security-constraint question/problem
I am trying to configure my application so that everything has to be encrypted. I was able to do that by using the security constraint at the bottom of this message. I've had this working for a while without a problem.

However, now, I want to add an additional restriction. I want to make it so that users can't access .jsp files directly. So, I added an additional security-constraint. However, it doesn't work. The only way I can get the .jsp constraint to work is if I comment out the other one. I've tried changing the order of the constraints and that doesn't make a difference.

What am I doing wrong? Why doesn't it merge the two constraints together? It appears to just pick the most general case and go with that one.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>x</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint/>
    </security-constraint>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>y</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Jon
Re: security-constraint question/problem
Jonathan Eric Miller wrote:

> I am trying to configure my application so that everything has to be encrypted. I was able to do that by using the security constraint at the bottom of this message. I've had this working for a while without a problem. However, now, I want to add an additional restriction. I want to make it so that users can't access .jsp files directly. So, I added an additional security-constraint. However, it doesn't work. The only way I can get the .jsp constraint to work is if I comment out the other one. I've tried changing the order of the constraints and that doesn't make a difference.

Since changing the order doesn't do anything, I'm assuming that you are using Tomcat 5.

> What am I doing wrong? Why doesn't it merge the two constraints together? It appears to just pick the most general case and go with that one.

It actually will just pick the most specific case: However, in the Servlet-Spec, '/*' is more specific than '*.jsp'. There really isn't much that Tomcat can do about it, since the 2.4 Servlet-Spec is very specific about how security-constraints are evaluated.

My advice is to try and understand the security model in the Servlet-Spec, and then try and work out how to apply it to your specific case. It's likely going to be ugly :(.
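The selection rule the reply refers to can be traced with a small stand-alone program. This is an added example, not code from the thread or from Tomcat; it assumes the Servlet 2.4 mapping order (exact match, then longest path prefix, then extension, then default), and the `/jsp/` directory is a hypothetical layout.

```java
import java.util.Arrays;
import java.util.List;

/** Added illustration of best-match url-pattern selection; not Tomcat's code. */
public class ConstraintMatch {

    /** Returns the url-pattern whose constraints apply to the path, or null. */
    static String bestMatch(String path, List<String> patterns) {
        // 1. An exact match wins.
        for (String p : patterns) {
            if (p.equals(path)) return p;
        }
        // 2. Longest path-prefix pattern ("/dir/*"); "/*" matches every path.
        String best = null;
        for (String p : patterns) {
            if (!p.startsWith("/") || !p.endsWith("/*")) continue;
            String prefix = p.substring(0, p.length() - 2);   // "/*" -> ""
            boolean hit = path.equals(prefix) || path.startsWith(prefix + "/");
            if (hit && (best == null || p.length() > best.length())) best = p;
        }
        if (best != null) return best;
        // 3. An extension pattern ("*.ext") is consulted only if no prefix matched.
        int dot = path.lastIndexOf('.');
        if (dot > path.lastIndexOf('/')) {
            String ext = "*" + path.substring(dot);
            if (patterns.contains(ext)) return ext;
        }
        // 4. Default pattern.
        return patterns.contains("/") ? "/" : null;
    }

    public static void main(String[] args) {
        // The two patterns from the question: "*.jsp" can never be selected,
        // because "/*" already matches every path at step 2.
        List<String> asPosted = Arrays.asList("*.jsp", "/*");
        // Hypothetical layout: JSPs moved under /jsp/ and constrained by prefix.
        List<String> byPrefix = Arrays.asList("/jsp/*", "/*");

        String[][] cases = { { "/menu.jsp", "posted" }, { "/jsp/menu.jsp", "prefix" },
                             { "/index.html", "prefix" } };
        for (String[] c : cases) {
            List<String> set = c[1].equals("posted") ? asPosted : byPrefix;
            System.out.println(c[0] + " with " + set + " -> " + bestMatch(c[0], set));
        }
    }
}
```

Since only the constraints declared on the selected pattern are applied, a `/jsp/*` constraint in such a layout would need its own `user-data-constraint` for those paths to remain CONFIDENTIAL.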
security-constraint question
I have a web application which uses a security-constraint in the deployment descriptor. My lone url-pattern in my web-resource-collection is for my welcome page. This has worked well enough.

However, now I wish to access a specific URL, a servlet that produces pdf documents, bypassing the welcome page. My feeling is that this should be added as another url-pattern. However, doing so causes the File Download dialog.

    ...
    File name: pdf
    File type: Adobe Acrobat Control for ActiveX
    From: server
    ...

Trying to open or save produces an error dialog that states that the requested site is either unavailable or cannot be found.

Prior to me adding the url to the servlet, this was not a problem. The pdf simply opened in the adobe plug-in. I'm merely setting the content type to the mime type (application-pdf) and the output stream to the document. Perhaps I need to set more header info, or perhaps my web.xml is wrong.

Thanks for the help.

My web.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/j2ee/dtds/web-app_2_3.dtd">
    <web-app>
      <display-name>Digital OR Assistant</display-name>
      <description>DORA is a multimedia database supporting the OR of the future.</description>

      <filter>
        <filter-name>Set Character Encoding</filter-name>
        <filter-class>com.snn.util.filters.SetCharacterEncodingFilter</filter-class>
        <init-param>
          <param-name>encoding</param-name>
          <param-value>UTF-8</param-value>
        </init-param>
      </filter>
      <filter>
        <filter-name>Timeout Check Filter</filter-name>
        <filter-class>com.snn.util.filters.TimeoutCheckFilter</filter-class>
      </filter>

      <filter-mapping>
        <filter-name>Set Character Encoding</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <filter-mapping>
        <filter-name>Timeout Check Filter</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>

      <listener>
        <listener-class>com.snn.util.listeners.SessionManager</listener-class>
      </listener>

      <servlet>
        <servlet-name>Dora</servlet-name>
        <display-name>Dora</display-name>
        <jsp-file>/index.jsp</jsp-file>
        <init-param>
          <param-name>dora.propertyFile</param-name>
          <param-value>C:/Program Files/DORAweb/conf/dora.properties</param-value>
        </init-param>
        <init-param>
          <param-name>dora.version</param-name>
          <param-value>1.2.0</param-value>
        </init-param>
        <security-role-ref>
          <role-name>surgeon</role-name>
          <role-link>1</role-link>
        </security-role-ref>
        <security-role-ref>
          <role-name>non-surgeon</role-name>
          <role-link>2</role-link>
        </security-role-ref>
        <security-role-ref>
          <role-name>admin</role-name>
          <role-link>3</role-link>
        </security-role-ref>
      </servlet>

      <servlet>
        <servlet-name>MediaContentHandler</servlet-name>
        <display-name>Media Content Handler</display-name>
        <description>Handler for retrieving and storing media files into DORA</description>
        <servlet-class>com.snn.multimedia.ui.MediaContentHandler</servlet-class>
        <init-param>
          <param-name>dora.propertyFile</param-name>
          <param-value>C:/Program Files/DORAweb/conf/dora.properties</param-value>
        </init-param>
        <init-param>
          <param-name>dora.version</param-name>
          <param-value>1.2.0</param-value>
        </init-param>
        <security-role-ref>
          <role-name>surgeon</role-name>
          <role-link>1</role-link>
        </security-role-ref>
        <security-role-ref>
          <role-name>non-surgeon</role-name>
          <role-link>2</role-link>
        </security-role-ref>
        <security-role-ref>
          <role-name>admin</role-name>
          <role-link>3</role-link>
        </security-role-ref>
      </servlet>

      <servlet>
        <servlet-name>DownloadCase</servlet-name>
        <display-name>Download Case</display-name>
        <description>Handler for downloading case files from DORAweb to client</description>
        <servlet-class>com.snn.multimedia.ui.DownloadCase</servlet-class>
        <init-param>
          <param-name>dora.propertyFile</param-name>
          <param-value>C:/Program Files/DORAweb/conf/dora.properties</param-value>
        </init-param>
        <init-param>
          <param-name>dora.version</param-name>
          <param-value>1.2.0</param-value>
        </init-param>
        <security-role-ref>
          <role-name>surgeon</role-name>
          <role-link>1</role-link>
        </security-role-ref>
        <security-role-ref>
          <role-name>non-surgeon</role-name>
          <role-link>2</role-link>
        </security-role-ref>
        <security-role-ref>
          <role-name>admin</role-name>
          <role-link>3</role-link>
        </security-role-ref>
      </servlet>

      <servlet-mapping>
        <servlet-name>Dora</servlet-name>
        <url-pattern>/index.jsp</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>MediaContentHandler</servlet-name>
        <url-pattern>/MediaContentHandler</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
        <servlet-name>DownloadCase</servlet-name>
        <url-pattern>/DownloadCase</url-pattern>
      </servlet-mapping>

      <session-config>
        <session-timeout>-1</session-timeout>
      </session-config>

      <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
security-constraint question
Hi everybody,

I'm using the security-constraint feature of Tomcat. Everything works well, but I don't know how to retrieve the login entered during authentication to use it throughout my application... Have you guys done this before?

thx

My login page is specified in my web.xml:

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>Autenticacao</realm-name>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/errorpage.html</form-error-page>
      </form-login-config>
    </login-config>
Re: security-constraint question
First of all, I am not sure that you need realm-name in the web.xml if you use form-based authentication.

You may use getRemoteUser() to get the name of the user.
Re: security-constraint question
Giselle,

> I'm using the security-constraint feature of Tomcat. Everything works well, but I don't know how to retrieve the login entered during authentication to use it throughout my application... Have you guys done this before?

What you want is request.getUserPrincipal(). This will return a java.security.Principal object. You can get the name by calling getName() on that object.

Unfortunately, you can't get the role or roles for the user. You have to know the roles beforehand and then use request.isUserInRole to determine whether they are or are not in a given role. :(

-chris
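A servlet filter that applies the calls named in this reply, shown as an added example rather than code from the thread. It assumes the `javax.servlet` API of that Tomcat generation; the role names and the attribute names `currentUser` and `currentRoles` are hypothetical. In a JSP, the implicit `request` object is the same `HttpServletRequest` instance.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Added example: exposes the authenticated login and its roles to the application. */
public class CurrentUserFilter implements Filter {

    // Hypothetical role names. The request API cannot list a user's roles,
    // so the application has to name every role it wants to test.
    private static final String[] KNOWN_ROLES = { "admin", "user" };

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // The container hands in the live request object; the methods are
        // called on this instance, never on the class name.
        HttpServletRequest request = (HttpServletRequest) req;

        // getUserPrincipal() returns null when the user has not been authenticated.
        Principal principal = request.getUserPrincipal();
        if (principal != null) {
            List<String> roles = new ArrayList<String>();
            for (String role : KNOWN_ROLES) {
                if (request.isUserInRole(role)) roles.add(role);
            }
            request.setAttribute("currentUser", principal.getName());
            request.setAttribute("currentRoles", Collections.unmodifiableList(roles));
        }
        chain.doFilter(req, res);
    }
}
```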
Re: security-constraint question
See the HttpServletRequest class. (getRemoteUser() or getUserPrincipal())

-Tim
Re: security-constraint question
I'm having a hard time calling those methods, I guess I need to create an object, does anyone have sample code?

Here's what I'm getting now:

    F:\jakarta-tomcat-4.1.27\work\Standalone\localhost\locadora\menu_jsp.java:58 : non-static method getUserPrincipal() cannot be referenced from a static context
    java.security.Principal usuarioPrincipal = HttpServletRequestWrapper.getUserPrincipal();

I guess I need to create a HttpServletRequestWrapper object, but the constructor expects a ServletRequest request, and I'm kind of lost as to what that would be.
Re: security-constraint question
Thanks guys, I got it...