This week's book giveaway is in the Clojure forum.
We're giving away four copies of Clojure in Action and have Amit Rathore and Francis Avila on-line!
See this thread for details.
Win a copy of Clojure in Action this week in the Clojure forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

web.xml transport-guarantee CONFIDENTIAL without security-role ?

Per Lindberg
Ranch Hand
Posts: 48
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I no longer want to use roles for authorization. So I want to get rid of all 'role' stuff in my web.xml .
I still want to have <transport-guarantee>CONFIDENTIAL, of course.

Now, the surrounding<security-constraint> must have a non-empty <auth-constraint>, which in turn requires at least one declared <security-role>.

I think that it would be logical to just specify <auth-constraint>*</auth-constraint>, and then no <security-role> has to be specified (and the user don't need any role), but that appears to be wrong at least in Glassfish.
So... is it true that you can't get rid of roles entirely if you need HTTPS?

I agree. Here's the link:
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic