As you can see there is <role-name>*</role-name> in web.xml, but if I try to run this servlet, a 403 error occurs. I use Tomcat 7.
If I include
into my web.xml and log in correctly, the servlet works properly. I have put <role-name>*</role-name> in web.xml, and in this case the servlet should work with any role and without authentication. Please explain the reason to me.
<role-name>*</role-name> doesn't really mean any authenticated user. Instead, it means: allow access to authenticated users who belong to at least one role listed in the <security-role> elements of the application's web.xml. So in your example the user has to belong to the admin role (since that's the only one listed). This is a behaviour change from how Tomcat handled this in previous versions. The behaviour can be controlled by setting the allRolesMode attribute of the Realm element in server.xml. See this mailing list discussion for details: http://email@example.com/msg16232.html.
The other way is to fix this the right way (as per the Servlet spec) by listing all the role-name(s) under the security-role element and then using * under the role-name of the security-constraint element.