
Can authentication in Tomcat rely on servlet name and/or querystring?

 
Andy Westley
Greenhorn
Posts: 19
Haven't ever bothered to use Tomcat authentication before, but am having trouble configuring my web.xml. I've included the relevant bits of my web.xml below.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure bits of webchecker</web-resource-name>
        <description>pages which require login</description>

        <url-pattern>/*</url-pattern>
        <!--
        <url-pattern>/controller.servlet</url-pattern>
        <url-pattern>/controller.servlet?action=SomeSecureActivity</url-pattern>
        -->
    </web-resource-collection>
    <auth-constraint>
        <description>Must authenticate before querying the system</description>
        <role-name>webchecker-admin</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
</login-config>

<security-role>
    <description>Any user of the system</description>
    <role-name>webchecker-admin</role-name>
</security-role>

I think I've managed to secure everything using a url-pattern of /* (I get challenged for password).

But when I try to go a bit further and use /controller.servlet as a url-pattern I seem to be able to get to the servlet unchallenged.

More specifically, because I'd like to restrict access to particular actions, if I use the url-pattern of /controller.servlet?action=SomeSecureActivity I get through unchallenged again.

Can anyone tell me whether I should be able to use a servlet name and even bits of the querystring?

Cheers
aw
 
Michael Ku
Ranch Hand
Posts: 510
Would you publish the servlet mapping portion of the web.xml, please?

Thank you
 
Christophe Verré
Sheriff
Posts: 14691
Your security mapping looks fine. I suspect that you have already successfully logged in once. If so, your session is probably still hanging, so you'll have to clear it (log out) otherwise you'll be seen as authorized. Firefox has an option to clear already authenticated sessions.
 
Andy Westley
Greenhorn
Posts: 19
Me again,

Here's the servlet mapping bit of my web.xml

<servlet-mapping>
    <servlet-name>ConfigServlet</servlet-name>
    <url-pattern>/config.servlet</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>ControllerServlet</servlet-name>
    <url-pattern>/controller.servlet</url-pattern>
</servlet-mapping>

I did kill all my sessions and try again, but with my security stuff as below:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Secure bits of webchecker</web-resource-name>
        <description>pages which require login</description>

        <url-pattern>/controller.servlet?action=PrepareAddFormAction</url-pattern>
        <!--
        <url-pattern>/controller.servlet?action=PrepareAddFormAction</url-pattern>
        <url-pattern>/controller.servlet?action=PrepareEditFormAction</url-pattern>
        <url-pattern>/controller.servlet?action=PrepareDeleteFormAction</url-pattern>
        <url-pattern>/controller.servlet?action=AddJobAction</url-pattern>
        <url-pattern>/controller.servlet?action=EditJobAction</url-pattern>
        <url-pattern>/controller.servlet?action=DeleteJobAction</url-pattern>
        -->
    </web-resource-collection>
    <auth-constraint>
        <description>Must authenticate before querying the system</description>
        <role-name>webchecker-admin</role-name>
    </auth-constraint>
</security-constraint>

I seem to have unrestricted access to the PrepareAddFormAction.

I thought this was the simple way to do it. I'm in danger of it being quicker to write a filter and load security details manually!

Thanks for the help though, chaps. Any other ideas?
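The thread never gets a direct answer, so here is the relevant fact and an added example that is not code from any poster: the servlet specification matches <url-pattern> against the request path only (context path stripped), so the query string, and with it ?action=..., can never be part of a security constraint, which is exactly why /controller.servlet?action=PrepareAddFormAction was never enforced. Per-action restriction is done with the filter Andy mentions; this hypothetical ActionAuthFilter assumes a Servlet 3.0+ container (Tomcat 7 or later) so it can call request.authenticate() to trigger the BASIC challenge declared in the thread's <login-config>.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter, not from the thread: url-pattern cannot see the query
 *  string, so per-action authorization for /controller.servlet is done here.
 *  Assumes Servlet 3.0+ (Tomcat 7+) for request.authenticate(), which triggers
 *  the BASIC challenge declared in web.xml's login-config. */
public class ActionAuthFilter implements Filter {
    // The actions the poster wanted restricted (Set.of needs Java 9+).
    private static final Set<String> ADMIN_ACTIONS = Set.of(
            "PrepareAddFormAction", "PrepareEditFormAction", "PrepareDeleteFormAction",
            "AddJobAction", "EditJobAction", "DeleteJobAction");
    private static final String REQUIRED_ROLE = "webchecker-admin";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String action = request.getParameter("action");
        if (action == null || !ADMIN_ACTIONS.contains(action)) {
            chain.doFilter(req, res);   // not a restricted action: pass through
            return;
        }
        // Restricted action with no login yet: ask the container to challenge.
        // authenticate() returning false means the 401 has already been sent.
        if (request.getUserPrincipal() == null && !request.authenticate(response)) {
            return;
        }
        // Logged in but without the role: refuse instead of falling through.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map it in web.xml with a <filter-mapping> whose <url-pattern> is /controller.servlet; the existing <login-config> and <security-role> entries stay as they are, and the <security-constraint> can be dropped or kept for paths that should always require a login.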
 