Solved

Setting up security-constraints in Tomcat

Posted on 2003-03-20
Medium Priority
319 Views
Last Modified: 2010-04-20
Hi,

I've got a question about the configuration of Tomcat's Realm and especially about the security-constraint. I've set up 4 roles and I want to give each role its own web-resource-collection. The problem is that my current configuration is not working. It seems only the security constraint I've defined first is read and the rest is ignored. Probably I've used the wrong syntax, but I cannot find the way that should be correct, so I hope one of you can help me out.
Here is the part of my web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Reporting authorisation</web-resource-name>
        <url-pattern>/view/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access to those servlets</description>
        <role-name>VIEWER</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Reporting authorisation</web-resource-name>
        <url-pattern>/report/*</url-pattern>
        <url-pattern>/view/*</url-pattern>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access to all servlets</description>
        <role-name>SYSADMIN</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Reporting authorisation</web-resource-name>
        <url-pattern>/report/*</url-pattern>
        <url-pattern>/view/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access to those servlets</description>
        <role-name>DEVELOPER</role-name>
        <role-name>TESTER</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

<security-role>
    <description>Admin user</description>
    <role-name>SYSADMIN</role-name>
</security-role>

<security-role>
    <description>Normal user</description>
    <role-name>DATAMAIN</role-name>
</security-role>
   
TIA!
Question by: paskal

2 Comments
Author Comment

by: paskal
ID: 8339306
This question can be closed. I've found the answer myself. You should have one url-pattern linked with one or more roles and not have the same url-pattern used more than once.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Reporting authorisation</web-resource-name>
        <url-pattern>/view/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access to those servlets</description>
        <role-name>VIEWER</role-name>
        <role-name>SYSADMIN</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Reporting authorisation</web-resource-name>
        <url-pattern>/report/*</url-pattern>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access to all servlets</description>
        <role-name>SYSADMIN</role-name>
    </auth-constraint>
</security-constraint>



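What a container actually does with overlapping constraints, as an added example that is not code from the original post or from Tomcat: a Python script that reads a web.xml, applies the Servlet specification's combining rules to every security-constraint, and prints the effective access for each url-pattern and HTTP method. Under those rules, constraints covering the same url-pattern and method are merged rather than one winning: the permitted roles are the union of the named roles, an empty auth-constraint precludes access for everyone, a constraint with no auth-constraint at all admits unauthenticated callers, and a constraint that lists http-method elements covers only those methods. The script also reports two things a reviewer would flag in the first configuration above: roles used in an auth-constraint that are never declared in a security-role, and methods such as HEAD, PUT or DELETE left unconstrained because only GET and POST are listed. The sample web.xml is constructed from the first configuration in the question (abbreviated); the function names, the COMMON_METHODS list and the "open"/"denied" labels are this example's own choices, and results are keyed on the literal url-pattern rather than on request-path matching.

```python
"""Added example (not from the original post or Tomcat): derive the effective
access rules from web.xml <security-constraint> elements using the Servlet
specification's combining rules, and flag undeclared roles and HTTP methods
left unconstrained. Access is keyed on the literal <url-pattern>."""
import xml.etree.ElementTree as ET

# Methods a server will normally accept (this example's own list). A
# constraint that names only GET and POST leaves the rest unprotected.
COMMON_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE")

# Constructed sample: the poster's first configuration, abbreviated.
SAMPLE_WEB_XML = """<web-app>
<security-constraint><web-resource-collection>
  <web-resource-name>view</web-resource-name><url-pattern>/view/*</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection>
<auth-constraint><role-name>VIEWER</role-name></auth-constraint>
</security-constraint>
<security-constraint><web-resource-collection>
  <web-resource-name>all</web-resource-name><url-pattern>/report/*</url-pattern>
  <url-pattern>/view/*</url-pattern><url-pattern>/admin/*</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection>
<auth-constraint><role-name>SYSADMIN</role-name></auth-constraint>
</security-constraint>
<security-constraint><web-resource-collection>
  <web-resource-name>dev</web-resource-name><url-pattern>/report/*</url-pattern>
  <url-pattern>/view/*</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
  <role-name>DEVELOPER</role-name><role-name>TESTER</role-name>
</auth-constraint>
</security-constraint>
<security-role><role-name>SYSADMIN</role-name></security-role>
<security-role><role-name>DATAMAIN</role-name></security-role>
</web-app>"""

def _texts(el, path):
    return [e.text.strip() for e in el.findall(path) if e.text]

def parse_rules(web_xml):
    """Return ([(patterns, methods, roles)], declared_roles), one rule per
    <web-resource-collection>. methods == () covers every method; roles is
    None when the constraint has no <auth-constraint>."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                   # drop the J2EE/Jakarta namespace
        el.tag = el.tag.rsplit("}", 1)[-1]
    rules = []
    for sc in root.findall("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else frozenset(_texts(ac, "role-name"))
        for wrc in sc.findall("web-resource-collection"):
            methods = tuple(m.upper() for m in _texts(wrc, "http-method"))
            rules.append((_texts(wrc, "url-pattern"), methods, roles))
    return rules, frozenset(_texts(root, "security-role/role-name"))

def effective_access(rules, pattern, method):
    """Combine every rule naming `pattern` that covers `method` (Servlet spec):
    an empty <auth-constraint/> denies everyone and overrides the rest; a rule
    without <auth-constraint> admits unauthenticated callers; otherwise the
    roles are unioned. Returns "denied", "open" or a frozenset of role names;
    "open" is also returned when nothing covers the pair."""
    covering = [roles for pats, meths, roles in rules
                if pattern in pats and (not meths or method in meths)]
    if any(r is not None and not r for r in covering):
        return "denied"
    if not covering or any(r is None for r in covering):
        return "open"
    return frozenset().union(*covering)

def audit(web_xml, methods=COMMON_METHODS):
    """Return (table, findings): table maps (pattern, method) to its access."""
    rules, declared = parse_rules(web_xml)
    table, findings = {}, []
    for pattern in sorted({p for pats, _, _ in rules for p in pats}):
        for method in methods:
            table[(pattern, method)] = effective_access(rules, pattern, method)
        guarded = {m for m in methods if table[(pattern, m)] != "open"}
        if guarded and guarded != set(methods):   # verb-tampering gap
            gap = sorted(set(methods) - guarded)
            findings.append(f"{pattern}: {gap} reachable without authentication")
    used = set().union(*(r for _, _, r in rules if r))
    for role in sorted(used - declared):
        findings.append(f"role {role} used in <auth-constraint> but never declared")
    return table, findings

if __name__ == "__main__":
    table, findings = audit(SAMPLE_WEB_XML)
    for (pattern, method), access in sorted(table.items()):
        shown = sorted(access) if isinstance(access, frozenset) else access
        print(f"{pattern:10} {method:8} {shown}")
    for finding in findings:
        print("WARNING:", finding)
```

Run with no arguments to audit the embedded sample: the third column shows which roles end up permitted for each pattern and method, and the WARNING lines show the gaps. To check a real deployment, read the application's WEB-INF/web.xml into audit() in place of SAMPLE_WEB_XML; the namespace used by Servlet 2.4 and later descriptors is stripped before parsing, so the same code works on both DTD-era and schema-era files.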
 

Accepted Solution

by: modulo earned 0 total points
ID: 8422100
PAQ'd and points refunded

modulo

Community Support Moderator
Experts Exchange
