On 15/10/11 14:47, Yogesh Shankarappa wrote:
Thanks for your response. I tried your suggestion, unfortunately it did not
work.
There must be a solution for this as most web applications have both public
and protected URLs.
*public URLs*
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Unprotected</web-resource-name>
    <url-pattern>/public/welcome.html</url-pattern>
  </web-resource-collection>
</security-constraint>
Thanks in advance.
Thanks
Yogesh
Try doing it like this for public URLs: put an empty auth-constraint tag.
*public URLs*
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Unprotected</web-resource-name>
    <url-pattern>/public/welcome.html</url-pattern>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>
Reference: http://java.dzone.com/articles/understanding-web-security
---------------------------------------------------------------------
Here is an extract from a web.xml that does what you want... it is the
presence of a security constraint WITHOUT an auth constraint AT ALL that
denotes public, unauthenticated access.
(Note... don't forget to permit access to the webapp base url if you
have turned off directory browsing and you want the default servlet to
redirect to your welcome page).
<security-constraint>
  <display-name>Free Access</display-name>
  <web-resource-collection>
    <web-resource-name>unauthed users can GET only</web-resource-name>
    <!-- Define the context-relative URLs to be unprotected -->
    <!-- must unprotect base url to permit redirect to welcome! -->
    <url-pattern>/</url-pattern>
    <url-pattern>/myAccessControl.html</url-pattern>
    <url-pattern>/myError.jsp</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <!-- absence of <auth-constraint> means anyone at all can access
       this area -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <display-name>Restricted Access</display-name>
  <web-resource-collection>
    <web-resource-name>Protected web application</web-resource-name>
    <!-- Define the context-relative URL(s) to be protected -->
    <url-pattern>/*</url-pattern>
    <!-- no list of http methods, so ALL methods are protected -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Only someone authenticated with one of these roles can
         access this area -->
    <role-name>manager</role-name>
    <role-name>family</role-name>
  </auth-constraint>
</security-constraint>
Hope this sorts out your problem - when I had something similar it drove
me nuts reading the servlet specs and the Tomcat docs to work out
exactly how to do it.
Brian