JavaRanch » Java Forums » Products » Tomcat

howto config two security-constraints?

Paul Fenerty

Joined: May 06, 2005
Posts: 23

I'm trying to configure <security-constraints> for two levels of security (admin & user). Lots of sources claim this can be done, but I have yet to find an example.

The following works most of the time (leaving out some details for clarity):

... here's the behavior:

... so it works OK unless one of the roles attempts to access the other's resource, at which point tomcat fails to fetch <form-error-page>. And if I comment out the second (/user) <security-constraint>, the behavior is the same for number (8) ... so the problem is not the two constraints, it's the two roles.

I tried duplicating the <form-login-config> and <security-role> nodes after each <security-constraint>, with just one <role-name> to match the resource, but that violates node-order rules, and tomcat won't go for it.

Does anybody know how this is done? Seems like needing separate admin and user protected resources would be somewhat common, n'est-ce pas?


... jakarta-tomcat-5.0.28

- Thanks!
Tarun Yadav
Ranch Hand

Joined: Sep 20, 2007
Posts: 134
I think the problem is in your logic; only a login failure would cause the container to serve up the retry page. In your case, it's not a login failure but an access denial. You might want to probably add an <error-page> element to your web.xml:

Of course, this would cause all 403s to display the retry page! So you'll have to think this through.

Also, you've not shown what happens when the roles try to access each other's resources but key in the wrong password. But I guess that works correctly, right?

A little extra info:
You can't duplicate <login-config>, it's one per webapp.

If you have two security constraints with overlapping URL patterns, then the resulting <auth-constraint> is the UNION of the entries for each.

Also, an empty <auth-constraint> means no roles but a missing <auth-constraint> means all roles.
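Putting the reply's rules together, here is an added example (not posted in this thread and not Tomcat's own code): a constructed web.xml with the two levels the question asks for, one <login-config>, an <error-page> for 403, and a small checker that computes the effective roles for a request path from that web.xml. Role names, paths and page names are illustrative. Matching is simplified to exact patterns and `/*` prefixes (no http-method or extension patterns); constraints sharing the best-matching pattern are unioned as the reply describes, and the precedence when an empty or missing <auth-constraint> combines with named roles is my reading of the Servlet spec's combination rules, not something stated in the thread.

```python
"""Two <security-constraint> levels (admin and user) in one web.xml, plus a
checker for the rules from the reply: one <login-config> per webapp,
same-pattern constraints unioned, empty <auth-constraint> = nobody,
missing <auth-constraint> = everybody, and an <error-page> for 403."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from the thread); everything is illustrative.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <!-- Level 1: admins only -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <!-- Level 2: users (admins listed too, so they are not locked out) -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User area</web-resource-name>
      <url-pattern>/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <!-- Same pattern again: its roles are unioned with the constraint above -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User area (auditors)</web-resource-name>
      <url-pattern>/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>auditor</role-name></auth-constraint>
  </security-constraint>
  <!-- Empty auth-constraint: no role at all may reach this -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Sealed</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <!-- Exactly one login-config for the whole webapp -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-retry.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
  <!-- Access denial (403) is not a login failure, so it gets its own page -->
  <error-page><error-code>403</error-code><location>/forbidden.jsp</location></error-page>
</web-app>
"""


def _local(tag):
    # Drop the namespace prefix ElementTree attaches to every tag
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def parse_constraints(xml_text):
    """Return [(url_pattern, roles)]; roles is a frozenset, or None when the
    constraint has no <auth-constraint> element at all."""
    out = []
    for sc in _children(ET.fromstring(xml_text), "security-constraint"):
        auth = _children(sc, "auth-constraint")
        roles = None
        if auth:
            roles = frozenset(r.text.strip() for r in _children(auth[0], "role-name"))
        for wrc in _children(sc, "web-resource-collection"):
            for up in _children(wrc, "url-pattern"):
                out.append((up.text.strip(), roles))
    return out


def _matches(pattern, path):
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


def effective_roles(xml_text, path):
    """Roles allowed to reach `path`: None = unconstrained, frozenset() = nobody,
    else the union of roles across constraints sharing the best-matching
    pattern (exact match first, then the longest /* prefix)."""
    matching = [(p, r) for p, r in parse_constraints(xml_text) if _matches(p, path)]
    if not matching:
        return None
    best = max((p for p, _ in matching), key=lambda p: (not p.endswith("/*"), len(p)))
    role_sets = [r for p, r in matching if p == best]
    if any(r is not None and not r for r in role_sets):
        return frozenset()   # empty <auth-constraint> overrides the others (assumed spec rule)
    if any(r is None for r in role_sets):
        return None          # missing <auth-constraint> means all roles (assumed spec rule)
    return frozenset().union(*role_sets)


def lint(xml_text):
    """The two structural points from the reply: one <login-config>, and a 403 error page."""
    root = ET.fromstring(xml_text)
    has_403 = any(any(_local(c.tag) == "error-code" and c.text.strip() == "403" for c in ep)
                  for ep in _children(root, "error-page"))
    return {"login_config_count": len(_children(root, "login-config")), "has_403_error_page": has_403}


if __name__ == "__main__":
    for p in ("/admin/users", "/user/profile", "/internal/x", "/public/index.html"):
        print(p, effective_roles(WEB_XML, p))
    print(lint(WEB_XML))
```

Running it shows the behaviour the original poster was after: `/admin/users` is reachable only by `admin`, `/user/profile` by `user`, `admin` and (through the second `/user/*` constraint) `auditor`, `/internal/x` by nobody, and `/public/index.html` by anyone. A `user` requesting `/admin/users` is an authenticated-but-denied request, which is exactly the 403 the reply says the <form-error-page> will never handle; the <error-page> entry covers it instead.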