Tomcat with multiple auth-constraints
posted 12 years ago
Hi, I'm having trouble understanding how multiple <auth-constraint> elements combine.
The spec says "The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded."
I set up a really simple
    <web-app>
      <login-config>
        <auth-method>BASIC</auth-method>
      </login-config>
      <security-role>
        <role-name>Member</role-name>
      </security-role>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Test1</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
      </security-constraint>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Test2</web-resource-name>
          <url-pattern>/index.html</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>Member</role-name>
        </auth-constraint>
      </security-constraint>
    </web-app>
What I would have expected is that the empty <auth-constraint> on Test1 meant that no-one could see anything. In practice, if I authenticate as a member I can see index.html fine.
Am I missing something?
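
Added example, not part of the original post and not Tomcat's code: a simplified Python model of the Servlet spec's processing rule, in which the container first selects the constraints on the best-matching url-pattern and only then combines the ones that share that pattern. The function names are hypothetical, and HTTP methods, extension patterns and the "*" role are ignored.

```python
# Simplified model (assumption: HTTP methods, "*.ext" patterns and role "*" ignored).
DENY_ALL = frozenset()  # models <auth-constraint/>, which names no roles


def best_match(patterns, path):
    """Select the url-pattern for a path: exact match first, then longest prefix."""
    if path in patterns:
        return path
    prefixes = [p for p in patterns
                if p.endswith("/*") and (path + "/").startswith(p[:-1])]
    return max(prefixes, key=len, default=None)


def permitted_roles(constraints, path):
    """Return None when no authorization check applies, else the allowed roles.

    constraints: list of (url_pattern, roles). roles is a set of role names,
    DENY_ALL for an empty auth-constraint, or None for no auth-constraint at all.
    """
    pattern = best_match({p for p, _ in constraints}, path)
    if pattern is None:
        return None                      # no constraint selected: accept
    # Only constraints declared on the selected pattern are combined.
    selected = [roles for p, roles in constraints if p == pattern]
    if DENY_ALL in selected:
        return set()                     # empty auth-constraint overrides the rest
    if None in selected:
        return None                      # combines to allow unauthenticated access
    return set().union(*selected)        # union of the named roles


def can_access(constraints, path, user_roles):
    allowed = permitted_roles(constraints, path)
    return allowed is None or bool(allowed & set(user_roles))


# Constructed from the web.xml in the post: Test1 on /*, Test2 on /index.html.
POSTED = [("/*", DENY_ALL), ("/index.html", {"Member"})]
# Variant: the empty auth-constraint is also declared on /index.html itself.
SAME_PATTERN = POSTED + [("/index.html", DENY_ALL)]

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("same-pattern", SAME_PATTERN)):
        for path in ("/index.html", "/other.html"):
            print(name, path, "Member allowed:", can_access(cfg, path, ["Member"]))
```

In this model `/index.html` is an exact match, so only Test2 is selected for it and the empty constraint on `/*` never enters the combination; the override takes effect only when the empty `<auth-constraint/>` sits on the same url-pattern.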