On 08/06/18 17:26, Randy Oun wrote:
> Hello Tomcat user group.
>
> I am setting up Tomcat 8.5.23 with Kerberos/SPNEGO. Since the Tomcat
> server will be only hosting one web application and we only want SPNEGO
> only on certain environments we were trying to add security constraints to
> Tomcat's web.xml instead of the application's web.xml.
>
> Unfortunately it doesn't seem like it is taking effect. The only change
> is adding the app's URI context to the url-pattern in Tomcat's web.xml.
>
> Is something misconfigured?

Yes. The global web.xml is merged into the application web.xml for every
web application. You want to use exactly the same URLs (no leading
"/app") in the global web.xml as you do in the application web.xml.

As an aside, configuring application-specific settings in the global
web.xml is not recommended. If you ever need to deploy a second web
application you are going to have difficulties.

Mark

> If not, what can I do to get this to work?
>
> In TOMCAT_HOME/conf/web.xml...
> ---------------------------------------------
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>NoSSO</web-resource-name>
>             <description>URIs that should not trigger SPNEGO</description>
>             <url-pattern>/app/ping</url-pattern>
>             <url-pattern>/app/ws/*</url-pattern>
>             <url-pattern>/app/service/*</url-pattern>
>         </web-resource-collection>
>         <!-- No auth-constraint means paths are accessible -->
>     </security-constraint>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>SSO</web-resource-name>
>             <description>Default context path that will trigger Kerberos-SPNEGO SSO</description>
>             <url-pattern>/app/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>**</role-name>
>         </auth-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>SPNEGO</auth-method>
>         <realm-name>SPNEGO Realm</realm-name>
>     </login-config>
>
> In app web.xml...
> -----------------------
>     <!-- SF Note: Added for SSO enablement -->
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>NoSSO</web-resource-name>
>             <description>URIs that should not trigger SPNEGO</description>
>             <url-pattern>/ping</url-pattern>
>             <url-pattern>/ws/*</url-pattern>
>             <url-pattern>/service/*</url-pattern>
>         </web-resource-collection>
>         <!-- No auth-constraint means paths are accessible -->
>     </security-constraint>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>SSO</web-resource-name>
>             <description>Default context path that will trigger Kerberos-SPNEGO SSO</description>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>**</role-name>
>         </auth-constraint>
>     </security-constraint>
>     <login-config>
>         <auth-method>SPNEGO</auth-method>
>         <realm-name>SPNEGO Realm</realm-name>
>     </login-config>
>
> Thanks!
>
> Randy
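
Added example, not part of the original thread and not Tomcat's own code: a simplified model of Servlet best-match constraint selection, showing why the "/app"-prefixed patterns never match and the intended paths end up with no constraint at all. The function names, the context path "/app" and the sample request URIs are assumptions made for illustration, and the combination of several constraints on the same pattern is not modelled.

```python
# Added illustration (not Tomcat source): simplified Servlet-style best-match
# selection of a security constraint. Patterns are compared with the path
# inside the web application (request URI minus context path). The context
# path "/app" and the request URIs used with it are constructed samples.

def match_rank(pattern, path):
    """Return a sortable rank if pattern matches path, else None."""
    if pattern == path:
        return (3, len(pattern))          # exact match wins
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))       # then the longest path prefix
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)                     # then an extension match
    if pattern == "/":
        return (0, 0)                     # default mapping
    return None

def governing_constraint(constraints, context_path, request_uri):
    """constraints: list of (name, url_patterns, auth_required).
    Returns (name, auth_required), or (None, False) when nothing matches."""
    if request_uri != context_path and not request_uri.startswith(context_path + "/"):
        raise ValueError("request is not for this context")
    path = request_uri[len(context_path):] or "/"
    best = None
    for name, patterns, auth in constraints:
        for pattern in patterns:
            rank = match_rank(pattern, path)
            if rank is not None and (best is None or rank > best[0]):
                best = (rank, name, auth)
    return (best[1], best[2]) if best else (None, False)

PREFIXED = [  # url-patterns as posted for TOMCAT_HOME/conf/web.xml
    ("NoSSO", ["/app/ping", "/app/ws/*", "/app/service/*"], False),
    ("SSO", ["/app/*"], True),
]
RELATIVE = [  # url-patterns as posted for the application's web.xml
    ("NoSSO", ["/ping", "/ws/*", "/service/*"], False),
    ("SSO", ["/*"], True),
]

if __name__ == "__main__":
    for uri in ("/app/ping", "/app/ws/echo", "/app/index.html"):
        print(uri, governing_constraint(PREFIXED, "/app", uri),
              governing_constraint(RELATIVE, "/app", uri))
```

A result of `(None, False)` for the prefixed set means no constraint governs the request, so nothing asks for SPNEGO authentication on those paths.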