tomcat-users mailing list archives

From "Caldarale, Charles R" <Chuck.Caldar...@unisys.com>
Subject RE: Authentication without Authorization ( JNDI Realm )
Date Wed, 02 Dec 2009 22:15:42 GMT
> From: Christopher Schultz [mailto:chris@christopherschultz.net]
> Subject: Re: Authentication without Authorization ( JNDI Realm )
> 
> Technically speaking, this will require authentication but then let
> anyone holding any role defined in web.xml to access any page on your
> site.

But the valid roles still have to be listed in web.xml to be compliant with the spec.

> Practically speaking, you don't even need to define the roles in
> web.xml because (last time I checked), Tomcat treats '*' as
> "authenticated, regardless of roles".

That was a bug, now fixed:
http://marc.info/?l=tomcat-user&m=123568422715010&w=2

Note that the spec states that "*" means any defined role, not just any role:

"The special role name “*” is a shorthand for all role names defined in the deployment
descriptor."

 - Chuck


