Hi,
This is my web.xml:
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>anything</web-resource-name>
      <url-pattern>/aa/restrict.jsp</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>tomcat</role-name>
    <role-name>role1</role-name>
    <role-name>admin</role-name>
  </security-role>
</web-app>
These three roles are present in my tomcat-users.xml. No other role is there in tomcat-users.xml.
And I have a JSP, restrict.jsp, on root. When I access this JSP directly I shouldn't be allowed, as no <role-name> being present in <auth-constraint> means no role is allowed. But I can access this JSP. Why so?
Thanks.

[ June 02, 2007: Message edited by: ankur rathi ]