http://jakarta.apache.org/tomcat/tomcat-5.5-doc/realm-howto.html
Is a start, but doesn't give a how to.
From the web.xml for the examples with added comments.


   <!--Starts the section. Located after jsp-config near end of file-->
   <security-constraint>
     <!--A description for identification by you. In real world might be Salesmen Area. Or Admin Only-->
     <display-name>Example Security Constraint</display-name>
     <web-resource-collection>
       <web-resource-name>Protected Area</web-resource-name>
       <!-- Define the context-relative URL(s) to be protected (* may only be used at end of string)-->
       <!--Follows file structure in the app. If you need different areas for different people, place in peer folders.-->
       <url-pattern>/security/protected/*</url-pattern>
       <!-- If you list http methods, only those methods are protected -->
       <http-method>DELETE</http-method>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       <http-method>PUT</http-method>
     </web-resource-collection>
     <auth-constraint>
       <!-- Anyone with one of the listed roles may access this area -->
       <role-name>tomcat</role-name>
       <role-name>role1</role-name>
     </auth-constraint>
   </security-constraint>


If you had another area to protect and its location was in /security/safe, then create another complete security-constraint and use /security/safe/* as the url-pattern. Then define the role-name for this area, for example:

        <role-name>tomcat</role-name>
        <role-name>role2</role-name>

This allows a user of role tomcat to access both areas but only role2 can get pages from safe.

Then define the roles.
   <!-- Security roles referenced by this web application -->
   <security-role>
     <role-name>role1</role-name>
   </security-role>
   <security-role>
     <role-name>role2</role-name>
   </security-role>
   <security-role>
     <role-name>tomcat</role-name>
   </security-role>

Now where Tomcat goes to look up the user/password to determine the role depends on the method you choose as discussed in the link.

If I have foobarred something, hopefully someone will be nice and correct me nicely.

Doug
www.parsonstechnical.com
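
An added example, not part of the original post and not Tomcat code: a short Python check that reads the two constraints described above and reports which roles a given request needs, including the case where the method is not listed. The function names are hypothetical, the sample web.xml is constructed from the post (web-resource-name omitted for brevity), and it assumes only exact and /prefix/* patterns and that every constraint names roles.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two protected areas described in the post.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/security/protected/*</url-pattern>
      <http-method>DELETE</http-method><http-method>GET</http-method>
      <http-method>POST</http-method><http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name><role-name>role1</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/security/safe/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tomcat</role-name><role-name>role2</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def _texts(elem, path):
    return [e.text.strip() for e in elem.findall(path)]

def load_constraints(xml_text):
    """Return (url_patterns, methods, roles) for each security-constraint."""
    root = ET.fromstring(xml_text)
    return [(_texts(sc, "web-resource-collection/url-pattern"),
             set(_texts(sc, "web-resource-collection/http-method")),
             set(_texts(sc, "auth-constraint/role-name")))
            for sc in root.findall("security-constraint")]

def _matches(pattern, path):
    # Simplification: only exact and "/prefix/*" patterns are handled.
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def required_roles(constraints, path, method):
    """Roles allowed for this request, or None if no constraint covers it."""
    roles, covered = set(), False
    for patterns, methods, allowed in constraints:
        # No <http-method> listed means every method is covered.
        if any(_matches(p, path) for p in patterns) and (not methods or method in methods):
            roles |= allowed
            covered = True
    return roles if covered else None
```

A result of None means the request is not covered by any constraint, which is what happens for a HEAD request to /security/protected/ with the method list as posted.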




----- Original Message -----
From: "Jeff Ousley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 02, 2004 3:24 PM
Subject: basic security tutorial



hello!

does anyone know if there's a tutorial or reference on how to set up
basic security using tomcat (5.5)? i'd like to get a better
understanding of how to secure particular pages in a webapp.

thanks!

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





