
Tomcat - Security/web.xml configuration

Status
Not open for further replies.

john69c

Programmer
Jun 17, 2004
4
FI
--------------------------------------------------------------------------------

Hi,

I am trying to add some security features to an already developed web application. The problem is that I have modified the web.xml, but the basic authorization doesn't work for one file, and that's "index.html", which plays the role of the introduction page. All the rest demand identification first, before I can browse them, except "index.html".

Also, when I tried to set another page as the "welcome-file", it just didn't work! It seems that this "index.html" is set as the default welcome file no matter what I do. I have searched all the files that contain a reference to that page, or a redirection to it, but I couldn't find anything.

Here's the addition I made to the application's web.xml:

<!-- SECURITY CONSTRAINT -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SecureHello</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>customer</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<!-- SECURITY ROLES -->
<security-role>
    <role-name>customer</role-name>
</security-role>

<!-- WELCOME FILE IS NOT WORKING! -->
<welcome-file-list>
    <!-- keep the file name on one line: some containers do not trim surrounding whitespace -->
    <welcome-file>copyright.jsp</welcome-file>
</welcome-file-list>
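As an added illustration (not code from the thread), the following script lints a web.xml for the three things a reviewer would flag in the configuration above: an `<http-method>` list constrains only the listed verbs, BASIC auth with `<transport-guarantee>NONE</transport-guarantee>` sends the base64 credentials in clear text, and a `<welcome-file>` name wrapped in newlines may not match. The sample web.xml embedded in it is constructed to resemble the posted one.

```python
"""Added example, not from the thread: lint the security-relevant parts of a
Tomcat web.xml for the pitfalls visible in the posted configuration."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the posted web.xml (not the real file).
SAMPLE_WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecureHello</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>customer</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method></login-config>
<welcome-file-list><welcome-file>
copyright.jsp
</welcome-file></welcome-file-list>
</web-app>"""


def lint_web_xml(xml_text):
    """Return a list of finding strings for the given web.xml text."""
    root = ET.fromstring(xml_text)
    findings = []
    auth = (root.findtext("login-config/auth-method") or "").strip().upper()
    for sc in root.findall("security-constraint"):
        # A missing user-data-constraint behaves like NONE.
        tg = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
            methods = [m.text.strip().upper() for m in wrc.findall("http-method")]
            if methods:  # listing verbs leaves every other verb unconstrained
                findings.append(f"{patterns}: only {methods} constrained; other verbs "
                                "(HEAD, PUT, DELETE, OPTIONS...) bypass the auth-constraint")
            if auth == "BASIC" and tg.upper() == "NONE":
                findings.append(f"{patterns}: BASIC credentials sent over plain HTTP "
                                "(transport-guarantee NONE); use CONFIDENTIAL")
    for wf in root.findall("welcome-file-list/welcome-file"):
        if wf.text != wf.text.strip():  # newline-wrapped name, as in the post
            findings.append(f"welcome-file {wf.text.strip()!r} is wrapped in whitespace; "
                            "put the file name on one line")
    return findings
```

Omitting the `<http-method>` elements altogether makes the constraint apply to every verb.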


Ok, I tried a few things and some modifications. The problem is not changing the default welcome page, but including it in the restricted pages so that the basic authorization will work for it as well.

In the first place it seemed that only the index.html page was not included in the authorization. But then I made a second .html page to test it, and I included it in the web.xml of the application, as restricted.

Guess what: neither of the two html pages asked for login before browsing them. Somehow the html pages are totally unaffected, but this doesn't seem right. I know that basic authorization in Tomcat works for any kind of pages...

Please, if anyone has anything to suggest, let me know...
 
So, to sum up: whatever page you set as the welcome page does not pass through the filter. Is this correct?
 
Yes, no matter what page I set as the welcome page, it doesn't appear. The default page remains index.html.

Another thing I forgot to mention is that this application uses Apache Server as well. I am under the impression that the role of the web server is assigned to Apache and Tomcat handles only the .jsp pages.

That's why the basic authentication I implemented in the application's web.xml, inside Tomcat, works only for the JSP pages!

I found this in the tomcat.conf file:

#################### All jsp files will go to tomcat ####################
ApJServMount default /root

AddType text/jsp .jsp
AddHandler jserv-servlet .jsp

############################## Context mapping - all requests go to tomcat

ApJServMount /examples /root


Can I possibly modify it so that the html pages are handled by Tomcat as well?
 
Ahhh, well you didn't say that!

I've never used JServ, but I guess if you add:

AddType text/html .html
AddType text/html .htm


it might fix the problem ...


--------------------------------------------
Database Connection Pooling Software
 
Thanks,

I already tried to modify tomcat.conf and added

AddType text/html .html

but it didn't work. It seems that the modification must be done in server.xml or somewhere in the Apache server configuration files.

SERVER.XML
<!-- Loaded last since JSP's that load-on-startup use request handling -->
<ContextInterceptor className="org.apache.tomcat.context.LoadOnStartupInterceptor"/>

<!-- ==================== Connectors ==================== -->

<!-- Normal HTTP
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler"
               value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
    <Parameter name="port"
               value="8080"/>
</Connector>
-->

<!--
Uncomment this for SSL support.
You _need_ to set up a server certificate if you want this
to work, and you need JSSE.
1. Add JSSE jars to CLASSPATH
2. Edit java.home/jre/lib/security/java.security
   Add:
   security.provider.2=com.sun.net.ssl.internal.ssl.Provider
3. Do: keytool -genkey -alias tomcat -keyalg RSA
   RSA is essential to work with Netscape and IIS.
   Use "changeit" as password. ( or add keypass attribute )
   You don't need to sign the certificate.

You can set parameter keystore and keypass if you want
to change the default ( user.home/.keystore with changeit )
-->
<!--
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
    <Parameter name="port" value="8443"/>
    <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/>
</Connector>
-->

<!-- Apache AJP12 support. This is also used to shut down tomcat. -->
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler" value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
    <Parameter name="port" value="8007"/>
</Connector>

<!-- Apache AJP13 support. -->
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
    <Parameter name="handler" value="org.apache.tomcat.service.connector.Ajp13ConnectionHandler"/>
    <Parameter name="port" value="8009"/>
</Connector>


I tried to uncomment some of the connectors to allow Tomcat to handle HTTP requests, and as a result the .html files as well, but that creates problems. It seems that Apache must be the web server and Tomcat must handle all the .jsp pages and servlets.

But is there a way to allow Tomcat to handle this specific file, the index.html? Just this one, so that the authentication of Tomcat can include it as well???
 
Let's get things straight.

Is Apache or Tomcat handling html files?

If it is Apache, then leave Tomcat alone, and work out how to pass html files from Apache --> Tomcat.

If it is Tomcat, then it means that Apache IS forwarding html requests to Tomcat, and the problem lies with Tomcat.

You can determine if Tomcat is servicing html requests by looking in your Tomcat (NOT Apache) access logs and looking for a .html file request.

--------------------------------------------------
Free Database Connection Pooling Software
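The log check suggested above, as an added example that is not part of the thread: it compares Apache's and Tomcat's access logs and reports which server actually logged requests for .html files. It assumes both logs use the Common Log Format; the log lines are constructed, with index.html appearing only on the Apache side while copyright.jsp is proxied through to Tomcat.

```python
"""Added example, not from the thread: work out which server actually serves
the .html files by comparing Apache's and Tomcat's access logs.
Assumes both logs use the Common Log Format; the lines are constructed."""
import re
from urllib.parse import urlsplit

# host ident user [time] "METHOD path proto" status ...
CLF = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample logs: index.html only ever appears in the Apache log,
# while copyright.jsp is proxied through to Tomcat (which issues the 401).
APACHE_LOG = """\
10.0.0.5 - - [17/Jun/2004:10:01:02 +0300] "GET /index.html HTTP/1.1" 200 1342
10.0.0.5 - - [17/Jun/2004:10:01:05 +0300] "GET /copyright.jsp HTTP/1.1" 401 0
10.0.0.5 - - [17/Jun/2004:10:01:09 +0300] "GET /copyright.jsp HTTP/1.1" 200 876
"""
TOMCAT_LOG = """\
10.0.0.5 - - [17/Jun/2004:10:01:05 +0300] "GET /copyright.jsp HTTP/1.1" 401 0
10.0.0.5 - customer [17/Jun/2004:10:01:09 +0300] "GET /copyright.jsp HTTP/1.1" 200 876
"""

def paths_with_suffix(log_text, suffix):
    """Set of request paths (query string stripped) ending in `suffix`."""
    seen = set()
    for line in log_text.splitlines():
        m = CLF.match(line)
        path = urlsplit(m.group("path")).path if m else ""  # non-CLF lines are skipped
        if path.lower().endswith(suffix):
            seen.add(path)
    return seen

def who_serves(apache_log, tomcat_log, suffix=".html"):
    """Map each matching path to the list of servers that logged it."""
    apache = paths_with_suffix(apache_log, suffix)
    tomcat = paths_with_suffix(tomcat_log, suffix)
    return {p: [n for n, s in (("apache", apache), ("tomcat", tomcat)) if p in s]
            for p in sorted(apache | tomcat)}

def verdict(apache_log, tomcat_log, suffix=".html"):
    """'apache-only' means the container, and so its web.xml constraints, never sees them."""
    served = who_serves(apache_log, tomcat_log, suffix)
    if not served:
        return "no-requests"
    if all(s == ["apache"] for s in served.values()):
        return "apache-only"
    if all("tomcat" in s for s in served.values()):
        return "forwarded-to-tomcat"
    return "mixed"
```

An "apache-only" verdict for .html confirms the situation described in this thread: Apache answers those requests itself, so Tomcat's security-constraint is never consulted for them.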
 
I believe that Apache handles the html files. I think this is true because my colleague implemented basic authentication in Apache by modifying the "httpd" and ".htaccess" files, but the authentication works only for the html files of the application.

In other words, the authentication I did in Tomcat works only for the jsp files, and the authentication he did in Apache on his computer works only for the html files.

So, I suppose that somehow I can allow Tomcat to handle the index.html file and include it in the basic authentication I did on my computer in the Tomcat server.

??
 
Does anyone know how to display a personalized 401 error page when the BASIC authentication dialog window's cancel button is clicked?

If I use the error-page tag in the web.xml, the personal error page comes up before the dialog window (username and password) shows; if I do not use the error-page tag, I get the dialog window, but on clicking cancel it shows the default Tomcat 401 error page.

What am I doing wrong?

Thanks for the support.
 