Asked by paskal
Setting up security-constraints in Tomcat

Hi,

I've got a question about the configuration of Tomcat's Realm, and especially about the security-constraint. I've set up 4 roles and I want to give each role its own web-resource-collection. The problem is that my current configuration is not working. It seems only the security constraint I've defined first is read and the rest is ignored. Probably I've used the wrong syntax, but I cannot find the way that should be correct, so I hope one of you can help me out.
Here is the part of my web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Reporting authorisation</web-resource-name>
        <url-pattern>/view/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access to those servlets</description>
        <role-name>VIEWER</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Reporting authorisation</web-resource-name>
        <url-pattern>/report/*</url-pattern>
        <url-pattern>/view/*</url-pattern>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access to all servlets</description>
        <role-name>SYSADMIN</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Reporting authorisation</web-resource-name>
        <url-pattern>/report/*</url-pattern>
        <url-pattern>/view/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access to those servlets</description>
        <role-name>DEVELOPER</role-name>
        <role-name>TESTER</role-name>
    </auth-constraint>
</security-constraint>


<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

<security-role>
    <description>Admin user</description>
    <role-name>SYSADMIN</role-name>
</security-role>

<security-role>
    <description>Normal user</description>
    <role-name>DATAMAIN</role-name>
</security-role>
   
TIA!
paskal (asker):
This question can be closed. I've found the answer myself. You should have one url-pattern linked with one or more roles and not have the same url-pattern used more than once.

<security-constraint>
   <web-resource-collection>
       <web-resource-name>Reporting authorisation</web-resource-name>
       <url-pattern>/view/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
      <description>These are the roles who have access to those servlets</description>
      <role-name>VIEWER</role-name>
      <role-name>SYSADMIN</role-name>
   </auth-constraint>
</security-constraint>

<security-constraint>
   <web-resource-collection>
       <web-resource-name>Reporting authorisation</web-resource-name>
       <url-pattern>/report/*</url-pattern>
       <url-pattern>/admin/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
   </web-resource-collection>
   <auth-constraint>
     <description>These are the roles who have access to all servlets</description>
       <role-name>SYSADMIN</role-name>
   </auth-constraint>
</security-constraint>
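Two things a reviewer would still want checked in the corrected web.xml above: every constraint lists only GET and POST in `<http-method>`, so per the Servlet spec any other verb (HEAD, PUT, DELETE, OPTIONS, or an arbitrary method name) matches no constraint and reaches the servlet without any authorization check; and VIEWER is named in an `<auth-constraint>` but never declared as a `<security-role>`. As an added example (not code from this thread or from Tomcat), the Python script below parses a web.xml fragment the way the container matches constraints and reports both issues. The two embedded web.xml strings are constructed for the example: `WEAK_WEB_XML` mirrors paskal's corrected constraints, `HARDENED_WEB_XML` drops the method list so every verb is covered, adds `<deny-uncovered-http-methods/>` (Servlet 3.1, so Tomcat 8 or later) as a backstop, declares every used role, and requires CONFIDENTIAL transport because BASIC auth sends the credentials base64-encoded on every request. The script assumes only `<http-method>` is used, as in the thread; `<http-method-omission>` is not handled.

```python
"""Added example, not code from the thread: audit <security-constraint>
coverage in a web.xml the way the Servlet spec matches constraints.

Reports url-patterns that are protected only for the listed <http-method>s
(any other verb, e.g. HEAD, PUT or DELETE, reaches the servlet with no
authorization check unless <deny-uncovered-http-methods/> is present) and
roles named in an <auth-constraint> that no <security-role> declares.
Assumes only <http-method> is used, as in the thread; <http-method-omission>
is not handled.
"""
import xml.etree.ElementTree as ET

# Constructed input mirroring paskal's corrected constraints: only GET and
# POST are listed, and VIEWER is never declared as a <security-role>.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reporting authorisation</web-resource-name>
      <url-pattern>/view/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>VIEWER</role-name><role-name>SYSADMIN</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reporting authorisation</web-resource-name>
      <url-pattern>/report/*</url-pattern><url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>SYSADMIN</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>SYSADMIN</role-name></security-role>
  <security-role><role-name>DATAMAIN</role-name></security-role>
</web-app>"""

# Constructed hardened variant: no <http-method> list, so every verb is
# covered; <deny-uncovered-http-methods/> (Servlet 3.1, Tomcat 8+) as a
# backstop; every used role declared; CONFIDENTIAL transport because BASIC
# auth sends the credentials base64-encoded on every request.
HARDENED_WEB_XML = """<web-app>
  <deny-uncovered-http-methods/>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>viewer area</web-resource-name>
      <url-pattern>/view/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>VIEWER</role-name><role-name>SYSADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area</web-resource-name>
      <url-pattern>/report/*</url-pattern><url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>SYSADMIN</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>SYSADMIN</role-name></security-role>
  <security-role><role-name>VIEWER</role-name></security-role>
</web-app>"""


def audit(web_xml):
    """Return {"partial": {url-pattern: [covered methods]}, "undeclared": [roles]}.

    A pattern is "partial" when every constraint naming it lists explicit
    <http-method>s and the deployment does not deny uncovered methods.
    """
    root = ET.fromstring(web_xml)
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    deny_uncovered = root.find("deny-uncovered-http-methods") is not None
    covered = {}   # url-pattern -> set of methods; "*" means every method
    used = set()
    for sc in root.findall("security-constraint"):
        used.update(r.text.strip() for r in sc.findall("auth-constraint/role-name"))
        for wrc in sc.findall("web-resource-collection"):
            # No <http-method> at all means the constraint applies to every verb.
            methods = {m.text.strip().upper() for m in wrc.findall("http-method")} or {"*"}
            for p in wrc.findall("url-pattern"):
                covered.setdefault(p.text.strip(), set()).update(methods)
    partial = {} if deny_uncovered else {
        p: sorted(m) for p, m in covered.items() if "*" not in m}
    return {"partial": partial, "undeclared": sorted(used - declared)}


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(name, audit(doc))
```

Run against the weak fragment it reports `/view/*`, `/report/*` and `/admin/*` as covered only for GET and POST and VIEWER as undeclared; the hardened fragment reports nothing. If you cannot move to Servlet 3.1, the portable fix is simply to leave out the `<http-method>` elements so the constraint applies to every verb.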



ASKER CERTIFIED SOLUTION
modulo