
<role-name>*</role-name> but still 403 error occurred

 
Art Akc
Hi, All. This is my web.xml



As you can see, there is <role-name>*</role-name> in web.xml, but if I try to run this servlet, a 403 error occurs. I use Tomcat 7.
If I include

into my web.xml and log in correctly, the servlet works properly. I have specified <role-name>*</role-name> in web.xml, and in this case the servlet should work with any roles and without authentication. Please explain the reason to me.
 
Jaikiran Pai
<role-name>*</role-name> doesn't really mean any authenticated user. Instead, it means: allow access to authenticated users who belong to at least one role listed in the <security-role> element of the web.xml of the application. So in your example the user has to belong to the admin role (since that's the only one listed). This is a behaviour change from how Tomcat handled this in previous versions. The behaviour can be controlled by setting the allRolesMode attribute of the Realm element in the server.xml. See this mailing list discussion for details: http://www.mail-archive.com/users@tomcat.apache.org/msg16232.html

The other way is to fix this the right way (as per the Servlet spec) by listing all the role-name(s) under the security-role element and then using * under the role-name of the security-constraint element.
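
The semantics described in the answer above, as an added example that is not part of the original thread: a short Python check that reads a web.xml and reports which roles each constraint actually admits, expanding * to the roles declared in <security-role>. The descriptor is a constructed sample (the poster's web.xml is not on the page), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not the poster's web.xml, which is missing from the page).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

def local(tag):
    """Drop the XML namespace so descriptors of different versions parse alike."""
    return tag.rsplit("}", 1)[-1]

def effective_roles(web_xml):
    """Map each url-pattern to the roles its auth-constraint admits.

    Role-name '*' expands to the roles declared in <security-role>, not to
    'any user'. A constraint with no <auth-constraint> needs no
    authentication and maps to None; an empty role list denies everyone.
    """
    root = ET.fromstring(web_xml)
    declared, result = set(), {}
    for el in root:
        if local(el.tag) == "security-role":
            declared |= {r.text.strip() for r in el if local(r.tag) == "role-name"}
    for sc in (e for e in root if local(e.tag) == "security-constraint"):
        auth = next((e for e in sc if local(e.tag) == "auth-constraint"), None)
        if auth is None:
            roles = None
        else:
            named = {r.text.strip() for r in auth if local(r.tag) == "role-name"}
            roles = declared if "*" in named else named
        for p in sc.iter():
            if local(p.tag) == "url-pattern":
                result[p.text.strip()] = None if roles is None else sorted(roles)
    return result

if __name__ == "__main__":
    for pattern, roles in effective_roles(WEB_XML).items():
        print(pattern, "->", "no authentication required" if roles is None else roles)
```

With the sample descriptor, /secure/* resolves to the admin role only, which is why a request without an authenticated admin user is rejected with 403.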
 
Art Akc
Thank you Jaikiran Pai. This info is useful for me.