Hi,

I am trying to set up Tomcat as a secure web engine.
>From the tutorial I understood that you should insert the following
lines in web.xml and the password protection should work.

This works perfectly for files in the root directory (/*), it does not
work for files in subdirectories, like /secure/*.

Have you have ever seen this problem before?

Thanks for any help

-- Rosaria

<!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
...

<!-- SECURITY CONSTRAINT -->
<security-constraint>
<web-resource-collection>
  <web-resource-name>Secure Pages</web-resource-name>
  <description>Security constraint on all files</description>
  <url-pattern>/*</url-pattern>
  <url-pattern>/secure/*</url-pattern>
  <http-method>POST</http-method>
  <http-method>GET</http-method>
</web-resource-collection>

<auth-constraint>
  <description>admin can login</description>
  <role-name>admin</role-name>
</auth-constraint>

 <user-data-constraint>
  <description>SSL not required</description>
  <transport-guarantee>NONE</transport-guarantee>
 </user-data-constraint>
</security-constraint>

<session-config>
 <session-timeout>30</session-timeout>
</session-config>

<!-- LOGIN AUTHENTICATION -->

<login-config>
<auth-method>FORM</auth-method>
<realm-name>default</realm-name>
<form-login-config>
  <form-login-page>/LoginForm.html</form-login-page>
  <form-error-page>/LoginError.html</form-error-page>
</form-login-config>

</login-config>

<!-- SECURITY ROLES -->

<security-role>
 <description>The most secure role</description>
 <role-name>admin</role-name>
</security-role>

</web-app>


-- Rosaria



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@(protected)
For additional commands, e-mail: tomcat-user-help@(protected)