My web.xml is listed below. I tested with
tomcat 5.0.29 and requested /first.jsp. I was prompted with a login prompt and I entered the password for an account with "admin" role. Unexpectedly, the /first.jsp was displayed!!
My understanding is that this should not have happened, because I used <auth-constraint /> in my second <security-constraint>. Could anyone help me spot any mistake I may have made?
Thx
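<!-- Servlet 2.4 deployment descriptor: two security constraints on /first.jsp,
     BASIC authentication, and the roles the constraints refer to. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <!-- xsi:schemaLocation takes "namespace-URI schema-URL" pairs; with a single
       URI a validating parser has no schema to check this file against. -->

  <!-- security-constraint
       Both constraints below match the same URL pattern and HTTP methods, so the
       container has to combine them. Under the Servlet 2.4 rules, an
       auth-constraint that names no roles overrides every other constraint on the
       same request and access must be refused for all callers, whatever role
       they hold. A container that serves /first.jsp to an "admin" user with this
       descriptor is not following that rule; re-test on a current release of the
       container. -->

  <!-- Constraint 1: /first.jsp requires the "admin" role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>hello</web-resource-name>
      <url-pattern>/first.jsp</url-pattern>
      <!-- Listing http-method limits the constraint to these methods only;
           any other method on /first.jsp is left unconstrained. Omit the
           http-method elements to cover every method. -->
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Constraint 2: the empty auth-constraint means "no role may access".
       If denying /first.jsp is the intent, this constraint alone expresses it
       and constraint 1 can be dropped, which removes any dependence on how the
       container combines the two. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ss</web-resource-name>
      <url-pattern>/first.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- login-config
       BASIC sends the password base64-encoded, not encrypted. Neither
       constraint above declares a user-data-constraint, so nothing here forces
       the login onto TLS; add one with transport-guarantee CONFIDENTIAL once an
       SSL connector is available. -->
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

  <!-- security-role
       The 2.4 schema allows one role-name per security-role element, so each
       role gets its own element. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>tomcat</role-name>
  </security-role>

  <!-- welcome-file-list: none declared -->
  <!-- filter: none declared -->
</web-app>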