Exclude url from authorized access-web.xml

Rahul Raviz
Greenhorn

Joined: Jun 14, 2012
Posts: 2
Hi All,

I have an issue with allowing access to a page which is secured using active directory authentication. I want some pages/content to be excluded from this. Following is my web.xml file under conf of tomcat.




As per my understanding, this should allow URLs with the content "update" and allow other pages only with AD credentials. But this is not working for me now. It's asking for the credentials even for the URL with "update".

Tomcat Version: 7
Env: Linux
URL: http://myserver.com:8080/solar/index.jsp. Here it's asking for the credentials, which is fine and as expected.

URL with "update" in the address: http://myserver.com:8080/solar/site/update. When I access this URL, it's still asking for the credentials.

I am not really sure why this is happening. Could anyone here help me with this?
Jelle Klap
Bartender

Joined: Mar 10, 2008
Posts: 1761

Well the /update/* url-pattern only allows unsecured access to URLs that are relative to <webapp-root>/update, which in this case would be any that matches URL http://myserver.com:8080/solar/update/<whatever>.
The pattern does not apply to the URL you want unrestricted access to: http://myserver.com:8080/solar/site/update (take note of the site portion).
My guess is you're looking for wildcard behavior that allows unrestricted access to any URL relative to the webapp-root that contains update, correct?


Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.
Rahul Raviz
Greenhorn

Joined: Jun 14, 2012
Posts: 2
Exactly, that's what I am looking for, a wild card. But how??

I tried /solar/site/update.. but nothing is happening even then. It's still asking for the credentials.
Jelle Klap
Bartender

Joined: Mar 10, 2008
Posts: 1761

That's because you're including solar in the url-pattern, which is implied as the webapp-root, and shouldn't be explicitly included.
Try changing the url-pattern to /site/update/* and you should have unrestricted access to the URL http://myserver.com:8080/solar/site/update.
Then see if you can figure out the wildcard logic for the url-pattern definition, which shouldn't be hard because you're already using it for the base restriction pattern...
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16019

Rahul Raviz wrote:
As per my understanding, this should allow URLs with the content "update" and allow other pages only with AD credentials. But this is not working for me now. It's asking for the credentials even for the URL with "update".


Let's clarify that a little.

The web.xml security actually has no idea whether or not AD is involved. All it does is interact with the Realm. If the Realm is AD, fine, but if I change to a JDBC Realm in the server config, the webapp logic and web.xml don't change. AD is just acting as the designated repository for userid/password verification and for role-checking for authenticated users.

The role-defining URL patterns, as Jelle has said, are "absolute" URLs, where the URL pattern does not include deployment or parametric information. In other words, a URL like "http://www.javaranch.com:8080/app372/admin/profile.jsp?arg1=a&arg2=b" would be pattern-matched using only the "/admin/profile.jsp" part of the URL. Despite this, the URL pattern is truly a URL pattern and not a resource pattern, which means that "/admin/stats" doesn't necessarily resolve to a physical file in the WAR (if it's a servlet URL pattern) and conversely that the security system cannot block access to "/images/pic1.jpg" if there are alternative URLs configured that can retrieve that resource but are not secured.


Customer surveys are for companies who didn't pay proper attention to begin with.
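As an added illustration of the url-pattern rules Jelle and Tim describe (example code written for this page, not Tomcat's own implementation), the Python below simulates how the container strips the context path and then applies the most specific security-constraint. The web.xml text and the "user" role are constructed for the example; the request URLs are the ones from the thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed web.xml (not the poster's): everything needs the "user" role, except
# /site/update/*, whose constraint has NO <auth-constraint> and is therefore open.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/site/update/*</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return [(url-pattern, roles)]; roles None = no <auth-constraint>, [] = an empty one."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text for r in auth.iter("role-name")]
        for pat in sc.iter("url-pattern"):
            out.append((pat.text.strip(), roles))
    return out

def specificity(pattern, path):
    """Rank a pattern against a context-relative path (servlet rules); None = no match."""
    if pattern == path:
        return (3, len(pattern))            # exact match beats everything
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if prefix == "":
            return (0, 0)                    # "/*" is the default, lowest priority
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))          # longest matching prefix wins
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)                        # extension pattern
    return None

def access_for(url, context, constraints):
    """'open', 'denied', or the sorted roles required; url must lie inside `context`."""
    path = urlparse(url).path
    path = path[len(context):] or "/"        # the container strips the context path first
    hits = [(specificity(p, path), r) for p, r in constraints]
    best = max((s for s, _ in hits if s is not None), default=None)
    roles = [r for s, r in hits if s is not None and s == best]
    if [] in roles:
        return "denied"                      # empty <auth-constraint/> denies everyone
    if not roles or None in roles:
        return "open"                        # no <auth-constraint> = unauthenticated access
    return sorted({x for r in roles for x in r})
```

Run with the thread's original /update/* or /solar/site/update/* patterns and /solar/site/update still resolves to the /* constraint, which is exactly the symptom reported above.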