How to configure two security-constraints?

Posts: 23

I'm trying to configure <security-constraints> for two levels of security (admin & user). Lots of sources claim this can be done, but I have yet to find an example.

The following works most of the time (leaving out some details for clarity):

... here's the behavior:

... so it works OK unless one of the roles attempts to access the other's resource, at which point Tomcat fails to fetch <form-error-page>. And if I comment out the second (/user) <security-constraint>, the behavior is the same for number (8) ... so the problem is not the two constraints, it's the two roles.

I tried duplicating the <form-login-config> and <security-role> nodes after each <security-constraint>, with just one <role-name> to match the resource, but that violates node-order rules, and Tomcat won't go for it.

Does anybody know how this is done? Seems like needing separate admin and user protected resources would be somewhat common, n'est-ce pas?


... jakarta-tomcat-5.0.28

- Thanks!
Ranch Hand
Posts: 134
I think the problem is in your logic; only a login failure would cause the container to serve up the retry page. In your case, it's not a login failure but an access denial. You might probably want to add an <error-page> element to your web.xml:

Of course, this would cause all 403s to display the retry page! So you'll have to think this through.

Also, you've not shown what happens when the roles try to access each other's resources but key in the wrong password. But I guess that works correctly, right?

A little extra info:
You can't duplicate <login-config>, it's one per webapp.

If you have two security constraints with overlapping URL patterns, then the resulting <auth-constraint> is the UNION of the entries for each.

Also, an empty <auth-constraint> means no roles, but a missing <auth-constraint> means all roles.
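Editor's note: a complete web.xml putting the two posts together, added here as an example; it is not the original poster's file (whose web.xml was not reproduced above). It uses the Servlet 2.4 schema, which Tomcat 5.0.x accepts and which does not impose the fixed top-level element order of the 2.3 DTD, so the <security-role> and <login-config> placement the first post fought with is not an issue. The paths /admin/*, /user/*, /internal/*, /login.jsp, /login-error.jsp and /denied.jsp are assumed names. It shows one constraint per role, a single <login-config> for the whole webapp, an empty <auth-constraint> that blocks a pattern for everyone, and the 403 <error-page> the reply suggests for the "admin requests a user resource" case; if two constraints overlapped in URL pattern, the effective role list would be the union of both, as the reply states.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml for a two-role form-login setup on Tomcat 5.0.x.
     Not the original poster's file; all paths and role names are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <display-name>two-role-example</display-name>

  <!-- Constraint 1: only principals in role "admin" may reach /admin/*.
       No http-method is listed, so every method is covered. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Constraint 2: only role "user" may reach /user/*.
       An already authenticated admin who requests /user/... is not a login
       failure, so form-error-page is never involved; the container answers
       403, which the error-page element at the bottom handles. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User area</web-resource-name>
      <url-pattern>/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Constraint 3: an EMPTY auth-constraint means no role at all is
       allowed, i.e. /internal/* is blocked for every client. Omitting
       auth-constraint entirely would instead leave the pattern open
       without any login. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Blocked</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Exactly one login-config per web application; it cannot be repeated
       per constraint. form-error-page is shown only when the credentials
       themselves are rejected. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an auth-constraint is declared once here. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- Access denial after a successful login is a 403, not a login failure.
       Caveat from the reply above: this page is served for EVERY 403 in the
       application, not just role mismatches. -->
  <error-page>
    <error-code>403</error-code>
    <location>/denied.jsp</location>
  </error-page>

</web-app>
```

Usage: drop this in WEB-INF/web.xml, make sure the realm configured in Tomcat (for example the tomcat-users.xml behind the default MemoryRealm) assigns the roles admin and user to real accounts, and create the three JSP pages. A user logged in as "user" requesting /admin/anything should then land on /denied.jsp with status 403, while a wrong password on the login form still goes to /login-error.jsp.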