I know this question has been raised in various threads but I still cannot make Tomcat 5.0.27 agree with the Servlet 2.4 specification; I am sure this is due to something wrong in my set-up of the deployment descriptor but I am going round in circles trying to understand it.
My question concerns the <role-name> tag within <auth-constraint>. The spec says that a <role-name> of * is 'shorthand for all role names defined in the deployment descriptor' (p97).
I understand this to mean the sum of all the <role-name> elements inside <security-role> elements in the deployment descriptor. In other words, if role XYZ is _not_ mentioned in the deployment descriptor then any user in role XYZ (in tomcat-users) will _not_ be allowed access to any resource collection where the role-name is set to *.
However, when I test this, I can achieve authorisation for ANY user in ANY role mentioned in the tomcat-users.xml file!
In my test, the resource being accessed from the client is a servlet so, in the doGet(...) method I use request.isUserInRole("xxx") on the roles actually described in the deployment descriptor and get 'false' returned in both cases.
The doGet(...) returns an HTML form which issues a POST request to a second servlet. This servlet has an auth-constraint applied to specific roles and, as expected, any user not in one of those roles is not authorised to access it.
I have tried everything I can think of so any suggestions/remarks would be much appreciated.
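For readers following the thread, here is an added, constructed Servlet 2.4 web.xml fragment (not the poster's descriptor) that lays out the two constraints described above side by side: one using the `*` shorthand, one listing roles explicitly. The URL patterns and the role names `manager` and `auditor` are assumptions; the point is that the `*` expansion can only ever refer to roles declared in `<security-role>`, so listing those roles by name in `<auth-constraint>` removes any dependence on how a given container expands `*`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Constraint 1: the '*' shorthand. Per the spec text quoted in the
       question, this should admit only users in roles declared in the
       <security-role> elements at the bottom of this file (assumed
       path /first). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>first-servlet</web-resource-name>
      <url-pattern>/first</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Constraint 2: explicit role names (assumed path /second). This is
       the form the poster reports working as expected, and it is the
       safer one to rely on: the admitted roles are visible here, not
       derived from the rest of the descriptor. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>second-servlet</web-resource-name>
      <url-pattern>/second</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
      <role-name>auditor</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example</realm-name>
  </login-config>

  <!-- These declarations are the set that '*' is shorthand for. A role
       present in tomcat-users.xml but absent here is not part of it. -->
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
</web-app>
```

Note that `request.isUserInRole("...")` in the servlet is evaluated against these same declared names (or a `<security-role-ref>` mapping to them), so checking it against a role that is only in tomcat-users.xml will return false regardless of the constraint.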