Yeah, you need to delete the entire <auth-constraint>...</auth-constraint> to allow everyone. However, for MSIE, you may still get problems due to the restricted caching headers that Tomcat adds.

"Filip Hanik - Dev Lists" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> <role-name>*</role-name> <!-- even though I have no roles configured -->
>
> the "*" means all the roles that you have defined in web.xml, since you
> haven't defined any roles in web.xml, there is nothing to authenticate,
> hence it's gonna deny the request
>
> Filip
>
>
> Glen Mazza wrote:
>> Hello,
>>
>> I have developed a simple web application running on Tomcat that asks for
>> a database username and password and then returns a report in PDF. I'm
>> *not* using any of Tomcat's security features for this--no roles for
>> example.
>>
>> In testing it has been running fine on HTTP, but I would like it to be
>> using HTTPS/SSL for production use, and ideally, be redirecting any user
>> HTTP requests to HTTPS. So I created a new keystore and activated the
>> HTTPS/SSL connector in the server.xml file. I also added the following
>> security constraint to the web.xml of my web application in order to
>> force a redirect from HTTP to HTTPS should the user enter the former:
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>thewholeapp</web-resource-name>
>>     <url-pattern>/*</url-pattern>
>>     <http-method>GET</http-method>
>>     <http-method>POST</http-method>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>*</role-name> <!-- even though I have no roles configured -->
>>   </auth-constraint>
>>   <user-data-constraint>
>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>   </user-data-constraint>
>> </security-constraint>
>>
>> The redirection to the HTTPS page is working, but the HTTPS page itself
>> is failing--I keep getting 403 error messages: "Access to the requested
>> resource has been denied". Note I am *not* doing any form of container
>> authentication--that may be the problem, as I'm relying on the DB
>> connection string within my web application to authenticate into the
>> database. I get the same message if I go to the https:// URL directly
>> and not via redirection.
>>
>> How can I get Tomcat to let every user access the HTTPS URL login page
>> (letting the database continue to handle the subsequent authentication
>> into the DB), preferably while still allowing for the automatic
>> redirection from HTTP to HTTPS as listed in the above
>> <security-constraint/>?
>>
>> Thanks,
>> Glen
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
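
The fix described in this thread, as an added example that is not from any of the posters: the constraint from the question with the <auth-constraint> removed, so the container asks for no role while the CONFIDENTIAL transport guarantee still forces the HTTP-to-HTTPS redirect. Leaving out the <http-method> elements is an assumption beyond the thread, made so the guarantee applies to every method rather than only GET and POST.

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>thewholeapp</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- No <http-method> elements (a change made for this example, not
         suggested in the thread): with none listed, the constraint
         covers every HTTP method, not only GET and POST. -->
  </web-resource-collection>
  <!-- No <auth-constraint>: the container performs no role check, so
       every user reaches the login page and the application's own
       database login remains the only authentication. -->
  <user-data-constraint>
    <!-- Still redirects plain-HTTP requests to the HTTPS connector. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```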