Return-Path: <mike.labudde@irista.com>
Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-user@jakarta.apache.org
Received: (qmail 5565 invoked from network); 13 Dec 2000 21:23:36 -0000
Received: from gatekeeper.hksystems.com (HELO hksystems.com)
 (root@205.160.128.130)
  by locus.apache.org with SMTP; 13 Dec 2000 21:23:36 -0000
Received: from mkefil01.mke.hksystems.com (mkefil01.mke.hksystems.com
 [10.1.11.1]) by hksystems.com with ESMTP (8.9.3/8.7.1) id PAA14698 for
 <tomcat-user@jakarta.apache.org>; Wed, 13 Dec 2000 15:31:31 -0600 (CST)
Received: from mke01431.irista.com ([10.1.122.221])
          by mkefil01.mke.hksystems.com (Netscape Messaging Server 3.52)
           with ESMTP id AAA67AA for <tomcat-user@jakarta.apache.org>;
          Wed, 13 Dec 2000 15:23:26 -0600
Message-Id: <5.0.0.25.2.20001213143142.0232ed90@mail.mke.hksystems.com>
X-Sender: labudde@mail.mke.hksystems.com
X-Mailer: QUALCOMM Windows Eudora Version 5.0
Date: Wed, 13 Dec 2000 15:22:57 -0600
To: tomcat-user@jakarta.apache.org
From: Mike La Budde <mike.labudde@irista.com>
Subject: Re: role-based security how to?
In-Reply-To: <3A37CFEB.5942FA10@eng.sun.com>
References: <5.0.0.25.2.20001213085511.023941a0@mail.mke.hksystems.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N

Thanks Craig!

I had tried defining several security-constraints like this:

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>customers</web-resource-name>
             <url-pattern>/pages/customers/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
             <role-name>sales</role-name>
             <role-name>admin</role-name>
         </auth-constraint>
     </security-constraint>

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>orders</web-resource-name>
             <url-pattern>/pages/orders/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
             <role-name>sales</role-name>
             <role-name>clerks</role-name>
             <role-name>admin</role-name>
         </auth-constraint>
     </security-constraint>

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>products</web-resource-name>
             <url-pattern>/pages/products/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
             <role-name>clerks</role-name>
             <role-name>admin</role-name>
         </auth-constraint>
     </security-constraint>

However, it blew up Tomcat and closed my console window! (I'm running under 
Win NT 4.0). So I just figured that I was specifying these wrong.

Turns out the above is correct and I had introduced a different problem, 
which caused it to blow up....

Mike



At 12/13/2000 11:37 AM -0800, you wrote:
>Mike La Budde wrote:
>
> > I'm a bit at a loss as to how I'm supposed to configure the role-based
> > security in my webapp's web.xml file.
> >
> > Consider the following scenario for my webapp:
> >
> > area                            roles
> > /pages/customers/*              sales,admin
> > /pages/orders/*         sales,clerks,admin
> > /pages/products/*               clerks,admin
> >
>
>One thing to remember is that you can list more than one <role-name> inside an
><auth-constraint>.  Therefore, I would suggst making a separate security
>constraint for each different set of roles.  For example, the entry for
>"/pages/products/*" would look like this:
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Product Info</web-resource-name>
>             <url-pattern>/pages/products/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>clerks</role-name>
>             <role-name>admin</role-name>
>         </auth-constraint>
>     </security-constraint>
>
>You would have a similar constraint for the other two protected areas.
>
>(Note - the <web-resource-name> element is required by the DTD. Tomcat 3.x 
>does
>not check for this, but you will get bit if you move to a different servlet
>container later.)
>
>Craig McClanahan