Configure read/write-access in TomCat

2010-08-18 Thread K A

Hello

I've developed a web-application in which I'd like to have some control of 
which resources are accessed by whom. My project is called "Server" in which 
I've got 3 directories: "/user" which all roles are allowed to access, "/admin" 
which ONLY administrators are allowed to access and "resources" in which I've 
got some files which users are allowed to read and administrators are allowed 
to both read and write.

I'm using a FORM to login. The form action is "POST" and the action is 
"j_security_check", the username field's name is "j_username" and the password 
field's is "j_password".
I've implemented a security-check in the jsp-file itself where I'm checking for 
the type of login the current user has. If the type is approved then the user is 
allowed to access the page.

But when I test the application and try to access the files in the other 
library then I've got access no matter what. This wasn't the intention. 

I've tried to follow several tutorials online but no matter what I can't get it 
to work out the right way.

I've tried to configure the web.xml manually but it doesn't work. I've tried to 
use the "manager" through the browser but that doesn't seem to deliver the 
possibility to set up those restrictions.

Can somebody please give me a detailed walkthrough on how to achieve this?

I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1. Thank you very much in 
advance!

Best regards,
Kenneth Andersen
k_k_ander...@hotmail.com
  

RE: Configure read/write-access in TomCat

2010-08-18 Thread K A

In /tomcat/Webapps/Projectname/web-inf:

I have inserted this part:





  user open part
  /Server/user/*
  user
  admin

  admin closed part
  /Server/admin/*
  admin

  FORM
  /Server/index.jsp
  /Server/index.jsp

  admin
  user
...


In /tomcat/Conf/web.xml:



I have inserted this part:
.




  



  user open part
  /Server/user/*
  user
  admin

  admin closed part
  /Server/admin/*
  admin

  FORM
  /Server/index.jsp
  /Server/index.jsp

  admin
  user

  default
  org.apache.catalina.servlets.DefaultServlet
..



> Date: Wed, 18 Aug 2010 12:00:39 +0100
> From: p...@pidster.com
> To: users@tomcat.apache.org
> Subject: Re: Configure read/write-access in TomCat
> 
> On 18/08/2010 10:44, K A wrote:
> > 
> > Hello
> > 
> > I've developed a web-application in which I'd like to have some control of 
> > which resources are accessed by whom. My project is called "Server" in 
> > which I've got 3 directories: "/user" which all roles are allowed to 
> > access, "/admin" which ONLY administrators are allowed to access and 
> > "resources" in which I've got some files which users are allowed to read 
> > and administrators are allowed to both read and write.
> > 
> > I'm using a FORM to login. The form action is "POST" and the action is 
> > "j_security_check", the username field's name is "j_username" and the 
> > password field's is "j_password".
> > I've implemented a security-check in the jsp-file itself where I'm checking 
> > for the type of login the current user has. If the type is approved then the 
> > user is allowed to access the page.
> > 
> > But when I test the application and try to access the files in the other 
> > library then I've got access no matter what. This wasn't the intention. 
> > 
> > I've tried to follow several tutorials online but no matter what I can't 
> > get it to work out the right way.
> > 
> > I've tried to configure the web.xml manually but it doesn't work. I've 
> > tried to use the "manager" through the browser but that doesn't seem to 
> > deliver the possibility to set up those restrictions.
> 
> What have you tried?
> 
> 
> > Can somebody please give me a detailed walkthrough on how to achieve this?
> > 
> > I'm using TomCat 6.0, JVM 1.5.0_20 SUN and Windows XP 5.1. Thank you very 
> > much in advance!
> 
> Why do people think it's called 'TomCat'?  It's *Tomcat*.
> 
> 
> p
> 
> 
> > Best regards,
> > Kenneth Andersen
> > k_k_ander...@hotmail.com
> >   
> 
  

RE: Configure read/write-access in TomCat

2010-08-18 Thread K A

Oh, really? I just guessed that if the user could see the absolute url to 
used/available files in the application (jsp- or pdf-files) then it was also 
possible that the user could compromise the files in that directory, overwrite 
them or even save new files. But you state that users can NOT save new files in 
a directory. Then they can NOT do any of the other stated actions, right? Or 
have I misunderstood?

Thanks!

> Date: Wed, 18 Aug 2010 13:32:00 +0200
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: Configure read/write-access in TomCat
> 
> K A wrote:
> > Hello
> > 
> > I've developed a web-application in which I'd like to have some control of 
> > which resources are accessed by whom. My project is called "Server" in 
> > which I've got 3 directories: "/user" which all roles are allowed to 
> > access, "/admin" which ONLY administrators are allowed to access and 
> > "resources" in which I've got some files which users are allowed to read 
> > and administrators are allowed to both read and write.
> 
> What do you mean by "write" ?  There is nothing in tomcat itself which allows 
> users to write anywhere on the server.
> If it is your application which allows some users to do that, then it belongs 
> to your application to check their permissions to do so.
> 
> > 
> > I'm using a FORM to login. The form action is "POST" and the action is 
> > "j_security_check", the username field's name is "j_username" and the 
> > password field's is "j_password".
> > I've implemented a security-check in the jsp-file itself where I'm checking 
> > for the type of login the current user has. If the type is approved then the 
> > user is allowed to access the page.
> > 
> 
> That is all very nice, but mostly irrelevant. The important thing here is 
> that your application would know who the user is, if it wants to control 
> access to some functions in function of the user.
> 
> > But when I test the application and try to access the files in the other 
> > library then I've got access no matter what. This wasn't the intention. 
> > 
> 
> ...
> > 
> > Can somebody please give me a detailed walkthrough on how to achieve this?
> > 
> I believe that for that, you'll have to be prepared to pay someone.
> 
> To say the above in another way : in tomcat itself, there is no mechanism for 
> allowing a user to upload anything and write it somewhere on the server.
> So you will not find anything in the tomcat documentation which explains how 
> to do what you want.
> 
> You will have to look for a separate web application which does that.
> And such an application would most probably contain some form of a 
> permissions mechanism.
> 
> One such application is DAV, which used to be included in the tomcat sample 
> applications.
> If you use the "Find Page" button in the FAQ, and enter "DAV", it shows some 
> links which might help you.
> 
> 
> 
  

RE: Configure read/write-access in TomCat

2010-08-18 Thread K A

Ah, so the web.xml in /tomcat/conf has nothing to do with the issue - it's 
only the web.xml in the project itself?
I just read that tomcat does not allow write-access to directories. So I guess my 
main issue in my question is of no concern then as the users don't have any 
rights to access the files in the actual directory unless the files are accessed 
through a servlet or jsp-page in this case? 

> Date: Wed, 18 Aug 2010 13:13:55 +0100
> From: p...@pidster.com
> To: users@tomcat.apache.org
> Subject: Re: Configure read/write-access in TomCat
> 
> On 18/08/2010 12:16, K A wrote:
> > 
> > In /tomcat/Webapps/Projectname/web-inf:
> 
> Capitals matter.  WEB-INF is the correct directory name.
> 
> > I have inserted this part:
> > 
> >   user open part 
> >   /Server/user/* 
> >   user 
> >   admin 
> > 
> >   admin closed part 
> >   /Server/admin/* 
> >   admin 
> > 
> >   FORM 
> >   /Server/index.jsp 
> >   /Server/index.jsp 
> 
> Paths are relative, I'd also recommend putting two separate files in a
> location that can't be directly requested. e.g.
> 
>   /WEB-INF/login/form.jsp
>   /WEB-INF/login/error.jsp
> 
> >   
> >   
> > 
> >   admin 
> >   user 
> > ...
> > 
> > 
> > In /tomcat/Conf/web.xml:
> 
> Don't do that.  Also, it should be 'conf'.
> 
> 
> p
> 
>
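
The layout discussed in this thread, as an added example that is not part of the original messages: a WEB-INF/web.xml for the "Server" webapp with context-relative URL patterns, the login pages under /WEB-INF/login/ as suggested in the reply, and per-method constraints on /resources/*. The role names and directories come from the thread; the "resources read"/"resources write" names and the split of HTTP methods are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <!-- url-pattern is relative to the context root: /user/*, not /Server/user/* -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>user open part</web-resource-name>
      <url-pattern>/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin closed part</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <!-- Assumed split: reading /resources/* is open to both roles -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>resources read</web-resource-name>
      <url-pattern>/resources/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>HEAD</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <!-- Assumed split: modifying methods on /resources/* are admin only -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>resources write</web-resource-name>
      <url-pattern>/resources/*</url-pattern>
      <http-method>POST</http-method><http-method>PUT</http-method><http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/WEB-INF/login/form.jsp</form-login-page>
      <form-error-page>/WEB-INF/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
```

In Servlet 2.5 a constraint that lists http-method elements leaves every unlisted method unconstrained, so any further method the application handles under /resources/* has to be added to the admin-only collection. The constraint only gates requests; the write itself still has to be implemented by application code or a servlet such as the DAV one mentioned in the reply.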