On 15/12/2009 06:45, Shaun Senecal wrote:
I have a "blanket" security-constraint defined in my conf/web.xml,
followed by a couple more specific security-constraints. However, it
appears that the more specific ones are not being picked up. When I
break in FormAuthenticator.invoke(), I can see in the constraints
variable (SecurityConstraint[]) that only my global
security-constraint is there so everything is requiring
authentication. What am I doing wrong? I want to configure Tomcat
such that /favicon.ico and /agentapp/* do not require authentication.
conf/web.xml snippet:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>The entire SP</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>favicon.ico for browser tabs</web-resource-name>
    <url-pattern>/favicon.ico</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>agentapp</web-resource-name>
    <url-pattern>/agentapp/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
The last two overlap with the first, so a union of them occurs.
The /agentapp/ could be deployed in its own war, or exploded dir, with
a separate web.xml. The favicon is a bit more tricky, not sure you can
do what you want to as long as the first rule exists.
p
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
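
To see the overlap discussed in this thread, the following added example (not part of the original messages and not Tomcat code) lists every constraint from the posted snippet whose url-pattern matches a given context-relative path, together with its auth-constraint roles. It assumes a namespace-free web.xml, leaves out the user-data-constraint elements, and only reports matches; it does not model how the container resolves them. The function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# The three constraints from the post (user-data-constraint left out),
# wrapped in a <web-app> root so the fragment parses.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection><web-resource-name>The entire SP</web-resource-name>
    <url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection><web-resource-name>favicon.ico for browser
    tabs</web-resource-name><url-pattern>/favicon.ico</url-pattern>
  </web-resource-collection>
</security-constraint>
<security-constraint>
  <web-resource-collection><web-resource-name>agentapp</web-resource-name>
    <url-pattern>/agentapp/*</url-pattern></web-resource-collection>
</security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern forms: exact, '/prefix/*', '*.ext' and '/' (default)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/" or pattern == path

def load_constraints(xml_text):
    """Return (name, [url-patterns], roles or None) per <security-constraint>."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        raw = sc.findtext("web-resource-collection/web-resource-name", "")
        auth = sc.find("auth-constraint")  # None means no auth-constraint element
        roles = None if auth is None else [r.text.strip() for r in auth.iter("role-name")]
        out.append((" ".join(raw.split()), [p.text.strip() for p in sc.iter("url-pattern")], roles))
    return out

def overlapping(xml_text, path):
    """Every constraint with a url-pattern matching the context-relative path."""
    return [(name, roles) for name, patterns, roles in load_constraints(xml_text)
            if any(pattern_matches(p, path) for p in patterns)]

if __name__ == "__main__":
    for path in ("/favicon.ico", "/agentapp/login", "/index.jsp"):
        for name, roles in overlapping(WEB_XML, path):
            print(path, "<-", name, "| auth-constraint roles:", roles)
```

A roles value of None marks a constraint with no auth-constraint element; any path that lists more than one constraint is covered by overlapping patterns.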