Rahul Raviz wrote:
As per my understanding, this should allow URLs with a content "update" and allow other pages only with AD credentials. But this is not working for me now. It's asking for the credentials even for the URL with "update".
Let's clarify that a little.
The web.xml security actually has no idea whether or not AD is involved. All it does is interact with the Realm. If the Realm is AD, fine, but if I change to a JDBC Realm in the server config, the webapp logic and web.xml don't change. AD is just acting as the designated repository for userid/password verification and for role-checking for authenticated users.
The role-defining URL patterns, as Jelle has said, are "absolute" URLs, where the URL pattern does not include deployment or parametric information. In other words, a URL like "http://www.javaranch.com:8080/app372/admin/profile.jsp?arg1=a&arg2=b" would be pattern-matched using only the "/admin/profile.jsp" part of the URL. Despite this, the URL pattern is truly a URL pattern and not a resource pattern, which means that "/admin/stats" doesn't necessarily resolve to a physical file in the WAR (if it's a servlet URL pattern) and conversely that the security system cannot block access to "/images/pic1.jpg" if there are alternative URLs configured that can retrieve that resource but are not secured.
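
An added example, not part of the original post: a simplified Python model of how a container chooses the security constraint for a request, run against the URL from the reply, which can be used to audit which URLs a set of patterns leaves unconstrained. The constraint table, the `/download` servlet URL and all function names are constructed for illustration; HTTP methods and the merging of several constraints on one pattern are ignored.

```python
from urllib.parse import urlsplit

# Constructed sample: url-pattern -> roles, as <security-constraint> entries might declare.
CONSTRAINTS = {"/admin/*": {"admin"}, "/images/*": {"user"}}

def matched_path(url, context_path):
    """The part that is pattern-matched: request path minus context path, no query string."""
    path = urlsplit(url).path
    if context_path and not (path == context_path or path.startswith(context_path + "/")):
        raise ValueError("URL is outside this web application")
    return path[len(context_path):] or "/"

def match_rank(pattern, path):
    """Specificity of a servlet-style url-pattern for path, or None if it does not apply."""
    if pattern == path:
        return (3, len(pattern))                  # exact match wins
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))               # path-prefix match, longest prefix wins
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)                             # extension match
    if pattern == "/":
        return (0, 0)                             # default pattern
    return None

def required_roles(constraints, url, context_path):
    """Roles of the best-matching constraint, or None when the URL is unconstrained."""
    path = matched_path(url, context_path)
    hits = [(match_rank(p, path), roles) for p, roles in constraints.items()]
    hits = [(rank, roles) for rank, roles in hits if rank is not None]
    return max(hits, key=lambda hit: hit[0])[1] if hits else None

if __name__ == "__main__":
    base = "http://www.javaranch.com:8080/app372"
    for tail in ("/admin/profile.jsp?arg1=a&arg2=b",   # host, context path and query are ignored
                 "/admin/stats",                       # constrained even with no file in the WAR
                 "/images/pic1.jpg",                   # constrained by /images/*
                 "/download?file=pic1.jpg"):           # hypothetical servlet serving the same file
        print(tail, "->", required_roles(CONSTRAINTS, base + tail, "/app372"))
```

A result of `None` marks a URL that no constraint covers, which is the case the reply warns about when a second URL can reach a resource that is protected under its first one.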