On 24/08/17 20:43, James H. H. Lampert wrote:
> On 8/24/17, 11:35 AM, Mark Thomas wrote:
>
>> Tomcat will prevent access to anything in WEB-INF or META-INF.
>> Everything else is up to the app to control.
>>
>> Note: You can place content in WEB-INF and include it from JSPs and
>> Servlets (and it will work) but direct access will not.
>>
>> You might want to take a look in the Servlet spec for security
>> constraints.
>
> Thanks. I've just discovered security constraints, along with some
> material on StackExchange's ServerFault board demonstrating how to
> create them. It's taken a very large load off my back.
>
> So far, I've only scratched the surface of the subject.
>
> Am I correct in understanding that a security constraint in a context's
> web.inf only blocks access from outside? That the webapp itself still
> has full access to the information?
Correct.

> And that if I give it a role name that hasn't been given to anybody in
> tomcat-users.xml, then nobody can get in at all?

Yes, but even simpler (and with the intention clearer): <auth-constraint/>
means deny all access.

> Can I set up a security constraint to just unconditionally deny all
> outside access, without even offering a sign-on dialog?

If you use the syntax above, yes. Tomcat will return a 403 in this case.
If you specify a role no user has, you'll get an authentication dialogue.

I can't recommend reading chapter 13 of the servlet spec, particularly
section 13.8, enough.

Mark
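The three outcomes Mark distinguishes (empty <auth-constraint/> gives a 403 with no challenge; a role nobody holds gives a login prompt nobody can pass; no <auth-constraint> leaves the pattern open) can be checked mechanically before deployment. The script below is an added example written for this thread, not code from Tomcat or from either poster. It parses a constructed sample web.xml and tomcat-users.xml (both embedded inline, with a placeholder password) and reports, per <security-constraint>, what an outside client will see. The handling of the "*" and "**" role names is a simplification (treated as satisfiable whenever any user exists); the function and sample names are the example's own.

```python
"""Classify Servlet <security-constraint> elements by their effect on an
outside client, following Servlet spec chapter 13 (added example; the XML
documents below are constructed sample input, not real deployments)."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml: deny-all, role-gated, and unsatisfiable-role
# constraints. WEB-INF/META-INF need no constraint: the container already
# refuses direct client access to them (server-side includes still work).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>templates</web-resource-name>
      <url-pattern>/templates/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>nobody-has-this</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>manager</role-name></security-role>
</web-app>
"""

# Constructed sample tomcat-users.xml (source for the default UserDatabaseRealm).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager"/>
  <user username="alice" password="placeholder-not-a-real-secret" roles="manager"/>
</tomcat-users>
"""


def _local(tag):
    """Strip an XML namespace: '{uri}role-name' -> 'role-name'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _descendants(elem, name):
    return [c for c in elem.iter() if _local(c.tag) == name]


def realm_roles(tomcat_users_xml):
    """Roles actually held by at least one <user> in tomcat-users.xml."""
    root = ET.fromstring(tomcat_users_xml)
    held = set()
    for user in _descendants(root, "user"):
        held.update(r.strip() for r in user.get("roles", "").split(",") if r.strip())
    return held


def classify_constraints(web_xml, held_roles):
    """Return [(url_patterns, verdict, roles)] for each <security-constraint>."""
    root = ET.fromstring(web_xml)
    results = []
    for sc in _children(root, "security-constraint"):
        patterns = tuple(p.text.strip() for p in _descendants(sc, "url-pattern"))
        auth = _children(sc, "auth-constraint")
        if not auth:
            # No <auth-constraint>: the pattern is open to any client.
            verdict, roles = "unconstrained", ()
        else:
            roles = tuple(r.text.strip() for r in _children(auth[0], "role-name"))
            if not roles:
                # <auth-constraint/>: deny everyone; Tomcat answers 403, no challenge.
                verdict = "deny-all-403"
            elif any(r in ("*", "**") for r in roles) and held_roles:
                verdict = "login-required"   # simplification, see lead-in
            elif any(r in held_roles for r in roles):
                verdict = "login-required"
            else:
                # A challenge is issued, but no realm user can ever satisfy it.
                verdict = "login-required-but-unsatisfiable"
        results.append((patterns, verdict, roles))
    return results


if __name__ == "__main__":
    held = realm_roles(SAMPLE_TOMCAT_USERS)
    for patterns, verdict, roles in classify_constraints(SAMPLE_WEB_XML, held):
        print(f"{', '.join(patterns):20} {verdict:35} roles={list(roles)}")
```

Run it against a real web.xml and tomcat-users.xml (or whatever feeds your realm) as a pre-deployment check: "login-required-but-unsatisfiable" almost always means someone wanted the 403 behaviour and should have written <auth-constraint/> instead.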
