Win a copy of Testing JavaScript Applications this week in the HTML Pages with CSS and JavaScript forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Bear Bibeault
  • Ron McLeod
  • Jeanne Boyarsky
  • Paul Clapham
Sheriffs:
  • Tim Cooke
  • Liutauras Vilda
  • Junilu Lacar
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • fred rosenberger
  • salvin francis
Bartenders:
  • Piet Souris
  • Frits Walraven
  • Carey Brown

Tomcat 8 cannot read httpMethodConstraints

 
Bartender
Posts: 1924
13
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator


index.jsp


tomcat-users.xml:


The result is that mary , as a manager role is forbidden access the PUT.

But when I remove value= @HttpConstraint... , it works.
 
Saloon Keeper
Posts: 22284
151
Android Eclipse IDE Tomcat Server Redhat Java Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
That actually wasn't a very clear question.

But what I think you meant was that depending on the user's role, you could do one thing or the other, but not both.

J2EE security roles are not simple labels. It's perfectly legal for Mary to be both a Manager and an Employee:

Likewise, code security can allow users in more than one role:
 
Himai Minh
Bartender
Posts: 1924
13
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi, Tim,

This security rule says
1. manager is allowed to use doPut
2. employee are allowed to use the rest of the methods except doPut.

Suppose jane is employee and mary is manager as defined in tomcat-user.xml.
I was surprised to see that mary is not allowed to use doPut.


But when I changed the security rule :

Mary is allowed to use doPut.

 
Himai Minh
Bartender
Posts: 1924
13
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
It has something to do with using Put in the form.
I changed the code into :



Now, jane cannot access POST method and mary can access it.
The reason is the form in index.jsp cannot use method="PUT".
 
Himai Minh
Bartender
Posts: 1924
13
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I used curl.exe that I downloaded from https://curl.haxx.se/dlwiz/?type=bin. I used free 7Zip to unzip it.
I ran this command :


curl -u mary -X PUT http://localhost:8080/securityAnnot/MySecurity


It promotes me for password.
Then, the doPut method runs.

I think it was because my browser does not support PUT in form.
 
If we don't do the shopping, we won't have anything for dinner. And I've invited this tiny ad:
Thread Boost feature
https://coderanch.com/t/674455/Thread-Boost-feature
    Bookmark Topic Watch Topic
  • New Topic