On 14/12/2023 17:28, ResSoft wrote:
Chris,
I figured out how to make this work. It works in my dev box but not in
my prod box. Both have the same version of tomcat. Here is the web.xml entry.
Any ideas would be great.
Those constraints look correct to me and a quick test using
Chris,
I figured out how to make this work. It works in my dev box but not in
my prod box. Both have the same version of tomcat. Here is the web.xml entry.
Any ideas would be great.
securedapp
/*
CONFIDENTIAL
Chris,
Thanks for the response, but I think I explained myself wrong. The
http redirect to https works when I use just this entry in my web.xml
securedapp
/*
CONFIDENTIAL
But if I want to force http to https and lock the second url pattern from
Kent,
On 12/14/23 09:13, ResSoft wrote:
I am currently forcing my app to use https. Here is what I have in my
app web.xml file and it works as intended
securedapp
/*
CONFIDENTIAL
I also now want to restrict the browser from pulling up files in certain
Marks,
Thanks for the info, originally I was using just index.jsp, but this also
gets blocked with a 403:
index.jsp
I will look into the servlet suggestion.
Cheers Greg
On 19 June 2017 at 10:39, Mark Thomas wrote:
> On 19/06/17 08:24, Greg Huber wrote:
> > Hello,
> >
> > If I add a security
On Mon, Jun 19, 2017 at 3:09 PM, Mark Thomas wrote:
> On 19/06/17 08:24, Greg Huber wrote:
> > Hello,
> >
> > If I add a security constraint to block direct access to jsp outside of
> > /WEB-INF/ it blocks the welcome-file with a 403. Is there a caveat for
> > using this here?
>
> Your welcome fi
On 19/06/17 08:24, Greg Huber wrote:
> Hello,
>
> If I add a security constraint to block direct access to jsp outside of
> /WEB-INF/ it blocks the welcome-file with a 403. Is there a caveat for
> using this here?
Your welcome file is invalid. It should be a file name without a path.
Remember it
> From: Mats Eklund [mailto:mats.ekl...@yahoo.com]
> Subject: security-constraint in web.xml - order/priority
>
> If I have more than one security-constraint tags in my web.xml (some
> with, some without auth-constraints), which one takes precedence for a
> specific request?
Generally, the longes
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: Security Constraint conflict
>
> I suggest that the Servlet Spec be revised by a German engineer, to the
> effect that everything not specifically allowed is forbidden.
Or we could try the quantum physics interpretati
Caldarale, Charles R wrote:
From: Pid [mailto:p...@pidster.com]
Subject: Re: Security Constraint conflict
The logical union of 'no methods' and 'some methods' is 'some methods',
isn't it? But...
Yes, except the spec says the operation is *not* a union when
> From: Pid [mailto:p...@pidster.com]
> Subject: Re: Security Constraint conflict
>
> The logical union of 'no methods' and 'some methods' is 'some methods',
> isn't it? But...
Yes, except the spec says the operation is *not* a union when a con
On 21/09/2009 01:20, Caldarale, Charles R wrote:
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Subject: Re: Security Constraint conflict
On 9/18/2009 9:47 PM, Bill Barker wrote:
I haven't checked the Servlet 3 spec, but with earlier versions,
the union process is to giv
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Security Constraint conflict
>
> On 9/18/2009 9:47 PM, Bill Barker wrote:
> > I haven't checked the Servlet 3 spec, but with earlier versions,
> > the union process is to give you the
Bill,
On 9/18/2009 9:47 PM, Bill Barker wrote:
> I haven't checked the Servlet 3 spec, but with earlier versions, the union
> process is to give you the *least* restrictive checking (i.e. you just have
> to pass one constraint to pass). And, yes, t
"Christopher Schultz" wrote in message
news:4ab3f5f1.5060...@christopherschultz.net...
>
> Peter,
>
> On 9/18/2009 4:34 PM, Peter Holcomb wrote:
>> Thanks for your response. I've read through the example in 13.7.2 of
>> the spec
>
> Which versio
My bad - I was quoting the servlet 3.0 spec (usually the headings align)
I need to reread but it might be a bug. (I don't have the spec in front
of me) but IIRC it said something to the effect of using the url + the
HTTP method to get all applicable constraints. And then unioning them
together.
I was actually looking in the 3.0 spec (here:
http://jcp.org/aboutJava/communityprocess/pr/jsr315/index.html) but I
believe the same example is available in the 2.4 spec under 12.8.2.
It's the example under "combining constraints".
I can't figure out the unioning process other than maybe it's unio
Peter,
On 9/18/2009 4:34 PM, Peter Holcomb wrote:
> Thanks for your response. I've read through the example in 13.7.2 of
> the spec
Which version of the spec? I don't see a section 13.8 at all in either
2.4 or 2.5 of the spec. I see the heading "Com
By the way, this works as we expected in Websphere and WebLogic.
On Fri, Sep 18, 2009 at 3:34 PM, Peter Holcomb wrote:
> Tim,
>
> Thanks for your response. I've read through the example in 13.7.2 of
> the spec but I don't think I'm understanding how the union works.
> According to my thought p
Tim,
Thanks for your response. I've read through the example in 13.7.2 of
the spec but I don't think I'm understanding how the union works.
According to my thought process, the url patterns are:
*.xhtml - access precluded
/* PUT,DELETE,TRACE,OPTIONS - access precluded
How does the unioning of
See 13.8.1 of the servlet spec.
The result in is unioning all the constraints together for one that passes
It might be easier to write a filter to implement the restriction that
only GET/POST/HEAD is allowed.
-Tim
Peter Holcomb wrote:
We have a situation where we recently introduced a new s
Chuck,
On 3/4/2009 11:23 AM, Caldarale, Charles R wrote:
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Subject: Re: security-constraint in conf/web.xml
>>
>> sf is expected to be used from within a w
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: security-constraint in conf/web.xml
>
> sf is expected to be used from within a web application, so
> it has to be deployed along with the webapp. So, the WAR file
> would have to be modified in th
Christopher Schultz wrote:
Chuck,
On 3/4/2009 10:01 AM, Caldarale, Charles R wrote:
From: Jurn Ho [mailto:j...@magicmonster.com]
Subject: Re: security-constraint in conf/web.xml
ok, is there an easy way to require authentication to access a
Chuck,
On 3/4/2009 10:01 AM, Caldarale, Charles R wrote:
>> From: Jurn Ho [mailto:j...@magicmonster.com]
>> Subject: Re: security-constraint in conf/web.xml
>>
>> ok, is there an easy way to require authentication to acces
> From: Jurn Ho [mailto:j...@magicmonster.com]
> Subject: Re: security-constraint in conf/web.xml
>
> ok, is there an easy way to require authentication to access a
> particular webapp, without modifying the war file?
You can try using this:
http://securityfilter.sourceforge.net/
ok, is there an easy way to require authentication to access a
particular webapp, without modifying the war file?
Caldarale, Charles R wrote:
From: Jurn Ho [mailto:j...@magicmonster.com]
Subject: security-constraint in conf/web.xml
Is it possible to move this config into the conf/web.xml inste
> From: Jurn Ho [mailto:j...@magicmonster.com]
> Subject: security-constraint in conf/web.xml
>
> Is it possible to move this config into the conf/web.xml instead?
> I have tried this but the security-constraint affects other webapps.
Which is exactly what conf/web.xml is supposed to do - it provi
Andre,
Andre Rubin wrote:
> Thanks Chuck but SecurityFilter does exactly the opposite of what I want:
>
> "Security Filter is intended to be packaged within your web app,
> including your realm implementation and supporting classes. This
> allows you
> From: Andre Rubin [mailto:[EMAIL PROTECTED]
> Subject: Re: security-constraint outside web.xml
>
> I want to manage security completely outside my app (outside the war
> file), not just outside web.xml.
I was under the impression that you could store the configurati
Thanks Chuck but SecurityFilter does exactly the opposite of what I want:
"Security Filter is intended to be packaged within your web app,
including your realm implementation and supporting classes. This
allows you to deploy your app as a single, deployable unit (war file
or expanded war directory
> From: Andre Rubin [mailto:[EMAIL PROTECTED]
> Subject: security-constraint outside web.xml
>
> Is there a way to configure the security-constraints
> somewhere else for my_app, like in a context file
> somewhere
Not when you're using the standard declarative security.
This might help do what yo
ok, thanks, David!
-Original Message-
From: David Smith [mailto:[EMAIL PROTECTED]
Sent: Monday, August 21, 2006 11:48 AM
To: Tomcat Users List
Subject: Re: Security constraint/login form
Looking at the source for org.apache.catalina.JDBCRealm, the queries on
the database are confined
ECTED]
Sent: Monday, August 21, 2006 10:51 AM
To: Tomcat Users List
Subject: Re: Security constraint/login form
Could you post some relevant sections of your webapp? I'm thinking the
security constraint section of your web.xml, a representative segment of
your user database table, and the lo
>>work.
>>
>>Any ideas why? And, if it's limited to this by Tomcat's default security
>>constraint class files, can I individually edit and recompile them, and then
>>it will redeploy in the war file upon restart?
>>
>>-Original Message-
>>
ching third col to the users table as well? Or is
that immaterial?
-Original Message-
From: David Smith [mailto:[EMAIL PROTECTED]
Sent: Monday, August 21, 2006 10:51 AM
To: Tomcat Users List
Subject: Re: Security constraint/login form
Could you post some relevant sections of your webapp?
redeploy in the war file upon restart?
-Original Message-
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 4:03 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form
The names are irrelevant. They just have to match between implementation
and s
never mind...sorry, I did see it in the web.xml file under the role-name
element.
Sorry about that!
-Original Message-
From: Propes, Barry L
Sent: Monday, August 21, 2006 10:43 AM
To: Tomcat Users List
Subject: RE: Security constraint/login form
Ok, I'm finding that the name
's default security
constraint class files, can I individually edit and recompile them, and then it
will redeploy in the war file upon restart?
-Original Message-
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 4:03 PM
To: Tomcat Users List
Subject: Re: Secu
t 18, 2006 9:27 AM
To: Tomcat Users List
Subject: Re: Security constraint/login form
Valid roles are whatever are defined to be valid. The specific name does
not matter. But if you are using a Database for validation, then the roles
are pulled from the database column that you have associate
choices? Is valid ONLY
service or admin?
-Original Message-
From: David Smith [mailto:[EMAIL PROTECTED]
Sent: Friday, August 18, 2006 6:26 AM
To: Tomcat Users List
Subject: Re: Security constraint/login form
Over an hour? Not even ODBC has that kind of latency. Could you be
looki
[mailto:[EMAIL PROTECTED]
Sent: Friday, August 18, 2006 6:26 AM
To: Tomcat Users List
Subject: Re: Security constraint/login form
Over an hour? Not even ODBC has that kind of latency. Could you be
looking at a caching issue?
--David
Propes, Barry L wrote:
>ok, thanks..I think there
To: Tomcat Users List
Subject: Re: Security constraint/login form
Over an hour? Not even ODBC has that kind of latency. Could you be
looking at a caching issue?
--David
Propes, Barry L wrote:
>ok, thanks..I think there's a fair amount of latency between my database query
>
s RISK, author, legaldept, etc.?
-Original Message-
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 2:11 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form
Are you talking about the tomcat-users.xml file and the roles defined in
there?
The security-contrain
ver an hour ago was still showing the old value, and
could have been causing some of the problems.
-Original Message-
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 4:03 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form
The names are ir
om: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 4:03 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form
The names are irrelevant. They just have to match between implementation
and setup.
On 8/17/06, Propes, Barry L <[EMAIL PROTECTED]> wrote:
>
created or yes to my last question about the values being what I want?
-Original Message-
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 3:38 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form
Quick answer is yes.
On 8/17/06, Propes, Barr
Sent: Thursday, August 17, 2006 3:38 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form
Quick answer is yes.
On 8/17/06, Propes, Barry L <[EMAIL PROTECTED]> wrote:
>
> I wonder though...do the role_names have to be service or admin or
> something like that?
>
Subject: Re: Security constraint/login form
Are you talking about the tomcat-users.xml file and the roles defined in
there?
The security-constraints are pretty flexible and you can use any number of
ways to define your realms. If you look at the web.xml for the manager
application (that is shipped
ing a column called role_name, but with a value
such as RISK, author, legaldept, etc.?
-Original Message-
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 2:11 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form
Are you talking about the tomcat-user
just be able to run a
simple select query to get the values I need to return the proper info per each
user's roles and credentials.
Thanks, both of you guys!
-Original Message-
From: Marc Farrow [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 2:11 PM
To: Tomcat Users Lis
Are you talking about the tomcat-users.xml file and the roles defined in
there?
The security-constraints are pretty flexible and you can use any number of
ways to define your realms. If you look at the web.xml for the manager
application (that is shipped with Tomcat), you can see how that realm i
ok, well that certainly helps and gives very good direction!
Thank you, David!
-Original Message-
From: David Smith [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 17, 2006 2:02 PM
To: Tomcat Users List
Subject: Re: Security constraint/login form
Getting the remote user would be
Getting the remote user would be request.getRemoteUser() ;
I would imagine other fields could be added to the database table, but
the webapp would be responsible for loading the remaining data into a
session or whatever is needed. Tomcat will only offer the username and
an accurate response t
to add to my question earlier below, would it be something as simple as?
String juser= (String) request.getAttribute("j_username");
Granted I have no idea what the session attribute is under the hood, only know
that j_username is the input name for the user_name.
I was thinking with that info,
e security constraint and do the switching both ways in my
Filter, so at least it is only configured in one place.
Thanks,
Tamsin
-Original Message-
From: Wang, Hansen [mailto:[EMAIL PROTECTED]
Sent: 30 March 2006 01:23
To: Tomcat Users List
Subject: RE: security-constraint
If you are u
If you are using struts for your webapp, there is an extension "sslext"
for this purpose. What it does is: 1) generate complete url with
property scheme using its tag; 2) redirect (as you said in your email)
if the incoming has unmatched scheme for the target resource.
Hansen
-Original Me
57 matches