I'm fairly new to configuring server.xml and web.xml files in tomcat 4.
I am trying to require password authentication for access to a
subdirectory called "update" located within ROOT. I want all files
located directly in ROOT to be available without a password. I am having
trouble determing the correct path to use for the <url-pattern> in the
web.xml file in WEB-INF so that only the files in the subdirectory
"update" within ROOT are password protected.
If I use <url-pattern>/*</url-pattern> then no pages on the site may be
accessed without a password no matter their location. I am presuming
that this means I have set up the basic authentication correctly in
tomcat-users.xml, server.xml (in conf) and web.xml (in WEB-INF) but that
I now simply need to put the correct path into the <url-pattern> in
web.xml.
However, when I use <url-pattern>/update/*</url-pattern>, I can access
all of the pages within the update directory without being asked for a
password. I've experimented with many different paths and have not had
luck with any. I have been careful to close my browser and open a new
one each time between tests. I've also tried restarting tomcat for every
new test. Nothing works.
In my server.xml file, <Realm
className="org.apache.catalina.realm.MemoryRealm" /> is located within
the <Engine> tag (not within <Host> or <context>).
Have hunted around for a solution without much luck. I assume that I am
missing something very simple.
Here is my complete web.xml file...
<web-app>
<display-name>SMUpdate App webxml</display-name>
<!-- form login security tags -->
<security-constraint>
<web-resource-collection>
<web-resource-name>SMUpdate</web-resource-name>
<url-pattern>/*</url-pattern> <!-- this works but causes password
to be required for access to all pages on entire site -->
</web-resource-collection>
<auth-constraint>
<role-name>smupdate</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>SMUpdate</realm-name>
</login-config>
<servlet-mapping>
<servlet-name>invoker</servlet-name>
<url-pattern>/servlet/*</url-pattern>
</servlet-mapping>
</web-app>
Any suggestions would be very much appreciated.
Thanks.