Here is my setup... Tomcat v3.2.1

Within our Intranet webapp, I have set up a separate security 'url-pattern'
for both SALES and MARKETING. I have assigned each 'url-pattern' an
associated 'auth-constraint' (role). When I access a SALES URL, I am taken to
the '<form-login-page>' to log in, which works fine. I am able to log in
correctly and then redirect to my originally requested secure SALES URL.
However, once I am logged in to the SALES section, I try to access a
secure MARKETING URL, and am given the '<form-error-page>' as a result.

What I wanted to happen is to be prompted with the '<form-login-page>' again
so that I can log in using a valid username/password associated with the
'marketing' role, not the '<form-error-page>'. To work around this, I made a
small change to the FormAuthHandler class, to bring me back to the
'<form-login-page>' re-setting the parameter 'tomcat.auth.originalLocation'
as well. Let me know if you want to know the modifications.

What I really need is to be able to remain authenticated in the SALES
section as well as the MARKETING section. Is it inherently possible for 1
session to be authenticated to multiple url-patterns, using different
username/password? For example, referencing the config snippets below, would
it be possible for me to log in to the secure SALES section using
username=sales password=sales01, and then once authenticated to the SALES
section, select a MARKETING URL and then log in simultaneously to the
MARKETING secure section using username=market password=market01? What I
have found with this scenario is that I can only be authenticated to one of
the url-patterns at a time. Is there an easy way around this other than
creating a new user that has both roles? I can't really have one common
userid/password combination that has both roles because the two groups don't
want the other group accessing their private info. The only person that
should be able to access both sites with one login is the admin. 


        *** Snippet from web.xml ***

        <security-constraint>
        <web-resource-collection>
                  <web-resource-name>SALES</web-resource-name>
                  <url-pattern>/secure/sales/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
                  <role-name>sales</role-name>
        </auth-constraint>
        </security-constraint>
        <security-constraint>
        <web-resource-collection>
                  <web-resource-name>MARKETING</web-resource-name>
                  <url-pattern>/secure/marketing/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
                  <role-name>marketing</role-name>
        </auth-constraint>
        </security-constraint>
        <login-config>
                <auth-method>FORM</auth-method>
                <realm-name>Secure</realm-name>
                <form-login-config>
                        <form-login-page>/login/login.jsp</form-login-page>
                        <form-error-page>/login/login.jsp?login=false</form-error-page>
                </form-login-config>
        </login-config>
        
        *** End Snippet ***


        *** Snippet from tomcat-users.xml ***

        <!-- Users/Roles -->
        <user name="sales" password="sales01" roles="sales" />
        <user name="market" password="market01" roles="marketing" />
        <user name="admin" password="password" roles="sales,marketing" />

        *** End Snippet ***

Sorry this is so long, but just tried to be very descriptive...

Any ideas would be appreciated, we are planning on moving to LDAP in the
future but we need an interim fix.

Thanks in advance,

Bob
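
An added example, not part of the message above and not Tomcat's code: a simplified model of the behaviour the post describes, in which a session holds one authenticated user and each protected URL is checked against that user's roles. The function names and the 'allow'/'login'/'error' outcomes are assumptions made for illustration; the XML is the post's two snippets wrapped in root elements.

```python
import xml.etree.ElementTree as ET

# The post's two snippets, wrapped in root elements so they parse stand-alone.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection><url-pattern>/secure/sales/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>sales</role-name></auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection><url-pattern>/secure/marketing/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>marketing</role-name></auth-constraint>
</security-constraint>
</web-app>"""
USERS_XML = """<tomcat-users>
<user name="sales" password="sales01" roles="sales" />
<user name="market" password="market01" roles="marketing" />
<user name="admin" password="password" roles="sales,marketing" />
</tomcat-users>"""

def load_constraints(xml_text):
    """Return [(url-pattern, {role names})], one entry per protected pattern."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        roles = {r.text.strip() for r in sc.iter("role-name")}
        out += [(p.text.strip(), roles) for p in sc.iter("url-pattern")]
    return out

def load_users(xml_text):
    """Return {user name: {role names}} from tomcat-users.xml content."""
    return {u.get("name"): set(u.get("roles").split(","))
            for u in ET.fromstring(xml_text).iter("user")}

def required_roles(path, constraints):
    """Roles of the longest matching '/prefix/*' or exact pattern; None if unprotected."""
    best = None
    for pattern, roles in constraints:
        wild = pattern.endswith("/*")
        prefix = pattern[:-2] if wild else pattern
        hit = path == prefix or (wild and path.startswith(prefix + "/"))
        if hit and (best is None or len(prefix) > len(best[0])):
            best = (prefix, roles)
    return best[1] if best else None

def decide(path, session_user, constraints, users):
    """One principal per session: 'allow', 'login' (no principal) or 'error'."""
    roles = required_roles(path, constraints)
    if roles is None or (session_user is not None and users[session_user] & roles):
        return "allow"
    return "login" if session_user is None else "error"
```

In this model a session logged in as `sales` gets `error` for `/secure/marketing/...` because the role check runs against the single user already bound to the session, while `admin` passes both checks.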

