struts-user mailing list archives

From "Navjot Singh" <navjo...@net4india.net>
Subject [OT] - Realm Security - How to set overlapping constraints?
Date Sat, 05 Jul 2003 16:09:34 GMT
Hi,

It may be quite simple but it's not working for me.

I have a set of servlets
/myapp/p/ab.do 
/myapp/p/groups.do 
/myapp/p/contacts.do

AND I want all of them to be accessible to roles "user" and "admin".

There is 1 more servlet that MUST be accessible ONLY to "admin"
/myapp/p/status.do

I am setting the config as given below.
But still, "user" roles are able to access status.do

What am I doing wrong?

Thanks for any help
-navjot singh

__My XML Declarations__

<security-constraint>
	<web-resource-collection>
	  <web-resource-name>Protected</web-resource-name>
	  <url-pattern>*.do</url-pattern>
	  <http-method>GET</http-method>
	  <http-method>POST</http-method>
	</web-resource-collection>
	<auth-constraint>
	  <role-name>user</role-name>
	  <role-name>admin</role-name>
	</auth-constraint>
</security-constraint>

<security-constraint>
	<web-resource-collection>
	  <web-resource-name>Show Status</web-resource-name>
	  <url-pattern>/p/status.do</url-pattern>
	  <http-method>GET</http-method>
	  <http-method>POST</http-method>
	</web-resource-collection>
	<auth-constraint>
	  <role-name>admin</role-name>
	</auth-constraint>
</security-constraint>

  <security-role>
	  <role-name>admin</role-name>
  </security-role>

  <security-role>
	  <role-name>user</role-name>
  </security-role>

---------------
regards
Navjot Singh
Net4India Ltd.

