tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: Security role name warning
Date Sat, 07 Dec 2002 02:35:02 GMT

On Fri, 6 Dec 2002, Peter Lee wrote:

> Date: Fri, 06 Dec 2002 03:52:38 -0800
> From: Peter Lee <>
> Reply-To: Tomcat Users List <>,
> To:
> Subject: Security role name warning
> I got the following warning. what does it really mean?
> WARNING: Security role name specialrole used in an <auth-constraint> without being
defined in a <security-
> role>

It means what it says :-).

According to the servlet specification, you are supposed to use a
<security-role> element in web.xml to define *all* of the role names that
your application uses, either directly in a security constraint or
dynamically as an argument to request.isUserInRole().  Tomcat has never
enforced this constraint, although some J2EE app servers do.  This warning
is there to nudge you towards making your web.xml file more compliant with
the standards, without causing apps that don't do it to fail.


To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message