Tomcat with multiple auth-constraints
posted 6 years ago
Hi, I'm having trouble understanding how multiple <auth-constraint> elements combine.
The spec says "The special case of an authorization constraint that names no roles shall combine with any other constraints to override their affects and cause access to be precluded."
I set up a really simple
<web-app>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>Member</role-name>
  </security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Test1</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Test2</web-resource-name>
      <url-pattern>/index.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Member</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
What I would have expected is that the empty <auth-constraint> on Test1 meant that no-one could see anything. In practice, if I authenticate as a member I can see index.html fine.
Am I missing something?
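
The behaviour reported above follows from how the Servlet specification selects constraints: the container picks the url-pattern that best matches the request URI and combines only the constraints declared on that pattern, so the empty <auth-constraint> on /* never combines with the one on /index.html. The Python model below is an added example, not part of the original post and not Tomcat's code; its function names are hypothetical, and it ignores http-method, transport guarantees and the * role.

```python
import xml.etree.ElementTree as ET

# Descriptor from the post, trimmed to the elements the model reads.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/index.html</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Member</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def load(xml_text):
    """Map url-pattern -> list of auth-constraints (None = element absent, else set of roles)."""
    by_pattern = {}
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.iter("role-name")}
        for p in sc.iter("url-pattern"):
            by_pattern.setdefault(p.text.strip(), []).append(roles)
    return by_pattern

def rank(pattern, path):
    """Mapping precedence: exact > longest path prefix > extension > default; None = no match."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def permitted(by_pattern, path, user_roles):
    """Combine only the constraints declared on the best-matching url-pattern."""
    matches = [(rank(p, path), p) for p in by_pattern if rank(p, path) is not None]
    if not matches:
        return True                      # no constraint applies to this path
    constraints = by_pattern[max(matches)[1]]
    if any(c is not None and not c for c in constraints):
        return False                     # an empty auth-constraint precludes access
    if any(c is None for c in constraints):
        return True                      # a constraint without auth-constraint allows anyone
    return bool(set().union(*constraints) & set(user_roles))

if __name__ == "__main__":
    rules = load(WEB_XML)
    for path in ("/index.html", "/other.html"):
        print(path, permitted(rules, path, {"Member"}))
```

The override quoted from the spec only takes effect when the empty <auth-constraint> is declared on the same url-pattern as the role-bearing one; in the posted descriptor it still locks down every path other than /index.html.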