Tomcat with multiple auth-constraints
Joined: Apr 04, 2010
May 17, 2010 02:17:21
Hi, I'm having trouble understanding how multiple <auth-constraint> elements combine.
spec says "The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded."
I set up a really simple
<web-app>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>Member</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Test1</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Test2</web-resource-name>
      <url-pattern>/index.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Member</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
What I would have expected is that the empty <auth-constraint> on Test1 meant that no-one could see anything. In practice, if I authenticate as a member I can see index.html fine.
Am I missing something?
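The selection rule that the quoted spec sentence depends on, as an added example that is not part of the original post and is not Tomcat's code: under the Servlet specification, constraints combine only when they sit on the same url-pattern (and HTTP method), and the container first picks the best-matching pattern for the request. The model is simplified (HTTP methods and the `*` role are left out) and its function names are hypothetical.

```python
# Simplified model of how a Servlet container picks and combines constraints.
# Added illustration; names are hypothetical, HTTP methods and "*" role omitted.
# Constructed from the web.xml in the post: (url-pattern, roles).
# roles == [] models <auth-constraint/>; roles is None models no auth-constraint.
POSTED = [("/*", []), ("/index.html", ["Member"])]

def match_rank(pattern, path):
    """Rank a url-pattern against a path using servlet mapping precedence."""
    if pattern == path:
        return (3, len(pattern))                 # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))              # longest path prefix
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)                            # extension match
    if pattern == "/":
        return (0, 0)                            # default mapping
    return None

def applicable(constraints, path):
    """Return role lists of the constraints on the best-matching pattern only."""
    ranked = [(match_rank(p, path), p) for p, _ in constraints]
    ranked = [r for r in ranked if r[0] is not None]
    if not ranked:
        return []
    best_pattern = max(ranked)[1]
    return [roles for p, roles in constraints if p == best_pattern]

def is_allowed(constraints, path, user_roles):
    hits = applicable(constraints, path)
    if not hits:
        return True                              # no constraint covers the path
    if any(roles == [] for roles in hits):
        return False                             # empty auth-constraint overrides
    if any(roles is None for roles in hits):
        return True                              # unauthenticated access permitted
    return bool(set().union(*hits) & set(user_roles))

if __name__ == "__main__":
    print(is_allowed(POSTED, "/index.html", ["Member"]))   # best match is Test2
    print(is_allowed(POSTED, "/other.html", ["Member"]))   # only /* applies
    same = [("/index.html", []), ("/index.html", ["Member"])]
    print(is_allowed(same, "/index.html", ["Member"]))     # now they combine
```

In this model the empty `<auth-constraint/>` blocks `/index.html` only when it is declared on the `/index.html` pattern itself; on `/*` it governs every other path.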