I am using Windows and Tomcat. I access the resource by the following URL: http://localhost:8080/ex0502/CheckedServlet. The CheckedServlet.java is just some simple codes to do test. It supports doGet() & doPost() methods. If the web.xml changes to the following codes, it works fine.
- Did the servlet intend to send 403? - If not, restart the browser you'll get through, "*" means all user roles are allowed to gain access to those resources you mean. - add declaratives below to web.xml, then authentication will pop up
[ January 14, 2007: Message edited by: Bob CHOI ]
Hard work rewards
Joined: Sep 15, 2004
There is a basic confusion here .... Security Constraint is NOT ABOUT ALLOWING ACCESS ... it is about CONSTRAINING ACCESS ....
When you say "*", you mean that you restrict all roles from accessing the resource. So you have to go through authentication.
If you want to allow all resources, then remove the security-constraint.
Joined: Nov 10, 2006
except from servlet spec p143 $17
"The auth-constraint indicates the user roles that should be permitted access to this resource collection."
Joined: Aug 25, 2006
I removed the following codes, it works. I am confused the "*". Thanks Manikandan!
if security mechanism is concerned simply with authentication(A) and authorization(A), the scenarioes below demostrate how the basics work.
- client access to "hello.jsp" is required to be AAed - hello.jsp is located under web app root "myapp" - Tomcat has created a few default user-password-role mapping, we'll use the one "tomcat-tomcat-tomcat"
1. client requesting http://localhost/myapp/hello.jsp 2. server asking for authentication 3. client popping up authentication window 4. user typing "tomcat", "tomcat" 5. client requesting http://localhost/myapp/hello.jsp with encoded authentication info 6. server verifying and authorizing the access 7. "hello tomcat" returning to client
web.xml config-2: use "*" for permitting all roles