Title: Enhancement: tweaked web.xml
Date: 17-Nov-2004 05:57:43 EET
PageProvider used: N/A
Servlet Container: Tomcat 5.0.19
Browser version: Safari
Java version: Sun 1.4.2_05-b04

Hi Janne --

Slight enhancement for those folks (like me) who use container-managed security. The existing security constraints in web.xml (commented out by default) are decent, but could be tightened in some areas and loosened in others.

Below are the constraints I use, which work pretty well. They protect "write" activities like editing and uploading, but permit unauthenticated downloading of attachments. Note that /attach has a constraint that requires auth for DELETE, POST and PUT operations, but not for GET or HEAD.

           <web-resource-name>Protected Area</web-resource-name>

           <web-resource-name>Read-only Area</web-resource-name>


Thanks and keep up the fine work! --Andrew Jaquith

Added for 2.1.122. Good catch, I had forgotten about this. (I skipped LoginRedirect.jsp, since we don't have it :). I also left in UserPreferences.jsp, since in the future you might want to be able to do things like viewing preferences. I added Comment.jsp.)

-- JanneJalkanen
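
An added example, not part of the original posts or of JSPWiki: a small Python check that reads a web.xml and reports, per url-pattern, which HTTP methods its security constraints put behind a login, so that a GET/HEAD exemption like the /attach one described above shows up explicitly. The sample web.xml, its url patterns and the role name are constructed for illustration; patterns are reported as written, not resolved against request paths.

```python
import xml.etree.ElementTree as ET
# Constructed sample (not the web.xml from the post); patterns and role name are assumptions.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/Comment.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Authenticated</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Read-only Area</web-resource-name>
      <url-pattern>/attach/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Authenticated</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

ALL = "ALL"  # marker: the constraint lists no <http-method>, so it covers every method

def _name(elem):
    """Tag name without namespace, so DTD-based and schema-based web.xml both work."""
    return elem.tag.rsplit("}", 1)[-1]

def protected_methods(web_xml):
    """Map each url-pattern to the methods that need a login (set of verbs, or ALL).
    Constraints without an <auth-constraint> demand no login and are skipped."""
    report = {}
    for sc in ET.fromstring(web_xml).iter():
        if _name(sc) != "security-constraint" or not any(
                _name(c) == "auth-constraint" for c in sc):
            continue
        for coll in (c for c in sc if _name(c) == "web-resource-collection"):
            kids = [(_name(k), (k.text or "").strip()) for k in coll]
            methods = {v.upper() for t, v in kids if t == "http-method"}
            for pattern in (v for t, v in kids if t == "url-pattern"):
                if not methods or report.get(pattern) == ALL:
                    report[pattern] = ALL
                else:
                    report[pattern] = report.get(pattern, set()) | methods
    return report

def unauthenticated(report, pattern, verbs=("GET", "HEAD", "POST", "PUT", "DELETE")):
    """Verbs from `verbs` that reach `pattern` without a login."""
    covered = report.get(pattern, set())
    return [] if covered == ALL else [v for v in verbs if v not in covered]
```

A verb that is absent from a constraint's http-method list is not covered by that constraint, so pass any additional verbs your container accepts in `verbs` to see whether they are left open.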

« This page (revision-6) was last changed on 07-Jun-2005 15:52 by