I have two roles in my application - user and admin. If I have roles="user,admin" on my <servletredirector> in my <cactifywar> task, everything works as expected. If I remove them, I expect the ones in my web.xml file to be used - only because the documentation says so:

roles
A comma-separated list of role names which will be granted access to the redirector. If this attribute is omitted, access to the redirector will not be constrained. Unless the roles are already defined in the deployment descriptor, they will be added automatically.


So maybe the documentation should be changed?

Here's the relevant section from my web.xml:


    <!-- Restrict all users from accessing *.do -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>My Application</web-resource-name>
            <description>Require users to authenticate</description>
            <url-pattern>*.do</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>Define who can access this url-pattern</description>
            <role-name>admin</role-name>
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>
                Encryption is not required for the application in general.
            </description>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Login Configuration -->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/security/login.jsp</form-login-page>
            <form-error-page>/security/login.jsp?error=true</form-error-page>
        </form-login-config>
    </login-config>


    <!-- The admin role -->
    <security-role>
        <description>Administrator role (can edit Users)</description>
        <role-name>admin</role-name>
    </security-role>
    <!-- The tomcat role -->
    <security-role>
        <description>Default Role for All Users</description>
        <role-name>user</role-name>
    </security-role>

Thanks,

Matt

