I have two roles in my application - user and admin. If I have
roles="user,admin" on my <servletredirector> in my <cactifywar> task,
everything works as expected. If I remove them, I expect the ones in
my web.xml file to be used - only because the documentation says so:
roles
A comma-separated list of role names which will be granted access to
the redirector. If this attribute is omitted, access to the redirector
will not be constrained. Unless the roles are already defined in the
deployment descriptor, they will be added automatically.
So maybe the documentation should be changed?
Here's the relevant section from my web.xml:
    <!-- Restrict all users from accessing *.do -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>My Application</web-resource-name>
            <description>Require users to authenticate</description>
            <url-pattern>*.do</url-pattern>
            <http-method>POST</http-method>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>Define who can access this url-pattern</description>
            <role-name>admin</role-name>
            <role-name>user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description>
                Encryption is not required for the application in
                general.
            </description>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Login Configuration -->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/security/login.jsp</form-login-page>
            <form-error-page>/security/login.jsp?error=true</form-error-page>
        </form-login-config>
    </login-config>

    <!-- The admin role -->
    <security-role>
        <description>Administrator role (can edit Users)</description>
        <role-name>admin</role-name>
    </security-role>

    <!-- The tomcat role -->
    <security-role>
        <description>Default Role for All Users</description>
        <role-name>user</role-name>
    </security-role>
Thanks,
Matt
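
Added example (not part of the original message, and not Cactus code): a small Python check that reads a deployment descriptor and reports which roles, if any, a given path and HTTP method require under servlet url-pattern matching. The `REDIRECTOR` path and `/editUser.do` are assumed sample paths, and the descriptor is a trimmed, constructed copy of the constraint quoted above.

```python
import xml.etree.ElementTree as ET

REDIRECTOR = "/ServletRedirectorSecure"  # assumed redirector mapping, not from the message

# Constructed sample: the <security-constraint> from the message, trimmed.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>*.do</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def _rank(pattern, path):
    """Servlet-spec precedence: exact > longest prefix > extension > default."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def required_roles(web_xml, path, method="GET"):
    """Roles required for path+method, or None if no auth-constraint applies.
    Simplification: unions roles over constraints sharing the best pattern."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # strip XML namespaces used by newer descriptors
        el.tag = el.tag.rsplit("}", 1)[-1]
    best, roles = None, set()
    for sc in root.iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.iter("http-method")]
            if methods and method not in methods:
                continue  # constraint lists methods and this one is not among them
            for up in wrc.iter("url-pattern"):
                rank = _rank(up.text.strip(), path)
                if rank is None or (best is not None and rank < best):
                    continue
                if best is None or rank > best:
                    best, roles = rank, set()
                roles.update(r.text.strip() for r in sc.iter("role-name"))
    return roles or None
```

With this descriptor, `required_roles(WEB_XML, "/editUser.do")` returns the admin and user roles, while `required_roles(WEB_XML, REDIRECTOR)` returns None because `*.do` does not match that path. A method that the constraint does not list (anything other than GET or POST here) also comes back as None.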