This week's book giveaway is in the Servlets forum.
We're giving away four copies of Murach's Java Servlets and JSP and have Joel Murach on-line!
See this thread for details.
The moose likes Servlets and the fly likes web.xml transport-guarantee CONFIDENTIAL without security-role ? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Java » Servlets
Bookmark "web.xml transport-guarantee CONFIDENTIAL without security-role ?" Watch "web.xml transport-guarantee CONFIDENTIAL without security-role ?" New topic
Author

web.xml transport-guarantee CONFIDENTIAL without security-role ?

Per Lindberg
Ranch Hand

Joined: Jan 17, 2008
Posts: 48
I no longer want to use roles for authorization. So I want to get rid of all 'role' stuff in my web.xml .
I still want to have <transport-guarantee>CONFIDENTIAL, of course.

Now, the surrounding<security-constraint> must have a non-empty <auth-constraint>, which in turn requires at least one declared <security-role>.

I think that it would be logical to just specify <auth-constraint>*</auth-constraint>, and then no <security-role> has to be specified (and the user don't need any role), but that appears to be wrong at least in Glassfish.
So... is it true that you can't get rid of roles entirely if you need HTTPS?

 
wood burning stoves
 
subject: web.xml transport-guarantee CONFIDENTIAL without security-role ?
 
Similar Threads
Roles and access Servlets, Jsp in Tomcat
Switching from https to http - this one again
J2EE Security
EJB and Security (JAAS)
Tomcat SSL issue with "user-data-constraint"