl.java:743) org.apache.jsp.tree_jsp._jspService(tree_jsp.java:98) org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94) javax.servlet.http.HttpServlet.service(HttpServlet.java:802) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.j a va:324) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java: 292) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236) javax.servlet.http.HttpServlet.service(HttpServlet.java:802) sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.ja v a:39) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccesso r Impl.java:25) java.lang.reflect.Method.invoke(Method.java:324) org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:239) java.security.AccessController.doPrivileged(Native Method) javax.security.auth.Subject.doAsPrivileged(Subject.java:500) org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java: 268) org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.ja v a:157) root cause java.lang.ExceptionInInitializerError java.lang.Class.forName0(Native Method) java.lang.Class.forName(Class.java:141) org.apache.xalan.serialize.SerializerFactory.getSerializer(SerializerFa c tory.java:131) org.apache.xalan.transformer.TransformerImpl.createResultContentHandler ( TransformerImpl.java:1048) org.apache.xalan.transformer.TransformerImpl.createResultContentHandler ( TransformerImpl.java:975) org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl. j ava:1124) org.apache.xalan.transformer.TransformerImpl.transform(TransformerImpl. j ava:1107) circeos.xml.XslHtmlConverter.Display(XslHtmlConverter.java:29) org.apache.jsp.tree_jsp._jspService(tree_jsp.java:84) org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94) javax.servlet.http.HttpServlet.service(HttpServlet.java:802) org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.j a va:324) org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java: 292) org.apache.jasper.servlet.JspServlet.service(JspServlet.java:236) javax.servlet.http.HttpServlet.service(HttpServlet.java:802) sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.ja v a:39) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccesso r Impl.java:25)
Re: problem with security manager, plesk and mysql (catalina.policy ignored?)
I see now where my problem can be. If I extract the war file to directory ${catalina.home}/psa-webapps/mydomain.com/myapplication/ and insert in the policy file grant codeBase file:${catalina.home}/psa-webapps/mydomain.com/myapplication/ { permission java.net.SocketPermission localhost,resolve; permission java.net.SocketPermission localhost:3306,connect,resolve; }; I can then connect to the database, so I guess my problem is I'm not using the proper syntax in the policy file for the .war I will google for a while :-) Alfonso. El sáb, 30-10-2004 a las 00:21, Alfonso Alba García escribió: Hi everybody, I have problems when connecting to mysql. I'm getting the following exception when trying to connect to a mysql database: (SQLException): java.sql.SQLException: Unable to connect to any hosts due to exception: java.security.AccessControlException: access denied (java.net.SocketPermission localhost resolve) I have read about similar problems in google and tried to modify the catalina.policy without success. I deploy applications via a Plesk web interface which loads my .war file, sets it in /var/tomcat4/psa-wars/mydomain.com/ creates a symlink to the war file in /var/tomcat4/psa-webapps/mydomain.com/ and makes the application available via mydomain.com/myapplication. It works fine except when an application tries to access a mysql database. I´m getting the exception above, even though I tried the following lines in catalina.policy without success (found similar exeptions to this one in google): grant codeBase file:${catalina.home}/psa-webapps/mydomain.com/myapplication/- { permission java.net.SocketPermission localhost,resolve; permission java.net.SocketPermission localhost:3306,connect,resolve; }; grant codeBase file:${catalina.home}/psa-webapps/mydomain.com/myapplication/WEB-INF/lib/mysql-connector-java-3.0.9-stable-bin.jar { permission java.net.SocketPermission localhost,resolve; permission java.net.SocketPermission localhost:3306,connect,resolve; }; I tried both of them one at a time and I restarted tomcat after every modification made to the catalina.policy I´m using tomcat 4.1.24 on a redhat linux Enterprise server, with /mysql-connector-java-3.0.9 and jre 1.4.2. Tomcat and mysql are in the same server. The way I´m trying to access the database in a jsp is conexion = DriverManager.getConnection(jdbc:mysql://localhost/DATABASE?user=USERpassword=PASSWORD); I've checked that the database exists, I can connect to the database from a console as user USER with password PASSWORD. The application works perfectly well in another server (debian woody with tomcat 4.0) where it was not necessary to modify the security policy. I talked to a friend of mine who also knows something about tomcat and told me that to access a database in the same server where tomcat is, it should not be necessary to modify the catalina.policy file. I have some experience with tomcat but i run out of ideas and things to try. Any help to open my eyes would be appreciated. Thanks a lot in advance, Alfonso signature.asc Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada digitalmente
problem with security manager, plesk and mysql (catalina.policy ignored?)
Hi everybody, I have problems when connecting to mysql. I'm getting the following exception when trying to connect to a mysql database: (SQLException): java.sql.SQLException: Unable to connect to any hosts due to exception: java.security.AccessControlException: access denied (java.net.SocketPermission localhost resolve) I have read about similar problems in google and tried to modify the catalina.policy without success. I deploy applications via a Plesk web interface which loads my .war file, sets it in /var/tomcat4/psa-wars/mydomain.com/ creates a symlink to the war file in /var/tomcat4/psa-webapps/mydomain.com/ and makes the application available via mydomain.com/myapplication. It works fine except when an application tries to access a mysql database. I´m getting the exception above, even though I tried the following lines in catalina.policy without success (found similar exeptions to this one in google): grant codeBase file:${catalina.home}/psa-webapps/mydomain.com/myapplication/- { permission java.net.SocketPermission localhost,resolve; permission java.net.SocketPermission localhost:3306,connect,resolve; }; grant codeBase file:${catalina.home}/psa-webapps/mydomain.com/myapplication/WEB-INF/lib/mysql-connector-java-3.0.9-stable-bin.jar { permission java.net.SocketPermission localhost,resolve; permission java.net.SocketPermission localhost:3306,connect,resolve; }; I tried both of them one at a time and I restarted tomcat after every modification made to the catalina.policy I´m using tomcat 4.1.24 on a redhat linux Enterprise server, with /mysql-connector-java-3.0.9 and jre 1.4.2. Tomcat and mysql are in the same server. The way I´m trying to access the database in a jsp is conexion = DriverManager.getConnection(jdbc:mysql://localhost/DATABASE?user=USERpassword=PASSWORD); I've checked that the database exists, I can connect to the database from a console as user USER with password PASSWORD. The application works perfectly well in another server (debian woody with tomcat 4.0) where it was not necessary to modify the security policy. I talked to a friend of mine who also knows something about tomcat and told me that to access a database in the same server where tomcat is, it should not be necessary to modify the catalina.policy file. I have some experience with tomcat but i run out of ideas and things to try. Any help to open my eyes would be appreciated. Thanks a lot in advance, Alfonso signature.asc Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada digitalmente
problem with security-constraint with Tomcat 5
I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28. We're also using Tiles and Struts 1.1. The problem is that Tomcat 5 seems to be confused with a url pattern that works with Tomcat 4. Here's the pertinent parts of web.xml (I get the same results with 2.3 or 2.4 version of web.xml): ... !-- Struts action servlet -- servlet servlet-namestrutsnav/servlet-name servlet-classorg.apache.struts.action.ActionServlet/servlet-class init-param param-nameconfig/param-name param-value/WEB-INF/conf/struts-config.xml/param-value /init-param init-param param-namevalidate/param-name param-valuetrue/param-value /init-param load-on-startup1/load-on-startup /servlet ... servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.do/url-pattern /servlet-mapping ... !-- JAAS Security Realm config -- security-constraint web-resource-collection web-resource-nameSecure Struts Actions/web-resource-name url-pattern*.sec.do/url-pattern /web-resource-collection auth-constraint role-nameGeneral User/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.do/form-login-page form-error-page/logininvalid.do/form-error-page /form-login-config /login-config security-role role-nameGeneral User/role-name /security-role ... If I try to access a sec.do Struts action, I just get a blank space in the body of the Tiles layout - I don't get the login form. If I change the url-pattern in web-resource-collection to *.do, then I get the login page. It seems that Tomcat 5 doesn't like two dots in the url pattern. Is this a bug? I also tried to add the following, but it didn't help: servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.sec.do/url-pattern /servlet-mapping Thanks, Cecile Mercado - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: problem with security-constraint with Tomcat 5
Hi, Could this be something that changed (or rather, was clarified) in the Servlet Spec between version 2.3 (which Tomcat 4.x implements) and 2.4 (which Tomcat 5.x implements)? ;) Yoav Shapira http://www.yoavshapira.com -Original Message- From: Mercado . Maria [mailto:[EMAIL PROTECTED] Sent: Monday, October 18, 2004 10:08 AM To: [EMAIL PROTECTED] Subject: problem with security-constraint with Tomcat 5 I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28. We're also using Tiles and Struts 1.1. The problem is that Tomcat 5 seems to be confused with a url pattern that works with Tomcat 4. Here's the pertinent parts of web.xml (I get the same results with 2.3 or 2.4 version of web.xml): ... !-- Struts action servlet -- servlet servlet-namestrutsnav/servlet-name servlet-classorg.apache.struts.action.ActionServlet/servlet- class init-param param-nameconfig/param-name param-value/WEB-INF/conf/struts-config.xml/param-value /init-param init-param param-namevalidate/param-name param-valuetrue/param-value /init-param load-on-startup1/load-on-startup /servlet ... servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.do/url-pattern /servlet-mapping ... !-- JAAS Security Realm config -- security-constraint web-resource-collection web-resource-nameSecure Struts Actions/web-resource-name url-pattern*.sec.do/url-pattern /web-resource-collection auth-constraint role-nameGeneral User/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.do/form-login-page form-error-page/logininvalid.do/form-error-page /form-login-config /login-config security-role role-nameGeneral User/role-name /security-role ... If I try to access a sec.do Struts action, I just get a blank space in the body of the Tiles layout - I don't get the login form. If I change the url-pattern in web-resource-collection to *.do, then I get the login page. It seems that Tomcat 5 doesn't like two dots in the url pattern. Is this a bug? I also tried to add the following, but it didn't help: servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.sec.do/url-pattern /servlet-mapping Thanks, Cecile Mercado - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: problem with security-constraint with Tomcat 5
Thanks for the suggestion, Yoav. I looked but I didn't see anything that stated that a url pattern with 2 dots is illegal. - Cecile Mercado -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Monday, October 18, 2004 9:12 AM To: Tomcat Users List Subject: RE: problem with security-constraint with Tomcat 5 Hi, Could this be something that changed (or rather, was clarified) in the Servlet Spec between version 2.3 (which Tomcat 4.x implements) and 2.4 (which Tomcat 5.x implements)? ;) Yoav Shapira http://www.yoavshapira.com -Original Message- From: Mercado . Maria [mailto:[EMAIL PROTECTED] Sent: Monday, October 18, 2004 10:08 AM To: [EMAIL PROTECTED] Subject: problem with security-constraint with Tomcat 5 I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28. We're also using Tiles and Struts 1.1. The problem is that Tomcat 5 seems to be confused with a url pattern that works with Tomcat 4. Here's the pertinent parts of web.xml (I get the same results with 2.3 or 2.4 version of web.xml): ... !-- Struts action servlet -- servlet servlet-namestrutsnav/servlet-name servlet-classorg.apache.struts.action.ActionServlet/servlet- class init-param param-nameconfig/param-name param-value/WEB-INF/conf/struts-config.xml/param-value /init-param init-param param-namevalidate/param-name param-valuetrue/param-value /init-param load-on-startup1/load-on-startup /servlet ... servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.do/url-pattern /servlet-mapping ... !-- JAAS Security Realm config -- security-constraint web-resource-collection web-resource-nameSecure Struts Actions/web-resource-name url-pattern*.sec.do/url-pattern /web-resource-collection auth-constraint role-nameGeneral User/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.do/form-login-page form-error-page/logininvalid.do/form-error-page /form-login-config /login-config security-role role-nameGeneral User/role-name /security-role ... If I try to access a sec.do Struts action, I just get a blank space in the body of the Tiles layout - I don't get the login form. If I change the url-pattern in web-resource-collection to *.do, then I get the login page. It seems that Tomcat 5 doesn't like two dots in the url pattern. Is this a bug? I also tried to add the following, but it didn't help: servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.sec.do/url-pattern /servlet-mapping Thanks, Cecile Mercado - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: problem with security-constraint with Tomcat 5
On Mon, 18 Oct 2004 10:45:23 -0400, Mercado . Maria [EMAIL PROTECTED] wrote: Thanks for the suggestion, Yoav. I looked but I didn't see anything that stated that a url pattern with 2 dots is illegal. Most systems I am aware of consider that the extension is the last dot. Otherwise, it starts adding complexity. Don't expect a fix (assuming this is indeed a valid issue, which I doubt). -- x Rémy Maucherat Developer Consultant JBoss Group (Europe) SàRL x - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: problem with security-constraint with Tomcat 5
You didn't look hard enough :) spec-quote version=2.4 section=11.1 An extension is defined as the part of the last segment after the last '.' character. /spec-quote - Original Message - From: Mercado . Maria [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Monday, October 18, 2004 7:45 AM Subject: RE: problem with security-constraint with Tomcat 5 Thanks for the suggestion, Yoav. I looked but I didn't see anything that stated that a url pattern with 2 dots is illegal. - Cecile Mercado -Original Message- From: Shapira, Yoav [mailto:[EMAIL PROTECTED] Sent: Monday, October 18, 2004 9:12 AM To: Tomcat Users List Subject: RE: problem with security-constraint with Tomcat 5 Hi, Could this be something that changed (or rather, was clarified) in the Servlet Spec between version 2.3 (which Tomcat 4.x implements) and 2.4 (which Tomcat 5.x implements)? ;) Yoav Shapira http://www.yoavshapira.com -Original Message- From: Mercado . Maria [mailto:[EMAIL PROTECTED] Sent: Monday, October 18, 2004 10:08 AM To: [EMAIL PROTECTED] Subject: problem with security-constraint with Tomcat 5 I'm looking into migrating our project from Tomcat 4.1.30 to Tomcat 5.0.28. We're also using Tiles and Struts 1.1. The problem is that Tomcat 5 seems to be confused with a url pattern that works with Tomcat 4. Here's the pertinent parts of web.xml (I get the same results with 2.3 or 2.4 version of web.xml): ... !-- Struts action servlet -- servlet servlet-namestrutsnav/servlet-name servlet-classorg.apache.struts.action.ActionServlet/servlet- class init-param param-nameconfig/param-name param-value/WEB-INF/conf/struts-config.xml/param-value /init-param init-param param-namevalidate/param-name param-valuetrue/param-value /init-param load-on-startup1/load-on-startup /servlet ... servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.do/url-pattern /servlet-mapping ... !-- JAAS Security Realm config -- security-constraint web-resource-collection web-resource-nameSecure Struts Actions/web-resource-name url-pattern*.sec.do/url-pattern /web-resource-collection auth-constraint role-nameGeneral User/role-name /auth-constraint /security-constraint login-config auth-methodFORM/auth-method form-login-config form-login-page/login.do/form-login-page form-error-page/logininvalid.do/form-error-page /form-login-config /login-config security-role role-nameGeneral User/role-name /security-role ... If I try to access a sec.do Struts action, I just get a blank space in the body of the Tiles layout - I don't get the login form. If I change the url-pattern in web-resource-collection to *.do, then I get the login page. It seems that Tomcat 5 doesn't like two dots in the url pattern. Is this a bug? I also tried to add the following, but it didn't help: servlet-mapping servlet-namestrutsnav/servlet-name url-pattern*.sec.do/url-pattern /servlet-mapping Thanks, Cecile Mercado - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] This message is intended only for the use of the person(s) listed above as the intended recipient(s), and may contain information that is PRIVILEGED and CONFIDENTIAL. If you are not an intended recipient, you may not read, copy, or distribute this message or any attachment. If you received this communication in error, please notify us immediately by e-mail and then delete all copies of this message and any attachments. In addition you should be aware that ordinary (unencrypted) e-mail sent through the Internet is not secure. Do not send confidential or sensitive information, such as social security numbers, account numbers, personal identification numbers and passwords, to us via ordinary (unencrypted) e-mail. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
problem with security manager.
I am running Tomcat4.1.30 on windows 2000, with security option turned on. My java application which is using JDK 1.4, connects to the the credit card authorizing company called verisign, and returns the approval authorization code. I have installed the digital certificate on $TOMCAT_HOME\certs directory. There are read permissions on the cert file. But still for some reason the verisign is not able to read the cert file due to the below error. RESULT=-31RESPMSG=The certificate chain did not validate, no local certificate found, java.security.AccessControlException: access denied (java.io.FilePermissi on C:\Program Files\Apache Group\Tomcat 4.1\certs read) However when i run Tomcat server without security, everything is file. Somehow tomcat is restricting the permission to read the cert file. Verisign uses Jsse.jar to do the security authentication. I have modofied both java.policy and catalina.policy to grant permission on the cert file as below. permission java.io.FilePermission C:\\Program Files\\Apache Group\\Tomcat 4.1\\certs\\-, read; But this does not help, is there anything else i should do to the server.xml file... How does the security manager runs in Tomcat4.1 Please help... - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
problem with security manager and manager webapp
Hi. I've been using the manager webapp, but after enabling the security manager (-security on tomcat startup), the manager doesn't run any longer, giving this error: type Exception report message description The server encountered an internal error () that prevented it from fulfilling this request. exception javax.servlet.ServletException: Wrapper cannot find servlet class org.apache.catalina.manager.ManagerServlet or a class it depends on And in the log file, I see that: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269) at java.security.AccessController.checkPermission(AccessController.java:401) at java.lang.SecurityManager.checkPermission(SecurityManager.java:524) at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1491) at java.lang.ClassLoader$1.run(ClassLoader.java:313) at java.security.AccessController.doPrivileged(Native Method) at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:311) at java.lang.ClassLoader.defineClass0(Native Method) at java.lang.ClassLoader.defineClass(ClassLoader.java:537) at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123) at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1677) at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:900) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1350) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1230) at org.apache.catalina.core.StandardWrapper$1.run(StandardWrapper.java:962) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:958) at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:712) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:187) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567) at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:587) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) --- In the default Catalina.policy file, I see: // libraries installed in the server directory grant codeBase file:${catalina.home}/server/- { permission java.security.AllPermission; }; Why can I not get the manager app to work with the security manager enabled? Thanks, Jason Keltz [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: problem with security manager and manager webapp
Jason Keltz wrote: Hi. I've been using the manager webapp, but after enabling the security manager (-security on tomcat startup), the manager doesn't run any longer, giving this error: type Exception report message description The server encountered an internal error () that prevented it from fulfilling this request. exception javax.servlet.ServletException: Wrapper cannot find servlet class org.apache.catalina.manager.ManagerServlet or a class it depends on And in the log file, I see that: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina) That's abug bug on our side. I will take a look latter today. As a workaround, you can do: permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina; permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina; or remove that package in catalina.properties. -- Jeanfrancois at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269) at java.security.AccessController.checkPermission(AccessController.java:401) at java.lang.SecurityManager.checkPermission(SecurityManager.java:524) at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1491) at java.lang.ClassLoader$1.run(ClassLoader.java:313) at java.security.AccessController.doPrivileged(Native Method) at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:311) at java.lang.ClassLoader.defineClass0(Native Method) at java.lang.ClassLoader.defineClass(ClassLoader.java:537) at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123) at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1677) at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:900) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1350) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1230) at org.apache.catalina.core.StandardWrapper$1.run(StandardWrapper.java:962) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:958) at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:712) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:187) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567) at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:587) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) --- In the default Catalina.policy file, I see: // libraries installed in the server directory grant codeBase file:${catalina.home}/server/- { permission java.security.AllPermission; }; Why can I not get the manager app to work with the security manager enabled? Thanks, Jason Keltz [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: problem with security manager and manager webapp
Hi Jeanfrancois, I'm not sure now if it's a bug or not. I realized that the problem is that the code in catalina.policy to allow access refers to ${catalina.home}: // These permissions apply to the container's core code, plus any additional // libraries installed in the server directory grant codeBase file:${catalina.home}/server/- { permission java.security.AllPermission; }; I had copied the server directory to CATALINA_BASE to get the manager app working a while ago. The default context for the manager app refers to ../server, which, of course wouldn't otherwise exist in CATALINA_BASE unless copied. When the conf directory along with Catalina/localhost/manager.xml was copied to CATALINA_BASE, the manager app couldn't be found. I've tried these two things and they both work: 1) Change ${catalina.home}/server to ${catalina.base}/server 2) Get rid of the server directory in CATALINA_BASE, and change the context descriptor for the manager app in the CATALINA_BASE directory to refer to the full path to the manager in CATALINA_HOME. Now, the existing security policy works. Jason. On Tue, 16 Mar 2004, Jeanfrancois Arcand wrote: Jason Keltz wrote: Hi. I've been using the manager webapp, but after enabling the security manager (-security on tomcat startup), the manager doesn't run any longer, giving this error: type Exception report message description The server encountered an internal error () that prevented it from fulfilling this request. exception javax.servlet.ServletException: Wrapper cannot find servlet class org.apache.catalina.manager.ManagerServlet or a class it depends on And in the log file, I see that: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina) That's abug bug on our side. I will take a look latter today. As a workaround, you can do: permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina; permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina; or remove that package in catalina.properties. -- Jeanfrancois at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269) at java.security.AccessController.checkPermission(AccessController.java:401) at java.lang.SecurityManager.checkPermission(SecurityManager.java:524) at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1491) at java.lang.ClassLoader$1.run(ClassLoader.java:313) at java.security.AccessController.doPrivileged(Native Method) at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:311) at java.lang.ClassLoader.defineClass0(Native Method) at java.lang.ClassLoader.defineClass(ClassLoader.java:537) at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123) at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1677) at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:900) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1350) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1230) at org.apache.catalina.core.StandardWrapper$1.run(StandardWrapper.java:962) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:958) at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:712) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:187) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567) at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:587) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) --- In the default Catalina.policy file, I see:
Re: problem with security manager and manager webapp
Jason Keltz wrote: Hi Jeanfrancois, I'm not sure now if it's a bug or not. I realized that the problem is that the code in catalina.policy to allow access refers to ${catalina.home}: // These permissions apply to the container's core code, plus any additional // libraries installed in the server directory grant codeBase file:${catalina.home}/server/- { permission java.security.AllPermission; }; I had copied the server directory to CATALINA_BASE to get the manager app working a while ago. The default context for the manager app refers to ../server, which, of course wouldn't otherwise exist in CATALINA_BASE unless copied. When the conf directory along with Catalina/localhost/manager.xml was copied to CATALINA_BASE, the manager app couldn't be found. I've tried these two things and they both work: 1) Change ${catalina.home}/server to ${catalina.base}/server 2) Get rid of the server directory in CATALINA_BASE, and change the context descriptor for the manager app in the CATALINA_BASE directory to refer to the full path to the manager in CATALINA_HOME. Now, the existing security policy works. Yes, except it is not supposed to work like that. I will try to fix it tonigh or tomorrow. Thanks -- Jeanfrancois Jason. On Tue, 16 Mar 2004, Jeanfrancois Arcand wrote: Jason Keltz wrote: Hi. I've been using the manager webapp, but after enabling the security manager (-security on tomcat startup), the manager doesn't run any longer, giving this error: type Exception report message description The server encountered an internal error () that prevented it from fulfilling this request. exception javax.servlet.ServletException: Wrapper cannot find servlet class org.apache.catalina.manager.ManagerServlet or a class it depends on And in the log file, I see that: java.security.AccessControlException: access denied (java.lang.RuntimePermission accessClassInPackage.org.apache.catalina) That's abug bug on our side. I will take a look latter today. As a workaround, you can do: permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina; permission java.lang.RuntimePermission accessClassInPackage.org.apache.catalina; or remove that package in catalina.properties. -- Jeanfrancois at java.security.AccessControlContext.checkPermission(AccessControlContext.java:269) at java.security.AccessController.checkPermission(AccessController.java:401) at java.lang.SecurityManager.checkPermission(SecurityManager.java:524) at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1491) at java.lang.ClassLoader$1.run(ClassLoader.java:313) at java.security.AccessController.doPrivileged(Native Method) at java.lang.ClassLoader.checkPackageAccess(ClassLoader.java:311) at java.lang.ClassLoader.defineClass0(Native Method) at java.lang.ClassLoader.defineClass(ClassLoader.java:537) at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123) at org.apache.catalina.loader.WebappClassLoader.findClassInternal(WebappClassLoader.java:1677) at org.apache.catalina.loader.WebappClassLoader.findClass(WebappClassLoader.java:900) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1350) at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1230) at org.apache.catalina.core.StandardWrapper$1.run(StandardWrapper.java:962) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:958) at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:712) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:187) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567) at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:587) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164) at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149) --- In the default Catalina.policy file,
problem configuring security appn with Netscape Directory Structure
hi I am trying to run the sample security example (i.e http://localhost:8080/examples/jsp/security/protected/) using netscape directory structure.I can connect to ldap but while trying to connect to the application I receive an invalid user or password error. I have successfully connected through an ldap browser. Netscape Directory server has been configured to use the SHA algorithm for encrypting the passwords.I read some previous archives which suggests that there is some problem while comparing the passwords.I have tried removing passwords but still it throws the same error. Can anyone give me some direction on this.??? I have pasted below the realm configuration and a sample entry in the ldap. I have used the sample entry given by the tomcat site. Thanks in advance Jay Realm className=org.apache.catalina.realm.JNDIRealm debug=99 connectionName=cn=tomcat,o=abc.org connectionPassword=tomcat connectionURL=ldap://abc2.xyz.org:8389/o=abc.org; roleBase=cn=roles,o=abc.org roleName=cn roleSearch=(uniqueMember={0}) roleSubtree=false userPassword=userpassword userPattern=cn={0},o=abc.org digest=SHA/ ldap entry : # Define a user named 'tomcat' dn: cn=tomcat,o=abc.org cn: tomcat userpassword: tomcat sn: Tomcat User objectClass: person -- To unsubscribe: mailto:[EMAIL PROTECTED] For additional commands: mailto:[EMAIL PROTECTED] Troubles with the list: mailto:[EMAIL PROTECTED]
Problem with security constraints on /
Hello, Tomcat users! Earlier this week I stumbled on the following problem. I already found a solution to it but I am still not sure whether I had misconfigured things or whether this is a Tomcat bug that should be filed (didn't find an existing record). Could someone with more expertise confirm if the following is correct behaviour according to servlet standard (short explanation would be nice in that case). I am using Tomcat 3.2.3. I have a servlet mapped to / (within its application context) and I have restricted the access to / using the following webapp definition. - clip - servlet servlet-namesms-dispatcher/servlet-name servlet-classfi.rossum.bg.sms.SMSDispatcher/servlet-class /servlet servlet-mapping servlet-namesms-dispatcher/servlet-name url-pattern//url-pattern /servlet-mapping security-constraint web-resource-collection web-resource-namesms-dispatcher/web-resource-name url-pattern//url-pattern /web-resource-collection auth-constraint role-namesmscore/role-name /auth-constraint /security-constraint login-config auth-methodBASIC/auth-method realm-namesmscore/realm-name /login-config - clip - However, when I point my browser at http://127.0.0.1:8080/smsdispatcher/ Tomcat lets me in without basic authentication! Now, when I do the following modification... - clip - security-constraint web-resource-collection web-resource-namesms-dispatcher/web-resource-name - url-pattern//url-pattern + url-pattern/*/url-pattern /web-resource-collection auth-constraint role-namesmscore/role-name - clip - ...everything starts working as expected and I have to provide a user name and password. Is this really how it is supposed to work? Thanks for clarifications! -- Johannes Lehtinen [EMAIL PROTECTED], http://www.iki.fi/jle/