Dennis,
On 2/14/13 3:22 PM, Dennis Gormley wrote:
> We have two web sites on a Tomcat 5.5 server (virtual hosts?).

You should upgrade as soon as possible: Tomcat 5.5 is no longer supported. You should move to Tomcat 7.0 at your earliest convenience.

It might not be important, but you should find out if you are using virtual hosting or not. A typical Tomcat configuration does not use virtual hosting, as the server will respond to any request and route it to the "default" host.

> I didn't set up the server, but I've been tasked to password
> protect a directory on one of the sites. I've already successfully
> password protected a directory on one site (site1) using a
> MemoryRealm, but would like to protect another site (site2).

Note that MemoryRealm is not very good, unless you just want to use something like a few global "admin" passwords. You're better off using something backed by a database or LDAP, so you can actually change things without having to restart Tomcat.

> Here are the working <security-constraint>, <login-config>, and
> <security-role> sections that challenge for UN/PW when a user tries to
> access the directory on site1. It's located in D:\Program
> Files\Apache Software Foundation\Tomcat 5.5\conf\web.xml

That is the site-wide web.xml file, and you shouldn't be modifying it. This is likely the problem. Instead, you want to find the web.xml file that is specific for each individual webapp. Those files can be in a number of places, so I'll start with the easiest to find and go toward the trickiest.

1. In ....\Tomcat 5.5\webapps\[webappname]\WEB-INF\web.xml
2. In ....\Tomcat 5.5\webapps\[webappname].war (in WEB-INF/web.xml)
3. Look in ...\Tomcat 5.5\conf\[engine]\[host]\[webappname].xml

There may be a "docBase" attribute in the <Context> element. That will tell you where the webapp is located on the disk. Look under there in WEB-INF/web.xml or, if it's a WAR file, you may have to extract it from the WAR before looking at it.
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Test Application</web-resource-name>
>     <url-pattern>/site1_staff/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>site1staff</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>Site1 Users</realm-name>
> </login-config>

That looks like the kind of thing you'd have to do in order to secure a directory. Note that you aren't securing a directory: you are securing a URL pattern. The fact that URL patterns are mapped to a physical place on the disk is a (very convenient) coincidence. I just mention that because there are ways to alias URLs and disk-paths to get around these restrictions. Apache httpd (the web server) can protect physical directories and URL "locations" separately (where the dir-based protection is slightly more secure for on-disk resources) but Tomcat can only protect URLs.

Editing the site-wide configuration is likely to be a problem, because each <security-constraint> is context-scoped (that is, scoped to the webapp) and so you don't need the leading "/webappname". Let's find your individual web.xml files and start there.

-chris
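An added helper script (not from Chris's reply or the Tomcat project) that walks the three web.xml locations the reply lists and reports each webapp's security-constraint URL patterns, flagging a pattern that repeats the webapp's own name, since constraints are context-scoped. The webapp name "site2", its role name and the sample web.xml are constructed for illustration.

```python
# Added example: locate each webapp's own WEB-INF/web.xml (exploded dir, .war, or a
# conf/[engine]/[host]/[webapp].xml context file with docBase) and audit its constraints.
import glob, os, zipfile
import xml.etree.ElementTree as ET

_local = lambda tag: tag.rsplit("}", 1)[-1]  # '{uri}url-pattern' -> 'url-pattern' (namespaced or plain web.xml)

def url_patterns(web_xml_text):
    """Every <url-pattern> nested inside a <security-constraint>."""
    root = ET.fromstring(web_xml_text)
    return [(up.text or "").strip()
            for sc in root.iter() if _local(sc.tag) == "security-constraint"
            for up in sc.iter() if _local(up.tag) == "url-pattern"]

def _read_web_xml(path):
    """WEB-INF/web.xml text from an exploded webapp directory or a .war file, else None."""
    exploded = os.path.join(path, "WEB-INF", "web.xml")
    if os.path.isfile(exploded):
        with open(exploded, encoding="utf-8") as f:
            return f.read()
    if os.path.isfile(path) and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as war:
            if "WEB-INF/web.xml" in war.namelist():
                return war.read("WEB-INF/web.xml").decode("utf-8")
    return None

def find_web_xmls(catalina_home):
    """Map webapp name -> web.xml text: webapps/<name>/, webapps/<name>.war, or a
    conf/<engine>/<host>/<name>.xml context file whose docBase points at the app."""
    found, webapps = {}, os.path.join(catalina_home, "webapps")
    for entry in sorted(os.listdir(webapps)) if os.path.isdir(webapps) else []:
        text = _read_web_xml(os.path.join(webapps, entry))
        if text is not None:
            found[entry[:-4] if entry.lower().endswith(".war") else entry] = text
    for ctx in glob.glob(os.path.join(catalina_home, "conf", "*", "*", "*.xml")):
        doc_base = ET.parse(ctx).getroot().get("docBase")  # a relative docBase sits under appBase
        text = _read_web_xml(os.path.join(webapps, doc_base)) if doc_base else None
        if text is not None:
            found.setdefault(os.path.basename(ctx)[:-4], text)
    return found

def check_constraints(web_xmls):
    """{webapp: [(pattern, warning or None), ...]} for a name -> web.xml text mapping."""
    warn = "repeats the webapp name; constraints are context-scoped, drop the leading /%s"
    return {name: [(p, warn % name if p == "/" + name or p.startswith("/" + name + "/") else None)
                   for p in url_patterns(text)] for name, text in web_xmls.items()}

SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint><web-resource-collection><web-resource-name>Staff</web-resource-name>
    <url-pattern>/site2/staff/*</url-pattern><url-pattern>/staff/*</url-pattern>
  </web-resource-collection><auth-constraint><role-name>site2staff</role-name></auth-constraint>
  </security-constraint><login-config><auth-method>BASIC</auth-method><realm-name>Site2 Users</realm-name>
  </login-config><security-role><role-name>site2staff</role-name></security-role></web-app>"""  # constructed
```

Run `check_constraints(find_web_xmls(r"D:\Program Files\Apache Software Foundation\Tomcat 5.5"))` against a real install; `check_constraints({"site2": SAMPLE_WEB_XML})` shows the first pattern flagged and the second accepted.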