
wildcard role-name question

Ian Perkins
Posts: 19

I know this question has been raised in various threads but I still cannot make Tomcat 5.0.27 agree with the Servlet 2.4 specification; I am sure this is due to something wrong in my set-up of the deployment descriptor but I am going round in circles trying to understand it.

My question concerns the <role-name> tag within <auth-constraint>. The spec says that a <role-name> of * is 'shorthand for all role names defined in the deployment descriptor' (p97).

I understand this to mean the sum of all the <role-name> elements inside <security-role> elements, in the deployment descriptor. In other words, if role XYZ is _not_ mentioned in the deployment descriptor then any user in role XYZ (in tomcat-users) will _not_ be allowed access to any resource collection where the role-name is set to *.

However, when I test this, I can achieve authorisation for ANY user in ANY role mentioned in the tomcat-users.xml file!

In my test, the resource being accessed from the client is a servlet so, in the doGet(...) method I use request.isUserInRole("xxx") on the roles actually described in the deployment descriptor and get 'false' returned in both cases.

The doGet(...) returns an HTML form which issues a POST request to a second servlet. This servlet has an auth-constraint applied to specific roles and, as expected, any user not in one of those roles is not authorised to access it.

I have tried everything I can think of so any suggestions/remarks would be much appreciated.

Thanks in advance!
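As an added illustration (not from the original post or from Tomcat's own documentation), here is the descriptor set-up the question describes: a web.xml that declares two roles and protects one servlet with `*`, next to the same protection written as an explicit role list, plus a constructed tomcat-users.xml with a user whose role the descriptor never declares. The role names, user names, URL patterns and passwords are assumptions chosen for the example.

```xml
<!-- web.xml (Servlet 2.4). Assumed role names: admin, editor.
     Assumed URL patterns: /report, /update. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <!-- The only roles this descriptor declares. Under the spec text quoted
       in the post (p97), these two are what role-name * expands to. -->
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>editor</role-name></security-role>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>report</web-resource-name>
      <url-pattern>/report</url-pattern>
      <!-- no http-method listed: the constraint covers every method -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Spec reading: only users in admin or editor may reach /report. -->
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>update</web-resource-name>
      <url-pattern>/update</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Same two roles spelled out. Nothing here depends on how a given
           container expands *, so this is the least-privilege form. -->
      <role-name>admin</role-name>
      <role-name>editor</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>

<!-- tomcat-users.xml (constructed entries). The role "guest" is never
     declared in web.xml, so by the spec reading carol must be refused
     at /report; inside a servlet she reaches, isUserInRole("admin") and
     isUserInRole("editor") both return false. -->
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="editor"/>
  <role rolename="guest"/>
  <user username="alice" password="CHANGE-ME" roles="admin"/>
  <user username="carol" password="CHANGE-ME" roles="guest"/>
</tomcat-users>
```

Checking the second constraint against carol tells you whether the container's authorisation works at all; checking the first against her tells you how that container expands `*`, which is the behaviour the post is asking about.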
