howto config two security-constraints?

 
Greenhorn, Posts: 23
Hello,

I'm trying to configure <security-constraints> for two levels of security (admin & user). Lots of sources claim this can be done, but I have yet to find an example.

The following works most of the time (leaving out some details for clarity):



... here's the behavior:



... so it works OK unless one of the roles attempts to access the other's resource, at which point Tomcat fails to fetch <form-error-page>. And if I comment out the second (/user) <security-constraint>, the behavior is the same for number (8) ... so the problem is not the two constraints, it's the two roles.

I tried duplicating the <form-login-config> and <security-role> nodes after each <security-constraint>, with just one <role-name> to match the resource, but that violates node-order rules, and Tomcat won't go for it.

Does anybody know how this is done? Seems like needing separate admin and user protected resources would be somewhat common, n'est-ce pas?

server.xml:






... jakarta-tomcat-5.0.28

- Thanks!
 
Ranch Hand, Posts: 134
I think the problem is in your logic; only a login failure would cause the container to serve up the retry page. In your case, it's not a login failure but an access denial. You might want to add an <error-page> element to your web.xml:



Of course, this would cause all 403s to display the retry page! So you'll have to think this through.

Also, you've not shown what happens when the roles try to access each other's resources but key in the wrong password. But I guess that works correctly, right?

A little extra info:
You can't duplicate <login-config>, it's one per webapp.

If you have two security constraints with overlapping URL patterns, then the resulting <auth-constraint> is the UNION of the entries for each.

Also, an empty <auth-constraint> means no roles but a missing <auth-constraint> means all roles.
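As an added example (not code from either poster, and not the configuration the question omitted), here is a complete web.xml that puts the points of this answer together: two non-overlapping security-constraints for the admin and user roles, a single login-config shared by both, a 403 error-page so an access denial is routed somewhere other than the login retry page, and a third constraint with an empty auth-constraint to show the "no roles" case. The paths (/admin/*, /user/*, /internal/*, /login.jsp, /login-error.jsp, /denied.jsp), the realm name and the role names are assumptions chosen for illustration; the schema is the Servlet 2.4 one that Tomcat 5.0.x reads.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example web.xml for a Servlet 2.4 container such as Tomcat 5.0.x.
     Paths (/admin/*, /user/*, /internal/*, /login.jsp, /login-error.jsp,
     /denied.jsp) and the role names are assumptions chosen for illustration. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- An authenticated principal that lacks the required role gets a 403, not a
       login retry. Map it to a dedicated page rather than the login form so the
       two cases stay distinguishable. Note this mapping applies to every 403
       the application produces, not only role mismatches. -->
  <error-page>
    <error-code>403</error-code>
    <location>/denied.jsp</location>
  </error-page>

  <!-- Constraint 1: only the admin role may reach /admin/* -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Constraint 2: only the user role may reach /user/*. The two patterns do
       not overlap, so each auth-constraint stands alone. If one URL matched
       both constraints, the permitted roles would be the UNION (admin and user). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>User area</web-resource-name>
      <url-pattern>/user/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Constraint 3: an EMPTY auth-constraint grants no role at all, so nothing
       under /internal/* is served to any caller. Leaving <auth-constraint> out
       entirely would have the opposite effect and allow everyone. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Blocked</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Exactly one login-config per web application; both roles log in here.
       form-error-page is only used when authentication itself fails. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declare every role referenced in an auth-constraint above. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

The three JSPs sit at the context root, outside both protected patterns, so the container can render them without any role. With this layout an admin requesting /user/* is authenticated, fails the role check, and lands on /denied.jsp; a wrong password on either form still goes to /login-error.jsp, which keeps the two failure modes separate both for the person at the browser and in the access log.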
 