Message-ID: <3A37CFEB.5942FA10@eng.sun.com>
Date: Wed, 13 Dec 2000 11:37:15 -0800
From: "Craig R. McClanahan"
To: tomcat-user@jakarta.apache.org
Subject: Re: role-based security how to?
References: <5.0.0.25.2.20001213085511.023941a0@mail.mke.hksystems.com>

Mike La Budde wrote:

> I'm a bit at a loss as to how I'm supposed to configure the role-based
> security in my webapp's web.xml file.
>
> Consider the following scenario for my webapp:
>
> area                    roles
> /pages/customers/*      sales,admin
> /pages/orders/*         sales,clerks,admin
> /pages/products/*       clerks,admin
>

One thing to remember is that you can list more than one inside an . Therefore, I would suggest making a separate security constraint for each different set of roles. For example, the entry for "/pages/products/*" would look like this:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Product Info</web-resource-name>
        <url-pattern>/pages/products/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>clerks</role-name>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>

You would have a similar constraint for the other two protected areas.

(Note - the element is required by the DTD. Tomcat 3.x does not check for this, but you will get bit if you move to a different servlet container later.)

Craig McClanahan
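Added example, not part of Craig's message or the Tomcat code base: a small Python check that reads a DTD-style web.xml (no XML namespace, as in Servlet 2.2), lists which roles each URL pattern is restricted to, and flags any web-resource-collection lacking the web-resource-name element that the Servlet 2.2 DTD requires. The sample descriptor and the function name audit_constraints are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor for two of the thread's areas (not from the post).
# The orders constraint deliberately omits <web-resource-name>.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Customer Info</web-resource-name>
      <url-pattern>/pages/customers/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>sales</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/pages/orders/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>sales</role-name>
      <role-name>clerks</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""


def audit_constraints(web_xml):
    """Return (pattern -> sorted roles, list of DTD problems) for a web.xml string."""
    root = ET.fromstring(web_xml)
    access, problems = {}, []
    for idx, sc in enumerate(root.findall("security-constraint"), start=1):
        auth = sc.find("auth-constraint")
        # No <auth-constraint> means the constraint does not restrict by role.
        roles = None if auth is None else sorted(
            (r.text or "").strip() for r in auth.findall("role-name"))
        for wrc in sc.findall("web-resource-collection"):
            name = wrc.findtext("web-resource-name")
            patterns = [(p.text or "").strip() for p in wrc.findall("url-pattern")]
            if not (name or "").strip():
                problems.append(f"constraint {idx} {patterns}: missing <web-resource-name>")
            for pat in patterns:
                access[pat] = roles
    return access, problems


if __name__ == "__main__":
    print(audit_constraints(SAMPLE_WEB_XML))
```

Running such a check before moving a webapp to a stricter container surfaces descriptors that Tomcat 3.x accepted but a validating parser would reject.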