Tomcat with multiple auth-constraints
Joined: Apr 04, 2010
May 17, 2010 02:17:21
Hi, I'm having trouble understanding how multiple <auth-constraint> elements combine.
spec says "The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded."
I set up a really simple
<web-app>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>Member</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Test1</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Test2</web-resource-name>
      <url-pattern>/index.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Member</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
What I would have expected is that the empty <auth-constraint> on Test1 meant that no-one could see anything. In practice, if I authenticate as a member I can see index.html fine.
Am I missing something?
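Added example (not part of the original post, and not Tomcat's code): a Python model of the Servlet specification's rule that only the constraints on the best-matching url-pattern apply to a request, so the empty auth-constraint override combines only with constraints sharing that same pattern. It runs the descriptor from the post, trimmed to its security-constraint elements; HTTP methods, the `*` role and transport guarantees are left out, and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# The descriptor from the post, trimmed to its security-constraint elements.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/index.html</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Member</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return [(url_pattern, roles)]; roles is None when no <auth-constraint> is present."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.iter("role-name")}
        for pat in sc.iter("url-pattern"):
            out.append((pat.text.strip(), roles))
    return out

def match_rank(pattern, path):
    """Servlet mapping precedence: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None

def is_allowed(constraints, path, user_roles):
    """Decide access using only the constraints on the best-matching pattern."""
    ranked = [(match_rank(p, path), p, r) for p, r in constraints]
    ranked = [t for t in ranked if t[0] is not None]
    if not ranked:
        return True                       # no constraint applies to this path
    best = max(t[0] for t in ranked)
    applicable = [r for rank, _, r in ranked if rank == best]  # best-match pattern only
    if any(r is not None and not r for r in applicable):
        return False                      # empty <auth-constraint/> precludes access
    if any(r is None for r in applicable):
        return True                       # a constraint without auth-constraint allows all
    return bool(set().union(*applicable) & set(user_roles))
```

With this descriptor, `/index.html` is governed by the Test2 constraint alone, while every other path falls under the empty auth-constraint on `/*` and is denied to everyone.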