File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Tomcat and the fly likes Tomcat with multiple auth-constraints Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Products » Tomcat
Bookmark "Tomcat with multiple auth-constraints" Watch "Tomcat with multiple auth-constraints" New topic

Tomcat with multiple auth-constraints

Doug Braidwood
Ranch Hand

Joined: Apr 04, 2010
Posts: 42
Hi, I'm having trouble understanding how multiple <auth-constraint> elements combine.

The servlet spec says "The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded."

I set up a really simple test web.xml

What I would have expected is that the empty <auth-constraint> on Test1 meant that no-one could see anything. In practice, if I authenticate as a member I can see index.html fine.

Am I missing something?

I agree. Here's the link:
subject: Tomcat with multiple auth-constraints
jQuery in Action, 3rd edition