Greetings -
I am using Tomcat 5.5. I would like to be able to specify different
authentication rules for different url patterns within my web
application. For example in my web.xml file I might have:
<security-constraint>
<web-resource-collection>
<web-resource-name>fnoc1</web-resource-name>
<url-pattern>/s4/nc/fnoc1.txt</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>fn1</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>fnoc2</web-resource-name>
<url-pattern>/s4/nc/fnoc2.txt</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>fn2</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>MyApplicationRealm</realm-name>
</login-config>
Where the the security roles fn1 and fn2 have no common members.
The complete URIs would be:
http://localhost:8080/mycontext/s4/nc/fnoc1.txt
http://localhost:8080/mycontext/s4/nc/fnoc2.txt
Now - this works, for clients that aren't too smart - i.e. they don't
cache anything.
However, if I try it with a browser, once I authenticate for one URI,
then I am locked out of the other one until I successfully "reset"
the browser (purge all caches).
I think the reason is as follows:
In the exchange between Tomcat and the client, Tomcat is sending the
header:
WWW-Authenticate: Basic realm="MyApplicationRealm"
And the client authenticates. When the second URI is accessed Tomcat
sends the the same authentication challenge, with the same WWW-
Authenticate header. The client, having recently authenticated to
this realm-name, resends the authentication information, and, since
it's not valid for that url pattern, the request is denied.
My questions:
- Is that why the browsers are locking out the one URL after the
other has been authenticated?
- Is there a way that I can get Tomcat to give me finer
authentication granularity than this?
- In my reading of the Servlet Specification I didn't see that a
particular webapp couldn't associate multiple authentication realms
with multiple url-patterns. It seems that in the Tomcat world a
webapp appears to be a synonym for a single authentication realm, as
expressed in the HTTP header "WWW-Authenticate". Is that true?
- Is the only way that I can get finer granularity to handle the
authentication in my webapp or in a custom javax.servlet.Filter?
- I have only experimented with BASIC authentication. Do DIGEST and
FORM based authentication allow for different behavior w.r.t. the
<realm-name> attribute in the <login-confg>?
Thanks in advance for your time and input,
Nathan
========================================================
Nathan Potter Oregon State University, COAS
[EMAIL PROTECTED] 104 Ocean. Admin. Bldg.
541 737 2293 voice Corvallis, OR 97331-5503
541 737 2064 fax
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]