Exclude url from authorized access-web.xml

 
Greenhorn
Posts: 2
Hi All,

I have an issue with allowing access to a page which is secured using Active Directory authentication. I want some pages/content to be excluded from this. Following is my web.xml file under conf of Tomcat.




As per my understanding, this should allow URLs containing "update" and allow other pages only with AD credentials. But this is not working for me now. It's asking for the credentials even for the URL with "update".

Tomcat Version: 7
Env: Linux
URL: http://myserver.com:8080/solar/index.jsp. Here it's asking for the credentials, which is fine and as expected.

URL with "update" in the address: http://myserver.com:8080/solar/site/update. When I access this URL, it's still asking for the credentials.

I am not really sure why this is happening. Could anyone here help me with this?
 
Bartender
Posts: 1952
  • Likes 1
Well, the /update/* url-pattern only allows unsecured access to URLs that are relative to <webapp-root>/update, which in this case would be any that matches the URL http://myserver.com:8080/solar/update/<whatever>.
The pattern does not apply to the URL you want unrestricted access to: http://myserver.com:8080/solar/site/update (take note of the site portion).
My guess is you're looking for wildcard behavior that allows unrestricted access to any URL relative to the webapp-root that contains update, correct?
 
Rahul Raviz
Greenhorn
Posts: 2
Exactly, that's what I am looking for, a wildcard. But how?

I tried /solar/site/update... but nothing is happening even then. It's still asking for the credentials.
 
Jelle Klap
Bartender
Posts: 1952
That's because you're including solar in the url-pattern, which is implied as the webapp-root, and shouldn't be explicitly included.
Try changing the url-pattern to /site/update/* and you should have unrestricted access to the URL http://myserver.com:8080/solar/site/update.
Then see if you can figure out the wildcard logic for the url-pattern definition, which shouldn't be hard because you're already using it for the base restriction pattern...
 
Saloon Keeper
Posts: 27764
  • Likes 1
Rahul Raviz wrote:
As per my understanding, this should allow URLs containing "update" and allow other pages only with AD credentials. But this is not working for me now. It's asking for the credentials even for the URL with "update".

Let's clarify that a little.

The web.xml security actually has no idea whether or not AD is involved. All it does is interact with the Realm. If the Realm is AD, fine, but if I change to a JDBC Realm in the server config, the webapp logic and web.xml don't change. AD is just acting as the designated repository for userid/password verification and for role-checking for authenticated users.

The role-defining URL patterns, as Jelle has said, are "absolute" URLs, where the URL pattern does not include deployment or parametric information. In other words, a URL like "http://www.javaranch.com:8080/app372/admin/profile.jsp?arg1=a&arg2=b" would be pattern-matched using only the "/admin/profile.jsp" part of the URL. Despite this, the URL pattern is truly a URL pattern and not a resource pattern, which means that "/admin/stats" doesn't necessarily resolve to a physical file in the WAR (if it's a servlet URL pattern) and conversely that the security system cannot block access to "/images/pic1.jpg" if there are alternative URLs configured that can retrieve that resource but are not secured.
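Both Jelle's point (the url-pattern is matched against the context-relative path, so /update/* never covers /site/update, and the /solar context path must not appear in the pattern) and Tim's (the container strips host, port, context path and query string before matching, and the Realm has no say in which constraint applies) can be checked mechanically. The script below is an added example written for this thread; it is not code from the poster, from Tomcat or from the Servlet API. It parses a constructed web.xml (the poster's actual file is not shown above, so the two constraints, the /solar context path, the realm name and the role names are all assumptions), applies the Servlet-spec matching tiers that Tomcat's RealmBase uses (exact match, then longest path prefix, then extension, then the default "/") and the rules for combining auth-constraints, and classifies the two URLs from the question.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed web.xml for illustration only (the thread never shows the real
# one). The first constraint has NO <auth-constraint>, which the Servlet spec
# treats as "anyone may access"; the second requires any authenticated role
# for everything else. The realm name and context path are assumptions.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Unrestricted</web-resource-name>
      <url-pattern>/site/update/*</url-pattern>
    </web-resource-collection>
    <!--OPEN-->
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>solar</realm-name>
  </login-config>
</web-app>
"""

# Caveat variant: an EMPTY <auth-constraint/> does not mean "no restriction",
# it means "nobody may access". Same file with the open constraint changed so.
WEB_XML_DENY_ALL = WEB_XML.replace("<!--OPEN-->", "<auth-constraint/>")


def parse_constraints(web_xml):
    """Return [(url_patterns, roles)]; roles is None when <auth-constraint> is
    absent (open) and [] when it is present but names no role (deny all)."""
    root = ET.fromstring(web_xml)
    result = []
    for sc in root.findall("{*}security-constraint"):
        patterns = [p.text.strip() for p in
                    sc.findall("{*}web-resource-collection/{*}url-pattern")]
        auth = sc.find("{*}auth-constraint")          # 'is None', not truthiness
        roles = None if auth is None else [r.text.strip()
                                           for r in auth.findall("{*}role-name")]
        result.append((patterns, roles))
    return result


def match_rank(pattern, path):
    """Sort key if `pattern` covers the context-relative `path`, else None.
    Tiers as in the Servlet spec / Tomcat: exact (0) beats the longest
    path-prefix match (1), which beats an extension match (2), which beats
    the default "/" (3). Lower tuples win."""
    if pattern == path:
        return (0, 0)
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]                          # "/site/update/*" -> "/site/update"
        if path == prefix or path.startswith(prefix + "/"):
            return (1, -len(pattern))                  # longer prefix sorts first
        return None
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (2, 0)
    if pattern == "/":
        return (3, 0)
    return None


def decide(constraints, path):
    """Keep only the best-matching constraints, then combine their
    auth-constraints as the spec requires: an empty one wins (deny),
    otherwise an absent one wins (open), otherwise the roles are unioned."""
    best, applicable = None, []
    for patterns, roles in constraints:
        for pat in patterns:
            rank = match_rank(pat, path)
            if rank is None:
                continue
            if best is None or rank < best:
                best, applicable = rank, [roles]
            elif rank == best:
                applicable.append(roles)
    if not applicable:
        return ("unrestricted", frozenset())           # no constraint covers the URL
    if any(r == [] for r in applicable):
        return ("denied", frozenset())
    if any(r is None for r in applicable):
        return ("unrestricted", frozenset())
    return ("authenticate", frozenset(role for r in applicable for role in r))


def classify(web_xml, url, context_path="/solar"):
    """Strip scheme, host, port, context path and query string, as the
    container does before matching, then decide for the remaining path."""
    path = urlsplit(url).path
    if path != context_path and not path.startswith(context_path + "/"):
        raise ValueError("URL is not inside the %s webapp" % context_path)
    servlet_path = path[len(context_path):] or "/"
    return decide(parse_constraints(web_xml), servlet_path)


if __name__ == "__main__":
    for u in ("http://myserver.com:8080/solar/index.jsp",
              "http://myserver.com:8080/solar/site/update",
              "http://myserver.com:8080/solar/site/update/status?arg1=a"):
        print(u, "->", classify(WEB_XML, u))
    print("/update/* covers /site/update?", match_rank("/update/*", "/site/update") is not None)
    print("with empty <auth-constraint/>:", classify(WEB_XML_DENY_ALL, "http://myserver.com:8080/solar/site/update"))
```

Run it with python3 (3.8 or newer, for the `{*}` namespace wildcard in ElementTree). Two things worth noticing: the poster's original `/update/*` and the later `/solar/site/update` both rank as None against the context-relative path `/site/update`, which is exactly why credentials were still demanded; and an empty `<auth-constraint/>` flips the open constraint into a deny-all, a common way to lock a URL while trying to open it.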
 