Declarative Security using web.xml

Faisal Khan
Ranch Hand

Joined: Jun 29, 2003
Posts: 285
Hi,
I have a couple of secure areas on a webapp and need to add more. I have the following in my deployment descriptor:

My question is how can I make it such that different security access groups access different web resource collections? For example, I need to secure a new area called discounts, and the person who can have access to the discounts cannot access the above two.
Thanks in advance for any help.
- Faisal -


The secret to creativity is knowing how to hide your sources.
Sri Basavanahally
Ranch Hand

Joined: Oct 07, 2003
Posts: 75
Check this out:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <url-pattern>/acme/wholesale/*</url-pattern>
    <url-pattern>/acme/retail/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>wholesale</web-resource-name>
    <url-pattern>/acme/wholesale/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>SALESCLERK</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>wholesale</web-resource-name>
    <url-pattern>/acme/wholesale/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>CONTRACTOR</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
...
...
That should do it.


UP THE IRONS !
Faisal Khan
Ranch Hand

Joined: Jun 29, 2003
Posts: 285
Thanks for your help.
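
One way to lay out the descriptor for the case asked about in this thread, as an added example that is not from any of the posters: each area gets its own security-constraint naming a single role. The paths /members/*, /reports/* and /discounts/*, the role names and the realm name are assumptions, since the original descriptor is not shown.

```xml
<!-- Added example: paths, role names and realm name are hypothetical. -->

<!-- Existing area 1: only users in role "members" get in. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>members area</web-resource-name>
    <url-pattern>/members/*</url-pattern>
    <!-- No http-method elements: the constraint then covers every HTTP
         method. Listing only GET/POST would leave the other methods
         outside this constraint. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>members</role-name>
  </auth-constraint>
</security-constraint>

<!-- Existing area 2: a separate role. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>reports area</web-resource-name>
    <url-pattern>/reports/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>reports</role-name>
  </auth-constraint>
</security-constraint>

<!-- New area: "discounts" is the only role listed here, and it is not
     listed in either constraint above, so a user who holds only this
     role is refused on /members/* and /reports/*. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>discounts area</web-resource-name>
    <url-pattern>/discounts/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>discounts</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example Realm</realm-name>
</login-config>

<!-- Every role used in an auth-constraint is declared once. -->
<security-role><role-name>members</role-name></security-role>
<security-role><role-name>reports</role-name></security-role>
<security-role><role-name>discounts</role-name></security-role>
```

The separation only holds if the container's user store assigns each user just the roles intended; how users map to roles is container-specific and is configured outside web.xml.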
 