tomcat-dev mailing list archives

From Hans Bergsten <h...@gefionsoftware.com>
Subject Re: security-constraint
Date Sat, 02 Sep 2000 22:22:11 GMT
Jon Stevens wrote:
> 
> on 9/2/2000 2:31 PM, "Hans Bergsten" <hans@gefionsoftware.com> wrote:
> 
> > You don't specify who has access. Try adding an <auth-constraint>
> > element as well. Also, I'm not sure <transport-guarantee> is
> > implemented. What you specify here is that the resources must only
> > be made available if an HTTPS connection is used. Was that the
> > intention?
> 
> Can I see a working example please? Reading and trying to figure out that
> DTD sucks. I can't tell what goes where or what does what and the
> documentation comments in it don't make much sense at all. :-(

This is an example that works in TC 3.2 Beta 3:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>search</web-resource-name>
      <url-pattern>/ch10/search/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ORA Examples</realm-name>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>user</role-name>
  </security-role>

It used to be possible to use an empty <auth-constraint> element in TC 3.1
to make it impossible for anyone to access a resource (e.g. for resources
that should only be accessed through a servlet using RD.forward()). In 
TC 3.2, an empty element seems to make the resources accessible to anyone 
without authentication. That looks like a bug to me ;-)

Hans
-- 
Hans Bergsten		hans@gefionsoftware.com
Gefion Software		http://www.gefionsoftware.com
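As an added illustration of the three cases discussed above (roles listed, empty <auth-constraint>, no <auth-constraint> at all), not code from the original post or from Tomcat: a small Python checker that applies the servlet-spec semantics to a constructed web.xml fragment. The names `policy`, `matches` and `is_allowed`, and the assumption that url-patterns do not overlap, are mine.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not from the original post): the thread's
# three cases, one <security-constraint> each.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>search</web-resource-name>
      <url-pattern>/ch10/search/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>internal</web-resource-name>
      <url-pattern>/ch10/internal/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>noauth</web-resource-name>
      <url-pattern>/ch10/noauth/*</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""

def policy(sc):
    """Servlet-spec semantics: no <auth-constraint> = no restriction,
    an empty one = nobody may access, otherwise only the listed roles."""
    ac = sc.find("auth-constraint")
    if ac is None:
        return ("unrestricted", set())
    roles = {r.text.strip() for r in ac.findall("role-name") if r.text}
    return ("roles", roles) if roles else ("deny-all", roles)

def matches(pattern, path):
    """Minimal url-pattern matching: exact match or a '/prefix/*' pattern."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def is_allowed(web_xml, path, user_roles):
    """Decide access to `path` for a principal holding `user_roles` (empty
    set = not authenticated). Assumes url-patterns do not overlap, so each
    matching constraint is applied on its own (a simplification I made)."""
    root = ET.fromstring(web_xml)
    for sc in root.findall("security-constraint"):
        wrc = sc.find("web-resource-collection")
        if not any(matches(p.text, path) for p in wrc.findall("url-pattern")):
            continue
        kind, roles = policy(sc)
        if kind == "deny-all" or (kind == "roles" and not roles & set(user_roles)):
            return False
    return True
```

Running `policy` over a real web.xml is a quick way to spot constraints that, like Jon's original one, name a resource collection but never say who may reach it.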
