Date: Sat, 5 Jul 2003 11:07:09 -0700 (PDT)
From: "Craig R. McClanahan"
To: Struts Users Mailing List
Subject: Re: [OT] - Realm Security - How to set overlapping constraints?
Message-ID: <20030705110259.V50076@icarus.apache.org>

On Sat, 5 Jul 2003, Navjot Singh wrote:

> Date: Sat, 5 Jul 2003 21:39:34 +0530
> From: Navjot Singh
> Reply-To: Struts Users Mailing List
> To: Struts Users Mailing List
> Subject: [OT] - Realm Security - How to set overlapping constraints?
>
> hi,
>
> It may be quite simple but it's not working for me.
>
> I have a set of servlets
> /myapp/p/ab.do
> /myapp/p/groups.do
> /myapp/p/contacts.do
>
> AND I want all of them to be accessible to roles "user" and "admin".
>
> There is 1 more servlet that MUST be accessible ONLY to "admin"
> /myapp/p/status.do
>
> I am setting config like given below.
> But still, "user" roles are being able to access status.do
>
> What am I doing wrong?
>
> thanks for any help
> -navjot singh
>
> __My XML Declarations__
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Protected</web-resource-name>
>     <url-pattern>*.do</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>user</role-name>
>     <role-name>admin</role-name>
>   </auth-constraint>
> </security-constraint>

The list of security roles inside an <auth-constraint> is an *or* list, so the container is doing exactly what you told it to do -- allow anyone with either "user" or "admin" to access all "*.do" URLs.

>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Show Status</web-resource-name>
>     <url-pattern>/p/status.do</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>admin</role-name>
>   </auth-constraint>
> </security-constraint>
>

The fact that this one is second means that it will never get used, because "/p/status.do" satisfies the matching pattern on the first test. Try reversing your constraints.

Another alternative is to do some of the role-based protection on Struts actions in struts-config.xml instead, by using the "role" attribute on the <action> element. That way, you can have just your first constraint above (the one matching "*.do") to force people to log on, and then do fine grained control at the Struts level.

> <security-role>
>   <role-name>admin</role-name>
> </security-role>
>
> <security-role>
>   <role-name>user</role-name>
> </security-role>
>

Craig
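The ordering effect described in the reply above, as an added example that is not part of the original message and is not any container's code. It models first-match evaluation of `<security-constraint>` entries in declaration order and flags exact-path constraints that an earlier, broader pattern opens to extra roles. The function names and the sample descriptor are constructed, and the descriptor is assumed to have no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's two constraints in the posted order
# (http-method elements omitted; no XML namespace is assumed).
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection><url-pattern>*.do</url-pattern></web-resource-collection>
  <auth-constraint><role-name>user</role-name><role-name>admin</role-name></auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection><url-pattern>/p/status.do</url-pattern></web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return [(url_patterns, roles)] in declaration order."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        roles = {r.text.strip() for r in sc.iter("role-name")}
        out.append((patterns, roles))
    return out

def matches(pattern, path):
    """url-pattern match: '*.ext' extension, '/prefix/*' path, or exact."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def allowed(constraints, path, role):
    """First matching constraint decides, the ordering described in the reply."""
    for patterns, roles in constraints:
        if any(matches(p, path) for p in patterns):
            return role in roles
    return True  # no constraint matched: resource is unprotected

def shadowed(constraints):
    """Exact paths that an earlier, broader constraint opens to extra roles."""
    found = []
    for i, (patterns, roles) in enumerate(constraints):
        for p in (p for p in patterns if "*" not in p):
            for earlier_patterns, earlier_roles in constraints[:i]:
                extra = earlier_roles - roles
                if extra and any(matches(e, p) for e in earlier_patterns):
                    found.append((p, sorted(extra)))
    return found
```

With the posted order, `shadowed(load_constraints(WEB_XML))` reports `/p/status.do` as reachable by `user`; with the two constraints reversed it reports nothing.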