Dakkar

Reputation: 5942

tomcat and security-constraint: url pattern not working

I have 2 apps deployed to a tomcat server. One of them (app2) I want to be protected by tomcat.

Example of the resulting URLs:

localhost:8080/app1
localhost:8080/app2

I do not develop the apps themselves, so I have no access to the application-specific web.xml of the apps. So I'm using the "global" one in the /conf folder of tomcat. This is what I added:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee                       http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd" version="4.0">

  <security-constraint>
    <display-name>app2 Users</display-name>
    <web-resource-collection>
      <web-resource-name>app2 Content</web-resource-name>
      <url-pattern>/app2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>*</role-name>
  </security-role>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
    <init-param>
      <param-name>fork</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>xpoweredBy</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>3</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspx</url-pattern>
  </servlet-mapping>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <!-- mime type mappings -->
</web-app>

IMHO this is all that's necessary to protect app2, but I do not get a password prompt, and app2 is accessible without basic auth. Here is the log:

15-Jul-2020 14:58:35.663 FINE [http-nio-8080-exec-1] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /blabla2/
15-Jul-2020 14:58:35.664 FINE [http-nio-8080-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[blabla Content]' against GET /index.jsp --> false
15-Jul-2020 14:58:35.664 FINE [http-nio-8080-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[blabla Content]' against GET /index.jsp --> false
15-Jul-2020 14:58:35.664 FINE [http-nio-8080-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[blabla Content]' against GET /index.jsp --> false
15-Jul-2020 14:58:35.664 FINE [http-nio-8080-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking constraint 'SecurityConstraint[blabla Content]' against GET /index.jsp --> false
15-Jul-2020 14:58:35.665 FINE [http-nio-8080-exec-1] org.apache.catalina.realm.RealmBase.findSecurityConstraints   No applicable constraint located

When setting the url-pattern to /* everything works, but (as expected) app1 is protected too. What's wrong with my url-pattern?

Upvotes: 2

Views: 4719

Answers (1)

jkroepke

Reputation: 131

The web.xml is only for server-wide configuration. You can't define settings that are related to just one deployment/context.

Since security-constraints work at the deployment level, settings like url-pattern are related to the deployment web root.

Example:

    <security-constraint>
        <display-name>Authorized Only</display-name>
        <web-resource-collection>
            <web-resource-name>Authorized Only</web-resource-name>
            <url-pattern>/hello</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

Would block /app1/hello and /app2/hello.

If you would like to add authorization to just one deployment, you have to set this setting inside the configuration of the deployment.

See https://stackoverflow.com/a/17948661/8087167 for another example.

Upvotes: 1
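The mechanism the answer describes, as an added example that is not part of the question or the answer and is not Tomcat's own code: a small Python model of how a servlet container picks the context for a request and then checks each security-constraint url-pattern against the context-relative path. The web.xml snippets inside it are constructed samples (the asker's global /app2/* constraint, the /hello constraint from the answer, and a /* constraint as it would sit in app2's own WEB-INF/web.xml); the context paths /app1 and /app2 are assumed. The matching rules are the simplified servlet-spec forms (exact, path-prefix `/x/*`, extension `*.ext`), so it shows why /app2/* never matches /index.jsp in the log while /hello matches in both apps.

```python
import xml.etree.ElementTree as ET

# Namespace of the web-app deployment descriptor (same as in the question's web.xml).
NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}

# Constructed sample: the asker's constraint as placed in conf/web.xml.
GLOBAL_APP2_PREFIX = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>app2 Content</web-resource-name>
      <url-pattern>/app2/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: the answer's /hello constraint in conf/web.xml.
GLOBAL_HELLO = GLOBAL_APP2_PREFIX.replace("/app2/*", "/hello")

# Constructed sample: a /* constraint in app2's own WEB-INF/web.xml (hypothetical).
APP2_LOCAL_ALL = GLOBAL_APP2_PREFIX.replace("/app2/*", "/*")

# Assumed deployments on the server.
CONTEXT_PATHS = ["/app1", "/app2"]


def constraint_patterns(web_xml):
    """Return every <url-pattern> found under <security-constraint> in a web.xml string."""
    root = ET.fromstring(web_xml)
    xpath = "j:security-constraint/j:web-resource-collection/j:url-pattern"
    return [p.text.strip() for p in root.findall(xpath, NS)]


def pattern_matches(pattern, path):
    """Simplified servlet-spec url-pattern matching against a context-relative path."""
    if pattern.endswith("/*"):                      # path-prefix pattern, e.g. /app2/* or /*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                    # extension pattern, e.g. *.jsp
        return path.endswith(pattern[1:])
    return path == pattern                          # exact pattern, e.g. /hello


def split_request(request_uri, context_paths):
    """Pick the longest context path that prefixes the URI; the remainder is what
    constraints are checked against (this is the /index.jsp seen in the log)."""
    best = ""
    for cp in context_paths:
        if (request_uri == cp or request_uri.startswith(cp + "/")) and len(cp) > len(best):
            best = cp
    relative = request_uri[len(best):] or "/"
    if relative.endswith("/"):                      # welcome-file rewrite, as in the log
        relative += "index.jsp"
    return best, relative


def is_protected(request_uri, global_web_xml=None, local_web_xml_by_context=None):
    """True if any applicable constraint matches the context-relative path.
    Global (conf/web.xml) patterns apply to every context; local ones only to theirs."""
    local_web_xml_by_context = local_web_xml_by_context or {}
    ctx, relative = split_request(request_uri, CONTEXT_PATHS)
    patterns = []
    if global_web_xml:
        patterns += constraint_patterns(global_web_xml)
    if ctx in local_web_xml_by_context:
        patterns += constraint_patterns(local_web_xml_by_context[ctx])
    return any(pattern_matches(p, relative) for p in patterns)


if __name__ == "__main__":
    for uri in ["/app2/", "/app2/index.jsp", "/app1/hello", "/app2/hello", "/app1/index.jsp"]:
        print(uri,
              "global /app2/*:", is_protected(uri, GLOBAL_APP2_PREFIX),
              "global /hello:", is_protected(uri, GLOBAL_HELLO),
              "app2-local /*:", is_protected(uri, None, {"/app2": APP2_LOCAL_ALL}))
```

Running it reproduces the three situations on this page: the global /app2/* pattern protects nothing, because inside the /app2 context the path being checked is /index.jsp, not /app2/index.jsp; the global /hello pattern protects /hello in both app1 and app2; and a /* pattern in app2's own deployment descriptor protects app2 only.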
