security constraint - not working

Sushma Sharma
Ranch Hand

Joined: Jun 02, 2005
Posts: 139
Hi All,
I am trying to constrain access to a file, which is a jsp and I have mapped it to in web.xml.
I did the following in my web.xml for the security constraints
<web-resource-name>JSTL Choose</web-resource-name>



Now, if I understand correctly, only admin and manager are allowed to call GET method on this SO, when I try to access this file using


I should get a browser's standard pop-up form asking for user name and password.
But, it is not asking for any user name and password and I am still able to see the result.
Am I doing something wrong? Do I have to explicitly set some variable to a user role first and then try accessing this file? I am really confused...
Any help is welcome,


Frank Zammetti
Ranch Hand

Joined: Dec 16, 2004
Posts: 136
Your understanding is *mostly* correct. Two points however...

Constraint-based security works by constraining resources, as the name implies. Keep in mind though that you are only constraining the GET method... *any* user can still use POST or other methods to access that constrained resource. This isn't causing you a problem, I don't think, but it is worth noting because it trips people up a lot at first.

I think the cause of your problem is that you haven't completed the configuration... remember that the settings in web.xml do nothing without your container being made aware of the constraints. For instance, in Tomcat you would add entries to tomcat-users.xml for your admin and manager. In WebSphere it's mappings in application.xml and ibm-application-bnd.xmi; other containers will be different still.

Otherwise, I don't see anything wrong with your configuration at first glance. So, Google for details on configuring whatever container you are in and I'd expect it to work.

--
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
AIM/Yahoo: fzammetti
MSN:
Author of "Practical Ajax Projects With Java Technology" (2006, Apress, ISBN 1-59059-695-1)
and "JavaScript, DOM Scripting and Ajax Projects" (2007, Apress, ISBN 1-59059-816-4)
Java Web Parts - Supplying the wheel, so you don't have to reinvent it!
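The two points in the answer above (a constraint that lists only GET leaves other methods open, and the roles named in web.xml must be known to the container) can be checked mechanically. This Python script is an added example, not part of the original thread: both sample files are constructed, and the `audit` function and its `<login-config>` check are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not the posters' own configuration).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Constructed sample</web-resource-name>
      <url-pattern>/secure/report.jsp</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name><role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""
TOMCAT_USERS = """<tomcat-users>
  <role rolename="admin"/>
  <user username="alice" password="CONSTRUCTED" roles="admin"/>
</tomcat-users>"""

def _strip_ns(root):
    # Schema-based descriptors carry an XML namespace; compare on local names only.
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def audit(web_xml, tomcat_users_xml):
    web = _strip_ns(ET.fromstring(web_xml))
    users = _strip_ns(ET.fromstring(tomcat_users_xml))
    # Roles that at least one Tomcat user actually holds.
    held = {r.strip() for u in users.iter("user")
            for r in u.get("roles", "").split(",") if r.strip()}
    findings = []
    for sc in web.iter("security-constraint"):
        for coll in sc.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in coll.iter("url-pattern") if p.text]
            methods = sorted(m.text.strip().upper() for m in coll.iter("http-method") if m.text)
            if methods:  # listing methods constrains only those methods
                findings.append(f"{patterns}: only {methods} constrained; other methods are open")
        for r in sc.iter("role-name"):
            role = (r.text or "").strip()
            if role and role != "*" and role not in held:
                findings.append(f"role '{role}' has no user in tomcat-users.xml")
    if web.find("login-config") is None:  # e.g. BASIC, which gives the browser pop-up
        findings.append("no <login-config>: no authentication method is configured")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEB_XML, TOMCAT_USERS)))
```

An empty result means the descriptor constrains all methods for its patterns, every required role is held by some user, and an authentication method is declared; it does not prove the `url-pattern` matches the URL actually being requested.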
Sushma Sharma
Ranch Hand

Joined: Jun 02, 2005
Posts: 139

I am using Tomcat and I did create admin and manager roles before even trying this security constraint, and that's why I can't understand why it's not working...
Is there anybody who got this problem before???
K Vidhyakar
Ranch Hand

Joined: Jul 10, 2005
Posts: 68

I too have the same problem.

This is my tomcat-users.xml

and my web.xml is

Still, I am able to access the page.
If my configuration is correct, do I need to make any other changes other than in these two files?