Tomcat only reads last security-constraint

Markus Neumaier
Hi,

I have 2 <security-constraint> in my web.xml but only the last one is used in my Tomcat.


and:



I can only authenticate with users from the "first" role. Any ideas what the reason for this could be?

Thank you

Markus
E Armitage
Where is the part where you declare all the roles that are part of your application?
Markus Neumaier
In my tomcat-users.xml:


E Armitage
Don't you have <security-role> elements in your web.xml?
Markus Neumaier
Yes I do. Beneath the <security-constraint>:



But I'm actually not 100% certain about their use. I thought they are just some kind of declaration.
Jaikiran Pai
I don't fully understand the question/problem. Can you explain what URL you are accessing and what authentication/authorization isn't working?

Markus Neumaier
The problem is only with the <security-constraint> that grants access to all resources /*. Named: "AuthenticatedAccess"
But what it actually does is deny access to all resources located directly in the root directory. I can still access all resources in subdirectories, which I find kind of odd...
Any ideas why that could be the case?


Edit: The authorization seems to work; if I try to log in with an invalid user I get forwarded to my error page. If I log in with a user that is linked to the security-constraint "AuthenticatedAccess" I get an HTTP 403 access denied.

Edit2: Adding all pages under the root directory manually to the url-patterns worked. But I still don't understand the problem. It worked until I added the second security-constraint.
Tim Holloway
I think it would be a good idea to grab a copy of the J2EE specification document from oracle.com and read up on the rules for security constraints. The spec should indicate precisely how URL patterns that are more generic than similar patterns are considered and what happens if a URL matches more than one pattern (or the pattern occurs twice).


Customer surveys are for companies who didn't pay proper attention to begin with.
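
An added example (not part of the thread and not Tomcat's own code) of the Servlet specification rules the last reply points to: the container selects the single best-matching url-pattern for a request and combines only the constraints declared on that exact pattern, so a broad `/*` constraint does not contribute its roles to a more specific pattern. It assumes a constructed, namespace-less web.xml fragment with made-up role names and ignores `http-method` elements; `load`, `best_pattern` and `permitted` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed fragment, not the poster's file; web-resource-name omitted for brevity.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>user</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/admin/*</url-pattern>
   <url-pattern>/index.jsp</url-pattern></web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>auditor</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

def load(xml_text):
    """Map each url-pattern to the role sets of every constraint that lists it."""
    table = {}
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")  # None: constraint has no auth-constraint
        roles = None if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        for pat in sc.iter("url-pattern"):
            table.setdefault(pat.text.strip(), []).append(roles)
    return table

def best_pattern(table, path):
    """Pick one pattern: exact match, longest path prefix, extension, then default."""
    if path in table:
        return path
    prefixes = [p for p in table if p.endswith("/*") and (path + "/").startswith(p[:-1])]
    if prefixes:
        return max(prefixes, key=len)
    name = path.rsplit("/", 1)[-1]
    ext = "*." + name.rsplit(".", 1)[-1] if "." in name else None
    return ext if ext in table else ("/" if "/" in table else None)

def permitted(table, path):
    """'ANY' = no role required; otherwise the permitted roles (empty set = nobody)."""
    pat = best_pattern(table, path)
    sets = table.get(pat, [None])  # no matching pattern: request is unconstrained
    if any(s == set() for s in sets):  # an auth-constraint naming no roles denies all
        return set()
    if any(s is None for s in sets):  # a constraint without auth-constraint opens it
        return "ANY"
    return set().union(*sets)  # same pattern in several constraints: union of roles
```

With this fragment, a member of `user` is refused on `/index.jsp` even though `/*` names that role, because the exact pattern is the only one consulted.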