[SOLVED] Having a secure folder on Tomcat

pmorin · 09-09-2011, 03:29 AM

Hi !

I have a folder I would like to secure by a password on my Tomcat Server.
On this server, I have Liferay 6 CE and I created a folder "/html/admin" on the Liferay's root folder.
I added a user in tomcat-users.xml and I've been told here that I should add some lines in the web.xml of my application (Liferay in my case).
I'd like to reproduce the behavior we can have with a .htaccess on Apache.

The problem :
When I added the following lines in Liferay's web.xml, the app is not working.
I think the problem comes from the fact that there is already some security constraints in the file, but I don't know how to do what I want : securing /html/admin files by a password without breaking all the Liferay default's configuration.

Here are the lines I added in the web.xml file (between <web-app> tags) :

Code:

<security-constraint>
        <web-resource-collection>
                <web-resource-name>Ressource</web-resource-name>
                <url-pattern>/html/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
                <role-name>admin</role-name>
        </auth-constraint>
</security-constraint>

<login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Admin Liferay pages</realm-name>
</login-config>

<security-role>
        <description>Securing /html/admin/</description>
        <role-name>admin</role-name>
</security-role>

Can you help me ?

Thanks !
Pit

pmorin · 09-12-2011, 10:49 AM

Nobody knows if we can have several "security-constraint" tags in "web.xml" ?

pmorin · 09-15-2011, 09:10 AM

Really ? No one knows ?

Maybe I'm not clear enough. In that case, please, tell me so.

pmorin · 09-26-2011, 05:15 AM

You can't have more than one "login-config", so you can't have an ".htaccess like" protected folder on a webapps using a "form" authentication method.
In my case, using Liferay, it's impossible to have a folder protected by "tomcat-users.xml" users.

To achieve what I wanted, I created a new webapp :
webapps/protectedfolders/WEB-INF/web.xml
webapps/protectedfolders/protected/

With webapps/protectedfolders/WEB-INF/web.xml :

Code:

<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
    <display-name>protectedfolder</display-name>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected files</web-resource-name>
            <url-pattern>/protected/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>default</realm-name>
    </login-config>

    <security-role>
        <description>Securing protected pages</description>
        <role-name>admin</role-name>
    </security-role>
</web-app>