File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Servlets and the fly likes turn off security constraint for a directory Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Java Interview Guide this week in the Jobs Discussion forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "turn off security constraint for a directory" Watch "turn off security constraint for a directory" New topic

turn off security constraint for a directory

Stephen Huey
Ranch Hand

Joined: Jul 15, 2003
Posts: 618
The webapp is located at \Tomcat\webapps\mywebapp and that directory has several subdirectories like \Tomcat\webapps\mywebapp\cache\ and \Tomcat\webapps\mywebapp\images\ and these are all protected by one global security constraint (the url-pattern is /* so everything in there is off-limits if you're not authenticated). I'm trying to figure out if there's a way to specify a directory that is an exception, meaning you could access a file in it (if you knew the URL to the file) without being authenticated. Bascially, how can I make a file in \Tomcat\webapps\mywebapp\newdirectory\ be accessible to you without you having to log in?

I'm posting the complete web.xml in mywebapp\WEB-INF\ so you can see what I'm talking about. Also, I'm trying to modify the original developer's work, so I've been using Windows Grep to try and find out where the web resource ADE Supply is mentioned elsewhere, but honestly, I can't find it! How does it know what directory is being specified? Also, do you think this is the same ADE Supply mentioned in the realm-name at the bottom, or is it just circumstantial that they have the same name?

Thanks for your help!

leon fan

Joined: Aug 02, 2004
Posts: 19
The whole security mechemism is defined by Java Servlet Specification and implemented by container,
I guess you couldn't find ADE string in your own program.

Seemed there don't exist a better way except list all constraint directory instead of '/*' in entity 'url-pattern', so user can access your exception file without being authenticated
I agree. Here's the link:
subject: turn off security constraint for a directory
It's not a secret anymore!