
Setting up security-constraints in Tomcat

Hi,

I've got a question about the configuration of Tomcat's Realm and especially about the security-constraint. I've set up 4 roles and I want to give each role its own web-resource-collection. The problem is that my current configuration is not working. It seems only the security constraint I've defined first is read and the rest is ignored. Probably I've used a wrong syntax but I cannot find the way that should be correct, so I hope one of you can help me out.
Here is the part of my web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Reporting authorisation</web-resource-name>
        <url-pattern>/view/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access to those servlets</description>
        <role-name>VIEWER</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Reporting authorisation</web-resource-name>
        <url-pattern>/report/*</url-pattern>
        <url-pattern>/view/*</url-pattern>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access to all servlets</description>
        <role-name>SYSADMIN</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Reporting authorisation</web-resource-name>
        <url-pattern>/report/*</url-pattern>
        <url-pattern>/view/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access to those servlets</description>
        <role-name>DEVELOPER</role-name>
        <role-name>TESTER</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

<security-role>
    <description>Admin user</description>
    <role-name>SYSADMIN</role-name>
</security-role>

<security-role>
    <description>Normal user</description>
    <role-name>DATAMAIN</role-name>
</security-role>
   
TIA!
Asked: paskal
1 Solution

paskal (Author) commented:
This question can be closed. I've found the answer myself. You should have one url pattern linked with one or more roles and not have the same url-pattern used more than once.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Reporting authorisation</web-resource-name>
        <url-pattern>/view/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access to those servlets</description>
        <role-name>VIEWER</role-name>
        <role-name>SYSADMIN</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Reporting authorisation</web-resource-name>
        <url-pattern>/report/*</url-pattern>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access to all servlets</description>
        <role-name>SYSADMIN</role-name>
    </auth-constraint>
</security-constraint>



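Both web.xml fragments in this thread (the question's and the answer's) are easier to reason about as "effective roles per url-pattern" than constraint by constraint, because the Servlet specification merges constraints that share a url-pattern and http-method by taking the union of their roles. The Python script below is an added example, not code from the question or from Tomcat: it parses a web.xml (a constructed sample modelled on the question's layout is embedded), computes the merged roles per url-pattern, flags patterns that appear in more than one constraint, flags roles used in an auth-constraint without a matching security-role, and warns when constraints list http-methods but the file has no <deny-uncovered-http-methods/> element (Servlet 3.1), since methods not listed are left unconstrained. The function name analyse and the helper names are my own choices.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.xml, modelled on the question's layout: the same
# pattern repeated across constraints, GET/POST only, and an undeclared role.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>viewers</web-resource-name>
      <url-pattern>/view/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>VIEWER</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admins</web-resource-name>
      <url-pattern>/report/*</url-pattern>
      <url-pattern>/view/*</url-pattern>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>SYSADMIN</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>SYSADMIN</role-name></security-role>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so the check works with any web-app schema version."""
    return tag.rsplit('}', 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text]


def analyse(web_xml_text):
    """Return the merged roles per url-pattern plus a list of findings."""
    root = ET.fromstring(web_xml_text)
    grants = defaultdict(set)               # url-pattern -> union of roles
    constraints_per_pattern = defaultdict(int)
    method_limited = set()                  # patterns whose constraint lists http-methods
    referenced_roles = set()

    for sc in _children(root, 'security-constraint'):
        roles = set()
        for ac in _children(sc, 'auth-constraint'):
            roles.update(_text(ac, 'role-name'))   # '*' means any authenticated user
        referenced_roles |= roles
        for wrc in _children(sc, 'web-resource-collection'):
            methods = _text(wrc, 'http-method')
            for pattern in _text(wrc, 'url-pattern'):
                grants[pattern] |= roles
                constraints_per_pattern[pattern] += 1
                if methods:
                    method_limited.add(pattern)

    declared = set()
    for sr in _children(root, 'security-role'):
        declared.update(_text(sr, 'role-name'))
    deny_uncovered = bool(_children(root, 'deny-uncovered-http-methods'))

    findings = []
    for pattern, n in constraints_per_pattern.items():
        if n > 1:
            findings.append(f"{pattern}: listed in {n} constraints; effective roles {sorted(grants[pattern])}")
    if not deny_uncovered:
        for pattern in sorted(method_limited):
            findings.append(f"{pattern}: only the listed methods are constrained; "
                            "others are open (no <deny-uncovered-http-methods/>)")
    for role in sorted((referenced_roles - declared) - {'*'}):
        findings.append(f"role {role} used in <auth-constraint> but not declared in <security-role>")

    return {'grants': {p: sorted(r) for p, r in grants.items()}, 'findings': findings}


if __name__ == '__main__':
    result = analyse(SAMPLE_WEB_XML)
    for pattern, roles in sorted(result['grants'].items()):
        print(f"{pattern:12} -> {roles}")
    for finding in result['findings']:
        print("finding:", finding)
```

Run it against a real web.xml by passing the file contents to analyse. Because the script merges roles per pattern rather than trusting any one constraint, it shows the grant that Tomcat actually enforces for /view/* in the sample (VIEWER and SYSADMIN together), and the deny-uncovered warning is the one to act on when a constraint enumerates GET and POST only.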
 
modulo commented:
PAQ'd and points refunded

modulo

Community Support Moderator
Experts Exchange