Is it Tomcat's Bug or My Mistake

Alec Lee
Ranch Hand

Joined: Jan 28, 2004
Posts: 569
My web.xml is listed below. I tested with Tomcat 5.0.29 and requested /first.jsp. I was prompted with a login prompt and I entered the password for an account with the "admin" role. Unexpectedly, /first.jsp was displayed!!

My understanding is that this should not have happened because I used <auth-constraint /> in my second <security-constraint>. Could anyone help me spot any mistake I may have made?

Thx

<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <!-- security-constraint -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>hello</web-resource-name>
      <url-pattern>/first.jsp</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ss</web-resource-name>
      <url-pattern>/first.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>

  <!-- <login-config> -->
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <!-- <security-role> -->
  <security-role>
    <role-name>admin</role-name>
    <role-name>tomcat</role-name>
  </security-role>
  <!-- <welcome-file-list> -->
  <!-- <filter> -->
</web-app>
Sergey Tyulkin
Ranch Hand

Joined: May 10, 2005
Posts: 87
Seems to be a Tomcat bug
Esam Ahmed
Ranch Hand

Joined: Aug 10, 2005
Posts: 101
How did <role-name> map to the security "realm"?

You might want to add these and see how it behaves:

<tomcat-users>
  <role rolename="admin"/>
  <role rolename="user"/>

  <user username="myName" password="myPassword" roles="admin, user" />
  <user username="yourName" password="yourPassword" roles="admin" />
</tomcat-users>

Esam
[ September 16, 2005: Message edited by: Esam Ahmed ]

Esam
SCJP 1.4, SCWCD 1.4
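Added example (not part of any post in this thread, and not Tomcat's code): a Python check of how the Servlet 2.4 specification (SRV.12.8.1) combines constraints that share a url-pattern and http-method, run against a trimmed copy of the descriptor from the first post. Under that rule an auth-constraint that names no roles overrides the others and precludes access. The names effective_access and WEB_XML are made up for this illustration, and it assumes exact-path url-patterns and explicit role names only.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the descriptor from the first post (same two constraints).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/first.jsp</url-pattern>
      <http-method>POST</http-method><http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/first.jsp</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]           # drop the XML namespace prefix

def kids(el, name):
    return [c for c in el if local(c) == name]

def effective_access(web_xml, path, method):
    """Return 'deny-all', 'no-auth-required', 'unconstrained' or a set of roles."""
    applicable = []
    for sc in kids(ET.fromstring(web_xml), "security-constraint"):
        for wrc in kids(sc, "web-resource-collection"):
            patterns = [p.text.strip() for p in kids(wrc, "url-pattern")]
            methods = [m.text.strip() for m in kids(wrc, "http-method")]
            # No <http-method> listed means the collection covers every method.
            if path in patterns and (not methods or method in methods):
                applicable.append(kids(sc, "auth-constraint"))
                break
    if not applicable:
        return "unconstrained"
    role_sets = [{r.text.strip() for r in kids(ac[0], "role-name")} if ac else None
                 for ac in applicable]
    if any(rs == set() for rs in role_sets):    # <auth-constraint/> names no roles
        return "deny-all"                       # and overrides every other constraint
    if any(rs is None for rs in role_sets):     # constraint with no auth-constraint
        return "no-auth-required"
    return set().union(*role_sets)              # otherwise the union of named roles
```

For the posted descriptor this yields 'deny-all' for GET and POST on /first.jsp, while a method that neither constraint lists, such as PUT, comes back 'unconstrained'.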