posted 16 years ago
I have a web-app where I'd like normal users to be able to log in, log out, and add items, but not delete. I have the delete restricted to the admins (who have the ability to log in, log out, delete and add). For simplicity's sake, the delete button is on the same page, but when a normal user clicks it, Tomcat-5.5.23 does not ask for their login info like I thought it would. Basically I'd like the "Delete" button to be an elevated privilege that requires a new login (kind of like root on a Linux box). Is that possible? When I am logged in as a regular user and click on the "delete" button, I get a:
Security Constraint for users has this url-pattern:
Security Constraint for "admins" has this url-pattern:
Regular users are in the "users" group in tomcat-users.xml
Admins are in the "siteAdmin" & "users" groups in tomcat-users.xml
Thanks for your help!