On 18/08/2010 14:06, K A wrote:
> 
> Ah, so the web.xml in /tomcat/conf has nothing to do with the issue - it's 
> only the web.xml in the project itself?

Authentication should be configured on an app-by-app basis, not in the
default web.xml, so yes, that's correct.

> I just read that Tomcat does not allow write access to directories. 

Why would it?  Special configuration/functionality is, as André
explained, required to enable such a function on most web servers;
Tomcat is no exception.

> So I guess my main issue in my question is of no concern then, as the users 
> don't have any rights to access the files in the actual directory unless the 
> files are accessed through a servlet or jsp-page in this case? 

That depends on whether your understanding of 'access' is the same one
as the rest of us are using.

Web servers publish files to everyone (unless you restrict access), but
don't allow those files to be edited (unless you enable it).

If you want your user & admin roles to restrict the read access, employ
the correct configuration as below.


p

>> On 18/08/2010 12:16, K A wrote:
>>>
>>> In /tomcat/Webapps/Projectname/web-inf:
>>
>> Capitals matter.  WEB-INF is the correct directory name.
>>
>>> I have inserted this part:
>>> ....
>>> <!-- inserted from here -->
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>user open part</web-resource-name>
>>>     <url-pattern>/Server/user/*</url-pattern>
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>user</role-name>
>>>     <role-name>admin</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>admin closed part</web-resource-name>
>>>     <url-pattern>/Server/admin/*</url-pattern>
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>admin</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>> <login-config>
>>>   <auth-method>FORM</auth-method>
>>>   <form-login-config>
>>>     <form-login-page>/Server/index.jsp</form-login-page>
>>>     <form-error-page>/Server/index.jsp</form-error-page>
>>
>> Paths are relative.  I'd also recommend putting two separate files in a
>> location that can't be directly requested, e.g.
>>
>>   /WEB-INF/login/form.jsp
>>   /WEB-INF/login/error.jsp
>>
>>>   </form-login-config>
>>> </login-config>
>>>
>>> <security-role>
>>>   <role-name>admin</role-name>
>>> </security-role>
>>> <security-role>
>>>   <role-name>user</role-name>
>>> </security-role>
>>> <!-- inserted to here -->
>>>
>>> <servlet>
>>> ...
>>>
>>>
>>> In /tomcat/Conf/web.xml:
>>
>> Don't do that.  Also, it should be 'conf'.
>>
>>
>> p
>>
>>> I have inserted this part:
>>> .................
>>>
>>>
>>> <!-- inserted from here -->
>>>
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>user open part</web-resource-name>
>>>     <url-pattern>/Server/user/*</url-pattern>
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>user</role-name>
>>>     <role-name>admin</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>>
>>> <security-constraint>
>>>   <web-resource-collection>
>>>     <web-resource-name>admin closed part</web-resource-name>
>>>     <url-pattern>/Server/admin/*</url-pattern>
>>>   </web-resource-collection>
>>>   <auth-constraint>
>>>     <role-name>admin</role-name>
>>>   </auth-constraint>
>>> </security-constraint>
>>>
>>> <login-config>
>>>   <auth-method>FORM</auth-method>
>>>   <form-login-config>
>>>     <form-login-page>/Server/index.jsp</form-login-page>
>>>     <form-error-page>/Server/index.jsp</form-error-page>
>>>   </form-login-config>
>>> </login-config>
>>>
>>> <security-role>
>>>   <role-name>admin</role-name>
>>> </security-role>
>>> <security-role>
>>>   <role-name>user</role-name>
>>> </security-role>
>>>
>>> <!-- inserted to here -->
>>>
>>> <servlet>
>>>   <servlet-name>default</servlet-name>
>>>   <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
>>>   <init-param>
>>> ......
>>>
>>>
>>>
>>>> Date: Wed, 18 Aug 2010 12:00:39 +0100
>>>> From: p...@pidster.com
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: Configure read/write-access in TomCat
>>>>
>>>> On 18/08/2010 10:44, K A wrote:
>>>>>
>>>>> Hello
>>>>>
>>>>> I've developed a web-application in which I'd like to have some control 
>>>>> of which resources are accessed by whom. My project is called "Server" in 
>>>>> which I've got 3 directories: "/user" which all roles are allowed to 
>>>>> access, "/admin" which ONLY administrators are allowed to access and 
>>>>> "resources" in which I've got some files which users are allowed to read 
>>>>> and administrators are allowed to both read and write.
>>>>>
>>>>> I'm using a FORM to login. The form action is "POST" and the action is 
>>>>> "j_security_check", the username field's name is "j_username" and the 
>>>>> password field's is "j_password".
>>>>> I've implemented a security-check in the jsp-file itself where I'm 
>>>>> checking for the type of login the current user has. If the type is 
>>>>> approved then the user is allowed to access the page.
>>>>>
>>>>> But when I test the application and try to access the files in the other 
>>>>> library then I've got access no matter what. This wasn't the intention. 
>>>>>
>>>>> I've tried to follow several tutorials online but no matter what I can't 
>>>>> get it to work out the right way.
>>>>>
>>>>> I've tried to configure the web.xml manually but it doesn't work. I've 
>>>>> tried to use the "manager" through the browser but that doesn't seem to 
>>>>> deliver the possibility to set up those restrictions.
>>>>
>>>> What have you tried?
>>>>
>>>>
>>>>> Can somebody please give me a detailed walkthrough on how to achieve this?
>>>>>
>>>>> I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1. Thank you very 
>>>>> much in advance!
>>>>
>>>> Why do people think it's called 'TomCat'?  It's *Tomcat*.
>>>>
>>>>
>>>> p
>>>>
>>>>
>>>>> Best regards,
>>>>> Kenneth Andersen
>>>>> k_k_ander...@hotmail.com

Attachment: 0x62590808.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature
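The following web.xml is an added example, not the poster's file and not text from the replies above. It puts together the constraints the poster wanted (a /user area for both roles, an /admin area for admin only, a /resources area readable by both) with the corrections made in the thread: the login and error pages live under /WEB-INF/login where they cannot be requested directly, the directory name is WEB-INF, and nothing goes into conf/web.xml. It assumes the application is deployed at context path /Server; url-patterns in web.xml are relative to the context root, so the pattern for /Server/user/... is /user/*, not /Server/user/*. The servlet 2.5 schema is used because Tomcat 6.0 implements that version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for an app deployed at context /Server.
     Not the original poster's file; assumptions are noted inline. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- url-patterns are context-relative: /user/*, not /Server/user/*.
       No http-method is listed, so each constraint covers every method. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user area</web-resource-name>
      <url-pattern>/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Shared files under /resources: readable by both roles once logged in.
       Writing through HTTP is not enabled here; the default servlet only
       serves files unless it is explicitly configured to accept writes. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>shared resources</web-resource-name>
      <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <!-- under WEB-INF: the container can forward to these pages,
           but a browser cannot request them directly -->
      <form-login-page>/WEB-INF/login/form.jsp</form-login-page>
      <form-error-page>/WEB-INF/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- one security-role element per role -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

The form in /WEB-INF/login/form.jsp posts to j_security_check with the j_username and j_password fields, exactly as the poster describes; which users hold which role is decided by the Realm configured for the container, not by web.xml (in a stock Tomcat 6 install that is the UserDatabaseRealm backed by conf/tomcat-users.xml). A quick check that the constraints are doing the work: an unauthenticated request for anything under /Server/user/ should be redirected to the login form, and a request for /Server/admin/ by a user holding only the user role should get a 403. Unlike the check the poster wrote into the jsp, these constraints also cover plain files served by the default servlet, which is why the "other library" was reachable before.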
