jQuery in Action, 3rd edition
The moose likes Tomcat and the fly likes Tomcat with multiple auth-constraints Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Make it so: Java DB Connections & Transactions this week in the JDBC forum!
JavaRanch » Java Forums » Products » Tomcat
Bookmark "Tomcat with multiple auth-constraints" Watch "Tomcat with multiple auth-constraints" New topic

Tomcat with multiple auth-constraints

Doug Braidwood
Ranch Hand

Joined: Apr 04, 2010
Posts: 42
Hi, I'm having trouble understanding how multiple <auth-constraint> elements combine.

The servlet spec says "The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded."

I set up a really simple test web.xml

What I would have expected is that the empty <auth-constraint> on Test1 meant that no-one could see anything. In practice, if I authenticate as a member I can see index.html fine.

Am I missing something?

I agree. Here's the link: http://aspose.com/file-tools
subject: Tomcat with multiple auth-constraints
It's not a secret anymore!