tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Funk <>
Subject Re: Help: auth-constraint with Tomcat 6
Date Wed, 24 Jun 2009 11:02:37 GMT
Do you really want to have allow different passwords for the same user 
id? Sounds dangerous.

For different access control restrictions you needs to set up various 
roles, which are names chosen by you. Which can be something like
- reader, writer
- admin, superuser, user
- it, sales, marketing, hr

Then your role names * would be gone and you would need a 
<security-constraint> for each resource category you need to protect. 
(Google for more details on <security-constraint> for more help on that)


Clement Chong wrote:
> Hi tomcat users,
> I am using Tomcat 6.0.20 and have successfully implemented a lockout realm
> with nested JDBCRealm and JNDIRealm. The security constraint has also been
> setup in my application WEB-INF/web.xml file:
> <auth-constraint>
>       <!-- Anyone with one of the listed roles may access this area -->
>       <role-name>*</role-name>
> </auth-constraint>
> User is now authenticated via JDBCRealm followed by JNDIRealm and would be
> able to access protected pages with any role.
> The question I have is how can I deny a group of users with a particular
> role to all protected pages even if they can provide correct combination of
> username/password?
> Would it also be possible to change the behavior of the
> combinedRealm/LockoutRealm such that if username is found in prior realm and
> password is incorrect, then it skips the other realms? It only look into the
> other realms if username is not found in prior realms.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message