tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Trouble understanding security constraints
Date Fri, 10 Feb 2006 03:49:45 GMT

"Alan Chandler" <alan@chandlerfamily.org.uk> wrote in message 
news:200602090725.54761.alan@chandlerfamily.org.uk...
> On Thursday 09 February 2006 04:05, Bill Barker wrote:
>> "Alan Chandler" <alan@chandlerfamily.org.uk> wrote in message
>> news:200602082320.35930.alan@chandlerfamily.org.uk...
> ...
>> This works correctly in TC 5.x.  You need to reverse the order for TC 4.1.x
>> (this is due to a change in the respective versions of the servlet spec
>> they implement).
>>
>> > <security-constraint>
>> >    <web-resource-collection>
>> >      <web-resource-name>
>> >        Valid Users
>> >      </web-resource-name>
>> >      <url-pattern> /* </url-pattern>
>> >    </web-resource-collection>
>> >    <auth-constraint>
>> >      <role-name>*</role-name>
>> >    </auth-constraint>
>> > </security-constraint>
>> >
>> > <security-constraint>
>> >    <web-resource-collection>
>> >      <web-resource-name>
>> >        Site Admin
>> >      </web-resource-name>
>> >      <url-pattern> /admin/* </url-pattern>
>> >    </web-resource-collection>
>> >    <auth-constraint>
>> >      <role-name>admin</role-name>
>> >    </auth-constraint>
>> > </security-constraint>
>> >
> Since I am doing everything for TC 4.1.3 (Debian Stable) and just to be clear,
> do you mean the following (i.e. swapping round the security-constraints)
>
> <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>
>        Site Admin
>      </web-resource-name>
>      <url-pattern> /admin/* </url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>admin</role-name>
>    </auth-constraint>
> </security-constraint>
> <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>
>        Valid Users
>      </web-resource-name>
>      <url-pattern> /* </url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>*</role-name>
>    </auth-constraint>
> </security-constraint>
>
> Otherwise thank you very much that was very clear.

Yes.  TC 4.1.x does a first-match on <security-constraint>s (since the 2.3 
servlet spec doesn't specify otherwise), so you need to have your longest 
patterns first.

> -- 
> Alan Chandler
> http://www.chandlerfamily.org.uk
> Open Source. It's the difference between trust and antitrust. 




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
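
The ordering issue discussed in this message, as an added example that is not part of the original post and is not Tomcat code: a small Python audit that loads the two constraints in their original order and compares first-match selection (what the reply describes for TC 4.1.x) with longest-pattern selection. The function names, the simplified matcher (exact and `/x/*` patterns only) and the embedded `web.xml` fragment are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: the thread's two constraints, broad pattern first.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>Valid Users</web-resource-name>
      <url-pattern> /* </url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Site Admin</web-resource-name>
      <url-pattern> /admin/* </url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def load_constraints(xml_text):
    """Return [(url_pattern, set_of_roles)] in document order."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        roles = {r.text.strip() for r in sc.iter("role-name")}
        out += [(p.text.strip(), roles) for p in sc.iter("url-pattern")]
    return out

def matches(pattern, path):
    """Simplified matcher (assumption): exact and path-prefix patterns only."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path

def first_match(constraints, path):
    """First constraint in document order whose pattern matches the path."""
    return next((c for c in constraints if matches(c[0], path)), None)

def best_match(constraints, path):
    """Longest matching pattern wins, independent of document order."""
    hits = [c for c in constraints if matches(c[0], path)]
    return max(hits, key=lambda c: len(c[0]), default=None)

def shadowed(constraints):
    """Patterns first-match can never select: an earlier prefix pattern covers them."""
    def base(p):
        return (p[:-2] or "/") if p.endswith("/*") else p
    return [p for i, (p, _) in enumerate(constraints)
            if any(q.endswith("/*") and matches(q, base(p)) for q, _ in constraints[:i])]

if __name__ == "__main__":
    cs = load_constraints(WEB_XML)
    print("first-match roles for /admin/users.jsp:", first_match(cs, "/admin/users.jsp")[1])
    print("shadowed under first-match:", shadowed(cs))
```

With the original order, first-match selects the `*` constraint for `/admin/users.jsp`, so the `admin` role requirement is never evaluated; `shadowed()` returns an empty list once the `/admin/*` constraint is listed first.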

