tomcat-users mailing list archives

From "Dennis van den Berg" <Dennis.vandenB...@triodos.nl>
Subject security-constraints
Date Tue, 11 Jun 2002 11:02:46 GMT
Hi all,

According to the servlet 2.3 specs, the longest path-prefix is used when determining which
servlet-mapping or which security-constraint is to be used.

However, when I specify the following security-constraints:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Collection1</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role1</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Collection2</web-resource-name>
      <url-pattern>/view/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>role2</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

A user who is in role2 is denied access to URLs which start with /view/*, and it seems
that the order in which I specify the security-constraints matters?

Am I missing something?

Thanks,


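The symptom described in the message is what a first-match-in-declaration-order rule would produce, as opposed to longest path-prefix selection. The sketch below is an added example, not part of the original message and not Tomcat's code; it models both rules over the message's two constraints (reduced to their url-pattern and auth-constraint elements). The request path `/view/report.jsp`, the function names and the reduced matcher (exact and path-prefix patterns only) are assumptions, and the page does not confirm which rule the container applies.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: the message's two constraints, reduced, under a root element.
WEB_XML = """<web-app>
<security-constraint><web-resource-collection>
  <url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>role1</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection>
  <url-pattern>/view/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>role2</role-name></auth-constraint></security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return [(url_patterns, roles)] in declaration order; roles is None if unrestricted."""
    found = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        found.append(([p.text.strip() for p in sc.iter("url-pattern")], roles))
    return found

def match_rank(pattern, path):
    """Sortable rank of a match (exact beats prefix, longer prefix wins), else None."""
    if pattern == path:
        return (1, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (0, len(prefix))
    return None

def select(constraints, path, longest_prefix):
    """Governing constraint: best-ranked match, or first match in declaration order."""
    hits = [(match_rank(p, path), roles) for pats, roles in constraints for p in pats]
    hits = [h for h in hits if h[0] is not None]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0]) if longest_prefix else hits[0]

def allowed(hit, user_roles):
    """Unconstrained resources are open; an empty role set denies everyone."""
    return hit is None or hit[1] is None or bool(hit[1] & set(user_roles))

def compare(xml_text, path, user_roles):
    cs = load_constraints(xml_text)
    return {"longest_prefix": allowed(select(cs, path, True), user_roles),
            "declaration_order": allowed(select(cs, path, False), user_roles),
            "declaration_order_reversed": allowed(select(cs[::-1], path, False), user_roles)}

print(compare(WEB_XML, "/view/report.jsp", ["role2"]))
```

Under the declaration-order rule the broad `/*` constraint shadows `/view/*` whenever it is listed first, so listing the more specific constraint first changes the outcome; under longest-prefix selection the order has no effect.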