Tomcat with multiple auth-constraints
Joined: Apr 04, 2010
May 17, 2010 02:17:21
Hi, I'm having trouble understanding how multiple <auth-constraint> elements combine.
The spec says "The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded."
I set up a really simple
<web-app>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>Member</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Test1</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Test2</web-resource-name>
      <url-pattern>/index.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Member</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
What I would have expected is that the empty <auth-constraint> on Test1 meant that no-one could see anything. In practice, if I authenticate as a member I can see index.html fine.
Am I missing something?
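Added example, not part of the original post and not Tomcat's code: a small Python model of how the Servlet specification picks the url-pattern that best matches the request first, and combines only the constraints declared on that same pattern. The function names are hypothetical, and the model assumes exact and path-prefix patterns only, ignoring http-method and user-data-constraint.

```python
import xml.etree.ElementTree as ET

# The descriptor from the post, security-constraint elements only.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/index.html</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Member</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Map url-pattern -> list of role sets; set() = names no roles, None = no auth-constraint."""
    by_pattern = {}
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.iter("role-name")}
        for pat in sc.iter("url-pattern"):
            by_pattern.setdefault(pat.text.strip(), []).append(roles)
    return by_pattern

def best_match(patterns, path):
    """Exact match wins, then the longest /prefix/* pattern (other kinds not modelled)."""
    if path in patterns:
        return path
    prefixes = [p for p in patterns
                if p.endswith("/*") and (path == p[:-2] or path.startswith(p[:-1]))]
    return max(prefixes, key=len) if prefixes else None

def effective_access(xml_text, path):
    """Return (matched pattern, verdict) for a request path."""
    by_pattern = load_constraints(xml_text)
    pattern = best_match(by_pattern, path)
    if pattern is None:
        return None, "unconstrained"
    entries = by_pattern[pattern]
    if any(r is not None and not r for r in entries):
        return pattern, "deny-all"        # empty auth-constraint overrides the rest
    if any(r is None for r in entries):
        return pattern, "unconstrained"   # a constraint without auth-constraint permits all
    return pattern, "roles: " + ", ".join(sorted(set().union(*entries)))

if __name__ == "__main__":
    for p in ("/index.html", "/other.html"):
        print(p, effective_access(WEB_XML, p))
```

In this model the empty auth-constraint blocks /index.html only when it is declared on the /index.html pattern itself, because /* is never the best match for that path.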