Thank you both. Removing the <auth-constraint/> element quickly solved
the problem for me. So far, I have not run into any MSIE problems with
this solution; hopefully my luck will continue. (By default, users will
be given https:// links anyway; the redirection is only for those who
might accidentally enter via http://.)
Glen
Bill Barker wrote:
Yeah, you need to delete the entire <auth-constraint>...</auth-constraint>
to allow everyone. However, for MSIE, you may still get problems due to the
restricted caching headers that Tomcat adds.
"Filip Hanik - Dev Lists" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
<role-name>*</role-name> <!-- even though I have no roles configured -->
the "*" means all the roles that you have defined in web.xml, since you
haven't defined any roles in web.xml, there is nothing to authenticate,
hence it's gonna deny the request
Filip
Glen Mazza wrote:
Hello,
I have developed a simple web application running on Tomcat that asks for
a database username and password and then returns a report in PDF. I'm
*not* using any of Tomcat's security features for this--no roles for
example.
In testing it has been running fine on HTTP, but I would like it to be
using HTTPS/SSL for production use, and ideally, be redirecting any user
HTTP requests to HTTPS. So I created a new keystore and activated the
HTTPS/SSL connector in the server.xml file. I also added the following
security constraint to the web.xml of my web application in order to
force a redirect from HTTP to HTTPS should the user enter the former:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>thewholeapp</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name> <!-- even though I have no roles configured -->
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
The redirection to the HTTPS page is working, but the HTTPS page itself
is failing--I keep getting 403 error messages: "Access to the requested
resource has been denied". Note I am *not* doing any form of container
authentication--that may be the problem, as I'm relying on the DB
connection string within my web application to authenticate into the
database. I get the same message if I go to the https:// URL directly
and not via redirection.
How can I get Tomcat to let every user access the HTTPS URL login page
(letting the database continue to handle the subsequent authentication
into the DB), preferably while still allowing for the automatic
redirection from HTTP to HTTPS as listed in the above
<security-constraint/>?
Thanks,
Glen
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
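
Added example, not part of the original thread: a small web.xml check that reports, for each security-constraint, who is let in and whether HTTPS is forced, following the explanation above that "*" expands to the roles declared in web.xml. The function names and both sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the question; no <security-role> is declared.
BROKEN = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>thewholeapp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Same descriptor with the whole <auth-constraint> element deleted, as advised in the thread.
FIXED = BROKEN.replace("<auth-constraint><role-name>*</role-name></auth-constraint>", "")


def local(tag):
    """Strip a namespace such as {http://java.sun.com/xml/ns/javaee} from a tag."""
    return tag.rsplit("}", 1)[-1]


def texts(parent, name):
    """Text of every descendant element of `parent` whose local name is `name`."""
    return [e.text.strip() for e in parent.iter() if local(e.tag) == name and e.text]


def audit(web_xml):
    """Return one finding per <security-constraint>: who gets in, and is HTTPS forced."""
    root = ET.fromstring(web_xml)
    declared = set()
    for role in (e for e in root.iter() if local(e.tag) == "security-role"):
        declared.update(texts(role, "role-name"))
    findings = []
    for sc in (e for e in root.iter() if local(e.tag) == "security-constraint"):
        auth = next((c for c in sc if local(c.tag) == "auth-constraint"), None)
        if auth is None:
            access = "everyone"          # no auth-constraint: no authentication required
        else:
            roles = set(texts(auth, "role-name"))
            allowed = declared if "*" in roles else roles
            # "*" expands to the declared roles; an empty set means every request gets 403
            access = "roles:" + ",".join(sorted(allowed)) if allowed else "nobody"
        findings.append({
            "name": (texts(sc, "web-resource-name") or ["?"])[0],
            "access": access,
            "https_forced": "CONFIDENTIAL" in texts(sc, "transport-guarantee"),
        })
    return findings
```

Running audit() on the descriptor from the question reports access "nobody" with HTTPS forced; on the version without the auth-constraint it reports "everyone" with HTTPS still forced.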