• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

declarative authorization not working

 
ankur rathi
Ranch Hand
Posts: 3830
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,

This is my web.xml:


<web-app>

<security-constraint>

<web-resource-collection>

<web-resource-name>anything</web-resource-name>

<url-pattern>/aa/restrict.jsp</url-pattern>

<http-method>GET</http-method>
<http-method>POST</http-method>

</web-resource-collection>

<auth-constraint>

</auth-constraint>

</security-constraint>

<security-role>
<role-name>tomcat</role-name>
<role-name>role1</role-name>
<role-name>admin</role-name>
</security-role>

</web-app>


Where these three roles are present in my tomcat-users.xml. No other role is there in tomcat-users.xml.

And I have a JSP restrict.jsp on root. When I access this JSP directly I shouldn't be allowed. As no <role-name> is present in <auth-constraint> means no role is allowed. But I can access this JSP. Why so?

Thanks.
[ June 02, 2007: Message edited by: ankur rathi ]
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic