tomcat-users mailing list archives

From Clement Chong <>
Subject Re: Help: auth-constraint with Tomcat 6
Date Wed, 24 Jun 2009 15:12:35 GMT
Hi Tim,

Basically the first realm contains a list of users we want to deny access to. The
password would be dynamic, making it difficult to get through. Well, maybe I
should really consider working with specific roles. That is, grant users
roles that would allow them access. Then I would probably just need a
single realm for authentication.

However, this would mean almost all users require such a role to be granted except
for some whom we would like to deny access. Then every new user would also probably
need to be granted the role. A little extra work there, besides working with IT to
get the new role set up. A black list would work better than a white list in
this case.


On Wed, Jun 24, 2009 at 7:02 PM, Tim Funk <> wrote:

> Do you really want to allow different passwords for the same user id?
> Sounds dangerous.
> For different access control restrictions you need to set up various
> roles, which are names chosen by you. These can be something like
> - reader, writer
> - admin, superuser, user
> - it, sales, marketing, hr
> Then your role name * would be gone and you would need a
> <security-constraint> for each resource category you need to protect.
> (Google <security-constraint> for more details and help on that.)
> -Tim
> Clement Chong wrote:
>> Hi tomcat users,
>> I am using Tomcat 6.0.20 and have successfully implemented a lockout realm
>> with nested JDBCRealm and JNDIRealm. The security constraint has also been
>> set up in my application WEB-INF/web.xml file:
>> <auth-constraint>
>>      <!-- Anyone with one of the listed roles may access this area -->
>>      <role-name>*</role-name>
>> </auth-constraint>
>> The user is now authenticated via JDBCRealm followed by JNDIRealm and would be
>> able to access protected pages with any role.
>> The question I have is how can I deny a group of users with a particular
>> role access to all protected pages even if they can provide the correct
>> combination of username/password?
>> Would it also be possible to change the behavior of the
>> CombinedRealm/LockOutRealm such that if the username is found in a prior realm
>> and the password is incorrect, then it skips the other realms? It would only
>> look into the other realms if the username is not found in prior realms.
