tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Auth-constraint with Tomcat 6
Date Wed, 24 Jun 2009 14:45:09 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Clement,

On 6/24/2009 2:57 AM, Clement Chong wrote:
> <auth-constraint>
>       <!-- Anyone with one of the listed roles may access this area -->
>       <role-name>*</role-name>
> </auth-constraint>
> 
> User is now authenticated via JDBCRealm followed by JNDIRealm and
> would be able to access protected pages with any role.
> 
> The question I have is how can I deny a group of users with a
> particular role to all protected pages even if they can provide
> correct combination of username/password?

Instead of specifying '*' as the allowed role (which means "any defined
role"), you should specify all roles that /should/ have access and omit
those that shouldn't.

You could also remove your <auth-constraint> and implement your own
authorization in a filter.

> Would it also be possible to change the behavior of the
> combinedRealm/LockoutRealm such that if username is found in prior
> realm and password is incorrect, then it skips the other realms? It
> only look into the other realms if username is not found in prior
> realms.

I'm sure you could do that: you're the author of that realm!

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkpCO/UACgkQ9CaO5/Lv0PAvhQCeKFfpRHbwpnqVywYeQqjZqs5f
ksAAnRpi75K66uNf422xWRIBCOdWoGSL
=fYkB
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message