tomcat-users mailing list archives

From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: role-based security how to?
Date Wed, 13 Dec 2000 19:37:15 GMT
Mike La Budde wrote:

> I'm a bit at a loss as to how I'm supposed to configure the role-based
> security in my webapp's web.xml file.
>
> Consider the following scenario for my webapp:
>
> area                    roles
> /pages/customers/*      sales,admin
> /pages/orders/*         sales,clerks,admin
> /pages/products/*       clerks,admin
>

One thing to remember is that you can list more than one <role-name> inside an
<auth-constraint>.  Therefore, I would suggest making a separate security
constraint for each different set of roles.  For example, the entry for
"/pages/products/*" would look like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Product Info</web-resource-name>
            <url-pattern>/pages/products/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>clerks</role-name>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>

You would have a similar constraint for the other two protected areas.

(Note - the <web-resource-name> element is required by the DTD. Tomcat 3.x does
not check for this, but you will get bit if you move to a different servlet
container later.)

Craig McClanahan
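
An added example, not part of the original message or of Tomcat: a small Python audit that reads a web.xml, lists which roles each URL pattern admits, and flags any `<web-resource-collection>` lacking the DTD-required `<web-resource-name>`. The embedded web.xml is constructed from the scenario in the question, the resource names "Customer Info" and the function name `audit` are assumptions, and the file is assumed to be DTD-style with no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one constraint per distinct role set, as suggested above.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Customer Info</web-resource-name>
      <url-pattern>/pages/customers/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>sales</role-name><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <!-- web-resource-name deliberately omitted to trigger the check -->
      <url-pattern>/pages/orders/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>sales</role-name><role-name>clerks</role-name>
      <role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Product Info</web-resource-name>
      <url-pattern>/pages/products/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>clerks</role-name><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def audit(web_xml):
    """Return ({url-pattern: sorted role names}, [problems]) for a web.xml string."""
    access, problems = {}, []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        # Every <role-name> in the constraint's <auth-constraint> is allowed in.
        roles = sorted(r.text.strip() for r in sc.iter("role-name"))
        for wrc in sc.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.iter("url-pattern")]
            name = wrc.findtext("web-resource-name")
            if not (name and name.strip()):
                problems.append("missing <web-resource-name> for %s" % patterns)
            for pattern in patterns:
                access[pattern] = roles
    return access, problems

if __name__ == "__main__":
    access, problems = audit(WEB_XML)
    for pattern, roles in sorted(access.items()):
        print(pattern, "->", ", ".join(roles))
    for problem in problems:
        print("WARNING:", problem)
```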


