Tomcat only reads last security-constraint

 
Greenhorn
Posts: 16
Hi,

I have 2 <security-constraint> in my web.xml but only the last one is used in my Tomcat.


and:



I can only authenticate with users from the "first" role. Any ideas what the reason for this could be?

Thank you

Markus
 
Rancher
Posts: 989
9
Where is the part where you declare all the roles that are part of your application?
 
Markus Neumaier
Greenhorn
Posts: 16
In my tomcat-users.xml:


 
E Armitage
Rancher
Posts: 989
9
Don't you have <security-role> elements in your web.xml?
 
Markus Neumaier
Greenhorn
Posts: 16
Yes, I do. Beneath the <security-constraint>:



But I'm actually not 100% certain about their use. I thought they are just some kind of declaration.
 
Sheriff
Posts: 10445
227
IntelliJ IDE Ubuntu
I don't fully understand the question/problem. Can you explain what URL you are accessing and what authentication/authorization isn't working?
 
Markus Neumaier
Greenhorn
Posts: 16
The problem is only with the <security-constraint> that grants access to all resources /*. Named: "AuthenticatedAccess"
But what it actually does is deny access to all resources located directly in the root directory. I can still access all resources in subdirectories, which I find kind of odd...
Any ideas why that could be the case?


Edit: The authorization seems to work, if I try to log in with an invalid user I get forwarded to my error page. If I log in with a user that is linked to the security-constraint "AuthenticatedAccess" I get an HTTP 403 access denied.

Edit2: Adding all pages under the root directory manually to the url-patterns worked. But I still don't understand the problem. It worked until I added the second security-constraint.
 
Saloon Keeper
Posts: 27762
196
Android Eclipse IDE Tomcat Server Redhat Java Linux
I think it would be a good idea to grab a copy of the J2EE specification document from oracle.com and read up on the rules for security constraints. The spec should indicate precisely how URL patterns that are more generic than similar patterns are considered and what happens if a URL matches more than one pattern (or the pattern occurs twice).
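
The rules the post above points to are in the Java Servlet specification: a request is checked only against the constraints on its best-matching url-pattern, and constraints sharing that pattern are combined. The following is an added example, not code from this thread or from Tomcat, that models those two rules in simplified form; the constraint names, patterns and roles in `SAMPLE` are constructed and are not the poster's web.xml.

```python
# Simplified model of Servlet-spec constraint selection (added example).
# Not modelled: <http-method>, the "*" role name, <user-data-constraint>.

def match_rank(pattern, path):
    """Sort key if pattern matches path (higher = better match), else None."""
    if pattern == path:
        return (3, len(pattern))                     # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))                  # longest path prefix wins
    leaf = path.rsplit("/", 1)[-1]
    if pattern.startswith("*.") and "." in leaf and leaf.rsplit(".", 1)[1] == pattern[2:]:
        return (1, 0)                                # extension match
    return (0, 0) if pattern == "/" else None        # default pattern


def effective_roles(path, constraints):
    """constraints: (name, url_patterns, roles); roles=None means the constraint
    has no <auth-constraint>, [] means an empty one.
    Returns None if access is open, else the set of permitted roles."""
    best, selected = None, []
    for _name, patterns, roles in constraints:
        for pattern in patterns:
            rank = match_rank(pattern, path)
            if rank is None:
                continue
            if best is None or rank > best:
                best, selected = rank, [roles]       # better match replaces the rest
            elif rank == best:
                selected.append(roles)               # same pattern: combine
    if not selected:
        return None                                  # no constraint applies
    if any(r is not None and not r for r in selected):
        return set()                                 # empty auth-constraint: deny all
    if any(r is None for r in selected):
        return None                                  # no auth-constraint: open
    return set().union(*selected)                    # union of named roles


# Constructed sample: names, patterns and roles are hypothetical.
SAMPLE = [
    ("AdminArea", ["/admin/*"], ["admin"]),
    ("AllPages", ["/*"], ["user"]),
    ("Auditing", ["/*"], ["auditor"]),
    ("Templates", ["/templates/*"], []),
]

if __name__ == "__main__":
    for p in ("/index.jsp", "/admin/users.jsp", "/templates/head.jsp", "/admin"):
        print(p, "->", effective_roles(p, SAMPLE))
```

In this model a role granted on `/*` does not carry over to a path covered by a more specific pattern, because only the best match is consulted.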
 