tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: role-based security how to?
Date Wed, 13 Dec 2000 19:37:15 GMT
Mike La Budde wrote:

> I'm a bit at a loss as to how I'm supposed to configure the role-based
> security in my webapp's web.xml file.
> Consider the following scenario for my webapp:
> area                            roles
> /pages/customers/*              sales,admin
> /pages/orders/*         sales,clerks,admin
> /pages/products/*               clerks,admin

One thing to remember is that you can list more than one <role-name> inside an
<auth-constraint>.  Therefore, I would suggst making a separate security
constraint for each different set of roles.  For example, the entry for
"/pages/products/*" would look like this:

            <web-resource-name>Product Info</web-resource-name>

You would have a similar constraint for the other two protected areas.

(Note - the <web-resource-name> element is required by the DTD. Tomcat 3.x does
not check for this, but you will get bit if you move to a different servlet
container later.)

Craig McClanahan

View raw message