wildcard role-name question

I know this question has been raised in various threads but I still cannot make Tomcat 5.0.27 agree with the Servlet 2.4 specification; I am sure this is due to something wrong in my set-up of the deployment descriptor but I am going round in circles trying to understand it.

My question concerns the <role-name> tag within <auth-constraint>. The spec says that a <role-name> of * is 'shorthand for all role names defined in the deployment descriptor' (p97).

I understand this to mean the sum of all the <role-name> elements inside <security-role> elements, in the deployment descriptor. In other words, if role XYZ is _not_ mentioned in the deployment descriptor then any user in role XYZ (in tomcat-users) will _not_ be allowed access to any resource collection where the role-name is set to *.

However, when I test this, I can achieve authorisation for ANY user in ANY role mentioned in the tomcat-users.xml file!

In my test, the resource being accessed from the client is a servlet so, in the doGet(...) method I use request.isUserInRole("xxx") on the roles actually described in the deployment descriptor and get 'false' returned in both cases.

The doGet(...) returns an HTML form which issues a POST request to a second servlet. This servlet has an auth-constraint applied to specific roles and, as expected, any user not in one of those roles is not authorised to access it.

I have tried everything I can think of so any suggestions/remarks would be much appreciated.

Thanks in advance!
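The set-up described in the post, written out as a self-contained pair of descriptors (an added example, not the poster's actual files; servlet paths, role names and user names are assumed). The first constraint uses the `*` shorthand and the second lists its roles explicitly; the tomcat-users.xml entry puts one user in a role that web.xml never declares, which is the case the post is testing. Because containers have not all read `*` the same way, the explicit list is the form whose outcome does not depend on the container.

```xml
<!-- web.xml (Servlet 2.4) - constructed example; names are assumed -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Roles declared in this descriptor. Per the spec wording quoted in
       the post (p97), these are the only roles that '*' should expand to. -->
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>clerk</role-name></security-role>

  <!-- Constraint 1: the '*' shorthand guarding the form-producing servlet -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>form</web-resource-name>
      <url-pattern>/form</url-pattern>
      <!-- no <http-method> element: the constraint covers every method -->
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>

  <!-- Constraint 2: explicit roles guarding the servlet the form POSTs to;
       this is the form that behaves identically in every container -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>submit</web-resource-name>
      <url-pattern>/submit</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
      <role-name>clerk</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>wildcard-test</realm-name>
  </login-config>
</web-app>

<!-- conf/tomcat-users.xml - constructed; 'xyz' is deliberately NOT declared
     in web.xml, so under the post's reading of the spec 'bob' should be
     refused at /form, while 'alice' should be admitted to both servlets -->
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="clerk"/>
  <role rolename="xyz"/>
  <user username="alice" password="CHANGE_ME" roles="manager"/>
  <user username="bob"   password="CHANGE_ME" roles="xyz"/>
</tomcat-users>
```

With these two files deployed, requesting /form as `bob` is the single check that tells you how the container expands `*`; if a resource must be limited to known roles regardless of container, list them as in the second constraint.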
