paskal
asked on
Setting up security-constraints in Tomcat
Hi,
I've got a question about the configuration of Tomcat's Realm and especially about the security-constraint. I've set up 4 roles and I want to give each role its own web-resource-collection. The problem is that my current configuration is not working. It seems only the security constraint I've defined first is read and the rest is ignored. Probably I've used a wrong syntax but I cannot find the way that should be correct, so I hope one of you can help me out.
Here is the part of my web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reporting authorisation</web-resource-name>
    <url-pattern>/view/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the roles who have access to those servlets</description>
    <role-name>VIEWER</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reporting authorisation</web-resource-name>
    <url-pattern>/report/*</url-pattern>
    <url-pattern>/view/*</url-pattern>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the roles who have access to all servlets</description>
    <role-name>SYSADMIN</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reporting authorisation</web-resource-name>
    <url-pattern>/report/*</url-pattern>
    <url-pattern>/view/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the roles who have access to those servlets</description>
    <role-name>DEVELOPER</role-name>
    <role-name>TESTER</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <description>Admin user</description>
  <role-name>SYSADMIN</role-name>
</security-role>
<security-role>
  <description>Normal user</description>
  <role-name>DATAMAIN</role-name>
</security-role>
TIA!
ASKER
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reporting authorisation</web-resource-name>
    <url-pattern>/view/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the roles who have access to those servlets</description>
    <role-name>VIEWER</role-name>
    <role-name>SYSADMIN</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Reporting authorisation</web-resource-name>
    <url-pattern>/report/*</url-pattern>
    <url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>These are the roles who have access to all servlets</description>
    <role-name>SYSADMIN</role-name>
  </auth-constraint>
</security-constraint>
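
A lint check for two things visible in the web.xml posted in the question: URL pattern and method pairs claimed by more than one security-constraint, and roles used in an auth-constraint with no matching security-role entry. This is an added example, not part of the thread; the sample is condensed from the question, it assumes a web.xml without an XML namespace, and `lint` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the three constraints and two security-role entries
# from the question, condensed (resource names and descriptions omitted).
WEB_XML = """<web-app>
 <security-constraint><web-resource-collection>
   <url-pattern>/view/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>VIEWER</role-name></auth-constraint>
 </security-constraint>
 <security-constraint><web-resource-collection>
   <url-pattern>/report/*</url-pattern><url-pattern>/view/*</url-pattern>
   <url-pattern>/admin/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>SYSADMIN</role-name></auth-constraint>
 </security-constraint>
 <security-constraint><web-resource-collection>
   <url-pattern>/report/*</url-pattern><url-pattern>/view/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>DEVELOPER</role-name>
   <role-name>TESTER</role-name></auth-constraint>
 </security-constraint>
 <security-role><role-name>SYSADMIN</role-name></security-role>
 <security-role><role-name>DATAMAIN</role-name></security-role>
</web-app>"""

def lint(xml_text):
    """Return (overlapping pattern/method pairs, undeclared role names)."""
    root = ET.fromstring(xml_text)
    declared = {r.text.strip() for r in root.iterfind("security-role/role-name")}
    seen, used = defaultdict(list), set()
    for idx, sc in enumerate(root.iterfind("security-constraint"), 1):
        roles = sorted(r.text.strip()
                       for r in sc.iterfind("auth-constraint/role-name"))
        used.update(roles)
        for wrc in sc.iterfind("web-resource-collection"):
            # No http-method element means the constraint covers every method.
            methods = [m.text.strip() for m in wrc.iterfind("http-method")] or ["*"]
            for pat in wrc.iterfind("url-pattern"):
                for m in methods:
                    seen[(pat.text.strip(), m)].append((idx, roles))
    overlaps = {k: v for k, v in seen.items() if len(v) > 1}
    return overlaps, sorted(used - declared - {"*"})

if __name__ == "__main__":
    overlaps, undeclared = lint(WEB_XML)
    for (pattern, method), hits in sorted(overlaps.items()):
        print(f"{method} {pattern} appears in constraints {hits}")
    print("roles without a security-role entry:", undeclared)
```

Because every collection here lists GET and POST explicitly, requests using other HTTP methods on the same patterns are not covered by these constraints; omitting the http-method elements makes a constraint apply to all methods.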