From: Tim Funk
Date: Wed, 24 Jun 2009 07:02:37 -0400
To: Tomcat Users List
Subject: Re: Help: auth-constraint with Tomcat 6
Message-ID: <4A4207CD.10709@apache.org>

Do you really want to allow different passwords for the same user id? Sounds dangerous.

For different access control restrictions you need to set up various roles, which are names chosen by you, which can be something like
- reader, writer
- admin, superuser, user
- it, sales, marketing, hr

Then your role names * would be gone and you would need a for each resource category you need to protect. (Google for more details on for more help on that)

-Tim

Clement Chong wrote:
> Hi tomcat users,
>
> I am using Tomcat 6.0.20 and have successfully implemented a lockout realm
> with nested JDBCRealm and JNDIRealm. The security constraint has also been
> set up in my application WEB-INF/web.xml file:
>
> *
>
> User is now authenticated via JDBCRealm followed by JNDIRealm and would be
> able to access protected pages with any role.
>
> The question I have is how can I deny a group of users with a particular
> role to all protected pages even if they can provide correct combination of
> username/password?
>
> Would it also be possible to change the behavior of the
> combinedRealm/LockoutRealm such that if username is found in prior realm and
> password is incorrect, then it skips the other realms? It only looks into the
> other realms if username is not found in prior realms.
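
The reply's suggestion as a WEB-INF/web.xml fragment (goes inside <web-app>). This is an added example, not part of the original thread: the role names come from the reply's list, while the URL patterns, resource names and the assignment of roles to categories are assumptions.

```xml
<!-- Constructed example: URL patterns and role assignments are assumptions. -->

<!-- Before: every protected page accepts any role declared in this web.xml.
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
-->

<!-- After: one constraint per resource category, each naming its allowed roles. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Read-only pages</web-resource-name>
    <url-pattern>/reports/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>reader</role-name>
    <role-name>writer</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administration</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Each role referenced in an auth-constraint is declared here. -->
<security-role><role-name>reader</role-name></security-role>
<security-role><role-name>writer</role-name></security-role>
<security-role><role-name>admin</role-name></security-role>
```

An auth-constraint is an allow list: a role is kept out of a category by leaving it off that category's list. A user who holds both a listed and an unlisted role is still admitted, so a role meant to block access should not be combined with permitted roles on the same account.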