
Tomcat only reads last security-constraint

 
Markus Neumaier
Greenhorn
Posts: 16
Hi,

I have 2 <security-constraint> in my web.xml but only the last one is used in my Tomcat.


and:



I can only authenticate with users from the "first" role. Any ideas what the reason for this could be?

Thank you

Markus
 
E Armitage
Rancher
Posts: 989
Where is the part where you declare all the roles that are part of your application?
 
Markus Neumaier
Greenhorn
Posts: 16
In my tomcat-users.xml:


 
E Armitage
Rancher
Posts: 989
Don't you have <security-role> elements in your web.xml?
 
Markus Neumaier
Greenhorn
Posts: 16
Yes I do. Beneath the <security-constraint>:



But I'm actually not 100% certain about their use. I thought they are just some kind of declaration.
 
Jaikiran Pai
Marshal
Posts: 10447
I don't fully understand the question/problem. Can you explain what URL you are accessing and what authentication/authorization isn't working?
 
Markus Neumaier
Greenhorn
Posts: 16
The problem is only with the <security-constraint> that grants access to all resources /*, named "AuthenticatedAccess".
But what it actually does is deny access to all resources located directly in the root directory. I can still access all resources in subdirectories, which I find kind of odd...
Any ideas why that could be the case?


Edit: The authorization seems to work: if I try to log in with an invalid user, I get forwarded to my error page. If I log in with a user that is linked to the security-constraint "AuthenticatedAccess", I get an HTTP 403 access denied.

Edit2: Adding all pages under the root directory manually to the url-patterns worked. But I still don't understand the problem. It worked until I added the second security-constraint.
 
Tim Holloway
Saloon Keeper
Posts: 18303
I think it would be a good idea to grab a copy of the J2EE specification document from oracle.com and read up on the rules for security constraints. The spec should indicate precisely how URL patterns that are more generic than similar patterns are considered and what happens if a URL matches more than one pattern (or the pattern occurs twice).
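
Added example (not part of any post in this thread, and not Tomcat's code): a simplified Python model of the Servlet specification rules referred to above, showing that only the best-matching url-pattern's constraints apply to a request and that roles are unioned only across constraints naming that same pattern. The patterns and role names are constructed sample data, since the web.xml from the thread is not shown; HTTP methods, the "*" role and transport guarantees are left out.

```python
# Simplified model of how the Servlet spec selects and combines
# <security-constraint> entries. All patterns and role names below are
# constructed sample data, not taken from the thread.

def best_match(path, patterns):
    """Pick the single best-matching url-pattern for a request path."""
    if path in patterns:                                   # 1. exact match
        return path
    prefixes = [p for p in patterns if p.endswith("/*")
                and (path == p[:-2] or path.startswith(p[:-1]))]
    if prefixes:                                           # 2. longest path prefix
        return max(prefixes, key=len)
    last = path.rsplit("/", 1)[-1]
    for p in patterns:                                     # 3. extension match
        if p.startswith("*.") and last.endswith(p[1:]):
            return p
    return "/" if "/" in patterns else None                # 4. default pattern

def is_allowed(path, user_roles, constraints):
    """constraints: list of (url_patterns, roles). roles is a set of role
    names, an empty set (auth-constraint naming no roles), or None (no
    auth-constraint element at all)."""
    all_patterns = {p for pats, _ in constraints for p in pats}
    best = best_match(path, all_patterns)
    if best is None:
        return True                       # no constraint applies to this path
    selected = [roles for pats, roles in constraints if best in pats]
    if any(r is not None and not r for r in selected):
        return False                      # empty auth-constraint precludes access
    if any(r is None for r in selected):
        return True                       # combines to allow unauthenticated access
    allowed = set().union(*selected)      # union of roles on the SAME pattern only
    return bool(allowed & set(user_roles))

# Constructed constraints: two on "/*", one on the more specific "/admin/*".
SAMPLE = [
    ({"/*"}, {"user"}),
    ({"/*"}, {"auditor"}),
    ({"/admin/*"}, {"admin"}),
]

if __name__ == "__main__":
    for roles in ({"user"}, {"auditor"}, {"admin"}):
        for path in ("/index.jsp", "/admin/list.jsp"):
            print(sorted(roles), path, is_allowed(path, roles, SAMPLE))
```

In this model a user holding only the role of the more specific constraint is refused on root-level resources yet admitted under the subdirectory, because the "/*" constraint is never merged into "/admin/*".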
 