I'm trying to configure <security-constraints> for two levels of security (admin & user). Lots of sources claim this can be done, but I have yet to find an example.
The following works most of the time (leaving out some details for clarity):
... here's the behavior:
... so it works OK unless one of the roles attempts to access the other's resource, at which point Tomcat fails to fetch <form-error-page>. And if I comment out the second (/user) <security-constraint>, the behavior is the same for number (8) ... so the problem is not the two constraints, it's the two roles.
I tried duplicating the <form-login-config> and <security-role> nodes after each <security-constraint>, with just one <role-name> to match the resource, but that violates node-order rules, and Tomcat won't go for it.
Does anybody know how this is done? Seems like needing separate admin and user protected resources would be somewhat common, n'est-ce pas?
I think the problem is in your logic; only a login failure would cause the container to serve up the retry page. In your case, it's not a login failure but an access denial. You might probably want to add an <error-page> element to your web.xml:
Of course, this would cause all 403s to display the retry page! So you'll have to think this through.
Also, you've not shown what happens when the roles try to access each other's resources but key in the wrong password. But I guess that works correctly, right?
A little extra info: You can't duplicate <login-config>, it's one per webapp.
If you have two security constraints with overlapping URL patterns, then the resulting <auth-constraint> is the UNION of the entries for each.
Also, an empty <auth-constraint> means no roles but a missing <auth-constraint> means all roles.
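Putting the two answers together, here is a complete web.xml fragment that shows the points they make: separate admin and user constraints, a single <login-config>, a dedicated <error-page> for 403 (so a denied user does not land on the login retry page), two constraints on the same URL pattern whose role lists are unioned, an empty <auth-constraint> that denies everyone, and a constraint with no <auth-constraint> that only forces TLS. This is an added example written for this page, not code from the original question or answers; the role names, URL patterns and page paths are assumptions chosen for illustration. One caveat the second answer glosses over: both the Servlet specification and Tomcat first pick the best-matching <url-pattern> for a request (exact match, then longest path prefix, then extension) and only then combine the constraints that share that winning pattern. So the union rule applies to constraints with the same pattern, as shown below for /reports/*; a more specific pattern such as /user/reports/* would simply override /user/*, not merge with it.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for this page; not the original poster's web.xml.
     Role names, URL patterns and page paths are illustrative assumptions. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- 1. Admin-only area -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- 2. User-only area. An authenticated admin requesting /user/... gets 403,
       not a login failure, which is why the <error-page> below is needed. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User area</web-resource-name>
      <url-pattern>/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- 3. Two constraints with the SAME pattern: the effective
       auth-constraint is the union, i.e. admin OR user may access /reports/*. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports (admin)</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports (user)</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- 4. Empty <auth-constraint/>: no role is allowed, so /internal/* is
       unreachable over HTTP even for authenticated users (useful for
       server-side-only JSP fragments). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Internal templates</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- 5. No <auth-constraint> at all: everyone (including unauthenticated
       callers) is allowed; this constraint only requires HTTPS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything over TLS</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Exactly one <login-config> per web application. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-retry.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Access denial (authenticated, wrong role) is a 403, not a login
       failure; route it to its own page instead of the retry page. -->
  <error-page>
    <error-code>403</error-code>
    <location>/denied.jsp</location>
  </error-page>

  <!-- Declare every role referenced above; declared once, not per constraint. -->
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
</web-app>
```

Note that the <error-page> applies to every 403 the container raises, including those from servlets that call sendError(403) themselves, so keep /denied.jsp generic. Element order matters in web.xml: all <security-constraint> elements must come before <login-config>, which must come before <security-role>, which is why the original attempt to interleave them failed validation.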