Joerg,

If you want your JSPs protected you can configure that in your web.xml file. I can't fully remember (someone jump in here) but I used roles in Tomcat and put the JSP files in a separate directory, then I added declarations in my web.xml file for it. Here are the snippets from my web.xml: (If you look down through the role-name tags, certain roles can access certain JSPs. All the JSPs are locked from the gen-public inside of a "Private" folder.)

<!--Constraints to control access to an entire namespace of urls-->
<security-constraint><!--/admin/* limits access to those in admin role.-->
  <web-resource-collection>
    <web-resource-name>CompanySecret</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint><!--/trainer/* limits access to those in trainer role.-->
  <web-resource-collection>
    <web-resource-name>CompanySecret</web-resource-name>
    <url-pattern>/trainer/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>trainer</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint><!--/Private/* completely blocks access except by the webserver itself.-->
  <web-resource-collection>
    <web-resource-name>CompanySecret</web-resource-name>
    <url-pattern>/Private/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name></role-name>
  </auth-constraint>
</security-constraint>

<!--Constraints to limit access to individual urls which are not limited by any namespace in their url-->
<security-constraint><!--/Main.jsp requires login, but then is available to everybody who can login.-->
  <web-resource-collection>
    <web-resource-name>CompanySecret</web-resource-name>
    <url-pattern>/Main.jsp</url-pattern>
    <url-pattern>/AutocompleteQuery</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>trainer</role-name>
    <role-name>manager</role-name>
    <role-name>admin</role-name>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint><!--/CompanyOverview.jsp requires login, in any non-user role.-->
  <web-resource-collection>
    <web-resource-name>CompanySecret</web-resource-name>
    <url-pattern>/CompanyOverview.jsp</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>trainer</role-name>
    <role-name>manager</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

Hope this helps you.

- Josh

On Fri, Sep 25, 2009 at 5:46 AM, Buchner, Joerg [T0I] (VW Sachsen) <joerg.buch...@volkswagen.de> wrote:

> Hi Rainer,
>
> yes, the JSPs should be served by Tomcat!
>
> But Tomcat should not work as WebService,
> Tomcat is only an Engine behind IIS.
>
> The protection of the JSP files should be realized in the NTFS ACLs...
>
> Regards,
> Jörg
>
> -----Original Message-----
> From: Rainer Jung [mailto:rainer.j...@kippdata.de]
> Sent: Friday, 25 September 2009 09:07
> To: Tomcat Users List
> Subject: Re: Apache Tomcat, IIS, ISAPI
>
> On 25.09.2009 08:06, Buchner, Joerg [T0I] (VW Sachsen) wrote:
> > Hi,
> >
> > I've got a problem.
> > We have a Microsoft IIS 6.0 with an Apache Tomcat 5.5.27 with IIS ISAPI 1.2.28.
> > (AMD64).
> >
> > The website uses Integrated Windows Authentication.
> >
> > The source code files on the server are protected by Active Directory groups.
> >
> > All works fine.
> >
> > But now the problem.
> >
> > If a user requests an HTML file, then IIS checks the NTFS file system permissions.
> > That means only users who are in the security group on the file system have access.
> >
> > But if the same user requests a JSP file, then there is no check on the file system permissions.
> >
> > That is not OK.
> > I'd like to protect my JSP files with NTFS rights.
> >
> > Can anybody help me?
>
> The JSPs should be served by Tomcat, right? So IIS doesn't need to be
> able to see them or allowed to actually read them.
>
> So do you want to protect them in Tomcat?
>
> Regards,
>
> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
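
An audit of the kind of constraints quoted in the message above, as an added example that is not part of the original message: it parses a web.xml and reports, per url-pattern, which common HTTP methods fall outside the constraint's http-method list (a constraint that lists methods applies only to those methods) and whether the auth-constraint is the role-less deny-all form. The /Private2/* variant, the COMMON_METHODS list and the function names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the quoted /Private/* constraint, then a hypothetical /Private2/* variant.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CompanySecret</web-resource-name>
      <url-pattern>/Private/*</url-pattern>
      <http-method>DELETE</http-method><http-method>GET</http-method>
      <http-method>POST</http-method><http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name></role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>CompanySecret</web-resource-name>
      <url-pattern>/Private2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}  # chosen list

def local(tag):  # drop any XML namespace prefix
    return tag.rsplit("}", 1)[-1]

def texts(node, name):  # stripped text of each descendant element called `name`
    return [(e.text or "").strip() for e in node.iter() if local(e.tag) == name]

def audit(web_xml):
    """Return one finding per url-pattern of every security-constraint."""
    findings = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        listed = {m.upper() for m in texts(sc, "http-method")}
        # No <http-method> list: every method is covered. With a list, others are not.
        uncovered = sorted(COMMON_METHODS - listed) if listed else []
        roles = texts(sc, "role-name")  # a blank <role-name> is kept as ""
        # Only an auth-constraint with no role-name elements is the spec's deny-all form.
        deny_all = len(texts(sc, "auth-constraint")) > 0 and not roles
        for pattern in texts(sc, "url-pattern"):
            findings.append({"pattern": pattern, "uncovered": uncovered,
                             "roles": roles, "deny_all": deny_all})
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_WEB_XML), sep="\n")
```

Methods reported as uncovered are only outside that one constraint; another constraint on the same pattern may still cover them.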