
<role-name>*</role-name> but still 403 error occurred

Art Akc

Joined: Aug 20, 2012
Posts: 4
Hi, All. This is my web.xml

As you can see, there is <role-name>*</role-name> in web.xml, but if I try to run this servlet, a 403 error occurred. I use Tomcat 7.
If I include

into my web.xml and log in correctly, the servlet works in a proper way. I have specified <role-name>*</role-name> in web.xml, and in this case the servlet should work with any roles and without authentication. Please explain the reason to me.
Jaikiran Pai

Joined: Jul 20, 2005
Posts: 10441

<role-name>*</role-name> doesn't really mean any authenticated user. Instead, it means: allow access to authenticated users who belong to at least one role listed in the <security-role> element of the web.xml of the application. So in your example the user has to belong to the admin role (since that's the only one listed). This is a change in behaviour from how Tomcat handled this in previous versions. The behaviour can be controlled by setting the allRolesMode attribute of the Realm element in the server.xml. See this mailing list discussion for details.

The other way is to fix this the right way (as per the Servlet spec) by listing all the role-name(s) under the security-role element and then using * under the role-name of the security-constraint element.

[My Blog] [JavaRanch Journal]
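The role expansion described in the answer above, as an added example that is not part of the original thread: a small Python check that reads a web.xml, expands `*` to the roles declared under `<security-role>`, and decides whether a user's roles satisfy the constraint. The embedded web.xml is constructed for illustration (it is not the poster's file), and the function names are hypothetical. It assumes a single security constraint.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (not the poster's file): "*" in the constraint, and
# every role the application uses declared under <security-role>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""

def local(tag):
    """Drop an XML namespace prefix such as {http://...}web-app."""
    return tag.rsplit("}", 1)[-1]

def role_names(root, parent):
    """Collect <role-name> values found directly under each <parent> element."""
    return {r.text.strip() for p in root.iter() if local(p.tag) == parent
            for r in p if local(r.tag) == "role-name" and r.text}

def effective_roles(web_xml):
    """Roles the auth-constraint demands once "*" is expanded.
    Assumption: the file holds one security constraint."""
    root = ET.fromstring(web_xml)
    declared = role_names(root, "security-role")
    wanted = role_names(root, "auth-constraint")
    return declared if "*" in wanted else wanted

def is_allowed(web_xml, user_roles):
    """Strict reading from the answer: the user needs at least one of the
    effective roles; an unauthenticated request has no roles and is refused."""
    return bool(effective_roles(web_xml) & set(user_roles))

if __name__ == "__main__":
    for roles in (["admin"], ["user"], ["guest"], []):
        print(roles, "->", "200" if is_allowed(WEB_XML, roles) else "403")
```

Removing a `<security-role>` entry from the sample shrinks what `*` covers, which is why a user outside the only declared role gets a 403.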
Art Akc

Joined: Aug 20, 2012
Posts: 4
Thank you, Jaikiran Pai. This info is useful for me.