how to write correct url-pattern in security-constraint in tomcat
v mi
Ranch Hand
Joined: May 27, 2003
Posts: 56
posted
Hi all,
My requirement is to protect all JSP pages outside the WEB-INF folder. My web.xml looks like this:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>ABC</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
Also, I have the following in the web.xml:
<!-- The Usual Welcome File List -->
<welcome-file-list>
  <welcome-file>index.jsp</welcome-file>
</welcome-file-list>
Now, because of the above, I am not allowed access to index.jsp.
I tried to change <url-pattern> to
<url-pattern>beer/*.jsp</url-pattern>
where beer is the name of the context/folder in web-apps in Tomcat, or to
<url-pattern>/beer/*.jsp</url-pattern>
but my Tomcat (Apache Tomcat/5.0.19) gives an error.
So I need to know all the rules which can be used to make a valid url-pattern.
Thanks
William Brogden
Author and all-around good cowpoke
Rancher
Joined: Mar 22, 2000
Posts: 10635
posted
Is that the ../conf/web.xml file that you have modified or the web.xml specific to the /beer webapp? What is the exact error message?
Bill
v mi
Ranch Hand
Joined: May 27, 2003
Posts: 56
posted
Hello Bill,
I modified the web.xml in the web-apps, i.e. under beer/web-inf/web.xml.
The error listing is (happens when you start Tomcat):
.....
Nov 23, 2004 11:34:30 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.0.19
Nov 23, 2004 11:34:30 AM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Nov 23, 2004 11:34:33 AM org.apache.commons.digester.Digester endElement
SEVERE: End event threw exception
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.commons.beanutils.MethodUtils.invokeMethod(MethodUtils.java:252)
    at org.apache.commons.digester.SetNextRule.end(SetNextRule.java:256)
    at org.apache.commons.digester.Rule.end(Rule.java:276)
    at org.apache.commons.digester.Digester.endElement(Digester.java:1058)
    at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
    at org.apache.xerces.impl.dtd.XMLDTDValidator.endNamespaceScope(Unknown Source)
    at org.apache.xerces.impl.dtd.XMLDTDValidator.handleEndElement(Unknown Source)
    at org.apache.xerces.impl.dtd.XMLDTDValidator.endElement(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    at org.apache.commons.digester.Digester.parse(Digester.java:1548)
    at org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java:300)
    at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:641)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:253)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4222)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1126)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:832)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1126)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:521)
    at org.apache.catalina.core.StandardService.start(StandardService.java:519)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:2345)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:594)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:297)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:398)
Caused by: java.lang.IllegalArgumentException: Invalid <url-pattern> /beer/*.jsp in security constraint
    at org.apache.catalina.core.StandardContext.addConstraint(StandardContext.java:1787)
    ... 38 more
Nov 23, 2004 11:34:33 AM org.apache.catalina.startup.ContextConfig applicationConfig
SEVERE: Parse error in application web.xml
java.lang.IllegalArgumentException: Invalid <url-pattern> /beer/*.jsp in security constraint
    at org.apache.commons.digester.Digester.createSAXException(Digester.java:2540)
    at org.apache.commons.digester.Digester.createSAXException(Digester.java:2566)
    at org.apache.commons.digester.Digester.endElement(Digester.java:1061)
    at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
    at org.apache.xerces.impl.dtd.XMLDTDValidator.endNamespaceScope(Unknown Source)
    at org.apache.xerces.impl.dtd.XMLDTDValidator.handleEndElement(Unknown Source)
    at org.apache.xerces.impl.dtd.XMLDTDValidator.endElement(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    at org.apache.commons.digester.Digester.parse(Digester.java:1548)
    at org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java:300)
    at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:641)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:253)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4222)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1126)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:832)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1126)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:521)
    at org.apache.catalina.core.StandardService.start(StandardService.java:519)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:2345)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:594)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:297)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:398)
Nov 23, 2004 11:34:33 AM org.apache.catalina.startup.ContextConfig applicationConfig
SEVERE: Occurred at line 106 column 23
Nov 23, 2004 11:34:33 AM org.apache.catalina.startup.ContextConfig start
SEVERE: Marking this application unavailable due to previous error(s)
Nov 23, 2004 11:34:33 AM org.apache.catalina.core.StandardContext start
SEVERE: Error getConfigured
Nov 23, 2004 11:34:33 AM org.apache.catalina.core.StandardContext start
SEVERE: Context startup failed due to previous errors
thanks
William Brogden
Author and all-around good cowpoke
Rancher
Joined: Mar 22, 2000
Posts: 10635
posted
Well, that's pretty obvious: it doesn't like the way you wrote the url-pattern. I have never done this so I don't know what it is looking for, but if it was my problem I would try removing that leading /beer, since url-pattern tags for a web-app don't usually mention the web-app directory.
Bill
Mike Curwen
Ranch Hand
Joined: Feb 20, 2001
Posts: 3689
posted
The exact problem with this pattern: "/beer/*.jsp"
is that it starts with a '/', indicating a path mapping, and ends with an extension mapping.
URL-patterns must be one of the following:
- start with a '/' and end with a '/*', use this one for path patterns
- start with a '*.' and end with a character, use this for extension mapping
- some sequence of characters starting with '/' and not ending in '*', use this for exact matches.
If you want to secure the /beer pages, then the pattern should be "/beer/*"
v mi
Ranch Hand
Joined: May 27, 2003
Posts: 56
posted
Hi,
Thanks, Mike, for the rules given for URL-patterns.
I tried using <url-pattern>/beer/*</url-pattern>. Tomcat does not give an error, but when I try to access the JSP page, the page is rendered, so I am using <url-pattern>*.jsp</url-pattern>. By this, no access is given to my JSP pages.
Thanks
Mike Curwen
Ranch Hand
Joined: Feb 20, 2001
Posts: 3689
posted
ah. well if your application is being mapped to '/beer', then the url-pattern /beer/* would apply to urls like this:
Don't include the name of the application in any of your url-patterns (this applies not just to security constraints, but for any url-patterns anywhere).
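The three pattern rules and the context-path point from the two replies above, as an added Java example that is not part of the thread and not Tomcat's own code. `UrlPatternCheck`, `classify`, `contextRelative` and `matches` are hypothetical names, and flagging every stray '*' in a '/' pattern is this lint's own assumption.

```java
// Added example, not Tomcat's code: lints <url-pattern> values with the rules
// from this thread and matches them against context-relative paths.
public class UrlPatternCheck {
    enum Kind { PATH_PREFIX, EXTENSION, EXACT, DEFAULT, INVALID }

    static Kind classify(String p) {
        if (p == null || p.isEmpty()) return Kind.INVALID;
        if (p.startsWith("*.")) {
            // Extension mapping: "*.ext" only, with no path part
            return (p.length() > 2 && p.indexOf('/') < 0) ? Kind.EXTENSION : Kind.INVALID;
        }
        if (!p.startsWith("/")) return Kind.INVALID;   // e.g. beer/*.jsp
        if (p.equals("/")) return Kind.DEFAULT;        // default mapping
        if (p.endsWith("/*")) {
            // Path mapping: the only '*' allowed is the trailing one
            return p.indexOf('*') == p.length() - 1 ? Kind.PATH_PREFIX : Kind.INVALID;
        }
        // Lint choice (assumption): any other '*' after a leading '/' is flagged,
        // which catches the mixed path + extension form /beer/*.jsp
        return p.indexOf('*') >= 0 ? Kind.INVALID : Kind.EXACT;
    }

    // Patterns are compared with the path inside the web app, so the context
    // path ("/beer" in this thread) is removed from the request URI first.
    static String contextRelative(String uri, String ctx) {
        return (uri.equals(ctx) || uri.startsWith(ctx + "/")) ? uri.substring(ctx.length()) : uri;
    }

    static boolean matches(String pattern, String path) {
        switch (classify(pattern)) {
            case PATH_PREFIX:
                String prefix = pattern.substring(0, pattern.length() - 2);
                return path.equals(prefix) || path.startsWith(prefix + "/");
            case EXTENSION:
                String last = path.substring(path.lastIndexOf('/') + 1);
                return last.endsWith(pattern.substring(1));
            case EXACT: return path.equals(pattern);
            case DEFAULT: return true;   // single-pattern view: nothing else claims the path
            default: return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the patterns tried in this thread plus "/*"
        String[] patterns = { "*.jsp", "/beer/*", "/beer/*.jsp", "beer/*.jsp", "/*" };
        String path = contextRelative("/beer/index.jsp", "/beer");
        for (String p : patterns)
            System.out.println(p + " -> " + classify(p) + ", matches " + path + ": " + matches(p, path));
    }
}
```

Run against the constructed request /beer/index.jsp, it shows why /beer/* leaves the page unprotected inside the /beer application while *.jsp and /* both cover it.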
Glenio Alexandre Nogueira
Greenhorn
Joined: Dec 02, 2004
Posts: 4
posted
Hi, if you want to filter many types of files, then add an extra filter-mapping. It works:
<filter-mapping>
  <filter-name>Filter 1</filter-name>
  <url-pattern>*.do</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>Filter 1</filter-name>
  <url-pattern>*.jsp</url-pattern>
</filter-mapping>
Bye. Glenio Alexandre