Setting up security in tomcat

 
Roger Yates
Ranch Hand
Posts: 118
I'm trying to test out some of the security aspects mentioned in HFS, but have not yet managed to persuade Tomcat 5.0.28 to prompt me for security or disallow me from doing anything.
My DD has the following:


The file tomcat-users.xml has the above roles defined. I've tried stop/starting Tomcat to no avail.

Invoking localhost:8080/testSec/myTest.do merrily gives me access when I thought <auth-constraint></auth-constraint> should deny it all.

Have I missed something?
 
Praful Thakare
Ranch Hand
Posts: 643
I guess you missed the dot (.) between myTest and * in
<url-pattern>/myTest*</url-pattern>

Just a wild guess... let me know if it works after the above fix.

Cheers
Praful
 
Roger Yates
Ranch Hand
Posts: 118
Being a pattern match it ought to work either way. Nevertheless, I tried it and still no joy.
 
Kathy Sierra
Cowgirl and Author
Rancher
Posts: 1589
Howdy--
I think your URL pattern is still not quite right...

You really need to use one of these three types:

1) Exact match /MyApp/myTest.do

2) Directory match /MyApp/SomeSubDir/* <-- so, you need a slash before the star

3) Extension match *.do <-- everything with a .do extension

So I think you can't do /myTest* or /myTest.* Can you try one of the options above and see if you can get it to work?

Cheers (good luck)
-Kathy
 
Romy Huang
Ranch Hand
Posts: 35
1. /myTest.do
2. *.do

1,2 should work.

3. I don't know how to put the directory match. Anyone who knows, please tell me. Thanks.
 
Roger Yates
Ranch Hand
Posts: 118
Thanks everyone! It finally works!
After all the stop/starts, I think I'm going to rename Tomcat "Yo-yo"

Results of my investigations of your suggestions follow:

Here's a reminder of my app structure:
  • /webapps/testSec/testPage.html
  • /webapps/testSec/subdir/testDir.html
  • servlet mapped to /myTest.do (and also mapped to /subdir/myTest.do)

And here's a list of what worked, and some of what didn't:

Successes:
  • /myTest.do
  • /*
  • *.do
  • /subdir/*
  • /subdir/testDir.html

Failures:
  • /myTest* (Accepted but doesn't work)
  • /myTest.* (Accepted but doesn't work)
  • /testSec/myTest.do (Accepted but doesn't work)
  • /*.do (IllegalArgumentException - Invalid <url-pattern>)
  • /subdir/*.do (IllegalArgumentException - Invalid <url-pattern>)
  • /testDir.html (testDir.html is in subdirectory)
  • /testDir.* (Accepted but doesn't work)
  • /subdir/testDir.* (Accepted but doesn't work)
  • /testSec/subdir/testDir.html (testSec is the dir under Tomcat webapps)

So 'patterns' aren't quite what I thought (I was thinking of * being a wild-card like file paths). These patterns, though, are simply extension matches or directory matches but *not* pattern matches.

Here's my summary of what's allowed:
1. Exact match (including named directory, but not web-app name.)
   e.g. /fred.html or /mySubDir/fred.html
2. Directory match (exact path to directory, appended with "/*".)
   e.g. /* or /mySubDir/* (N.B. /* also protects subdirs)
3. Extension match (no leading "/")
   e.g. *.do (N.B. /*.do does not work)

Hope the above proves a useful reference!
... and for me - I get to see the logon box at last!

Romy,
I can now confidently say in answer to your directory match question: "/yourdir/*" will do the trick!
[ October 19, 2004: Message edited by: Roger Yates ]
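A small checker, added here and not taken from the thread or from Tomcat, that models the three servlet-spec url-pattern kinds (exact, directory, extension) and the accept/reject behaviour Roger reports; the resource list is constructed from his app structure. The point it makes explicit is the fail-open case: a pattern such as /myTest* deploys without error yet protects nothing, which is exactly what a deployment check should flag.

```python
# Constructed from the app structure listed above: the request paths that exist
# relative to the web-app context (the context name /testSec is not part of them).
RESOURCES = ["/testPage.html", "/subdir/testDir.html", "/myTest.do", "/subdir/myTest.do"]


def is_valid_pattern(pattern: str) -> bool:
    """Model of the 'Invalid <url-pattern>' cases reported in the thread (assumption,
    not Tomcat's own code): an extension pattern may not contain '/', and a
    path pattern may not contain '*.' (so /*.do and /subdir/*.do are rejected)."""
    if pattern.startswith("*."):
        return "/" not in pattern
    return pattern.startswith("/") and "*." not in pattern


def matches(pattern: str, path: str) -> bool:
    """Servlet-spec constraint matching. Anything that is neither a directory
    pattern (/dir/*) nor an extension pattern (*.ext) is an exact match, which is
    why /myTest* and /myTest.* are 'accepted but don't work'."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]                      # '/subdir/*' -> '/subdir'; '/*' -> ''
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])          # '*.do' -> '.do'
    return path == pattern


def protected_resources(pattern: str) -> list:
    """Which known resources a security-constraint pattern would cover."""
    if not is_valid_pattern(pattern):
        raise ValueError(f"Invalid <url-pattern> {pattern}")
    return [r for r in RESOURCES if matches(pattern, r)]


def silent_noops(patterns) -> list:
    """Patterns that deploy without error but cover no known resource: the
    fail-open misconfiguration that only shows up when the logon box never appears."""
    return [p for p in patterns if is_valid_pattern(p) and not protected_resources(p)]


if __name__ == "__main__":
    for p in ["/myTest.do", "/*", "*.do", "/subdir/*", "/myTest*", "/myTest.*", "/testSec/myTest.do"]:
        print(f"{p:20} -> {protected_resources(p)}")
    print("silently unprotected:", silent_noops(["/myTest*", "/myTest.*", "/testSec/myTest.do"]))
```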
 
Nicholas Cheung
Ranch Hand
Posts: 4982
The pattern matching in the request URL is quite tricky in fact. It is not that obvious to know which patterns work and which don't.

Practicing (or even trial and error) is the best way to learn.

Nick