This was reported in https://issues.apache.org/jira/browse/GERONIMO-1585#action_12436703 Please note that the presence/absence of authorization constraint and a role ( same or different ) in second security constraint does not make any difference.
Thanks Anita --- David Jencks <[EMAIL PROTECTED]> wrote: > It looks to me as if it should be allowed. What is the error? > > thanks > david jencks > > On Jan 19, 2007, at 7:41 PM, anita kulshreshtha wrote: > > > We do not allow this combintaion of URL patterns in > > web-resource-collection. This is in line with JACC > > http://java.sun.com/j2ee/1.4/docs/api/javax/security/jacc/ > > WebResourcePermission.html > > > > <security-constraint> > > <web-resource-collection> > > <web-resource-name>Admin Role</web-resource-name> > > <url-pattern>*.do</url-pattern> > > </web-resource-collection> > > <auth-constraint> > > <role-name>content-administrator</role-name> > > </auth-constraint> > > </security-constraint> > > > > <security-constraint> > > <web-resource-collection> > > <web-resource-name>Unrestricted > ACCESS</web-resource-name> > > <url-pattern>/login.do</url-pattern> > > </web-resource-collection> > > </security-constraint> > > > > The following url-patterns are allowed with *.do - > > - /login/*, /login.do/* , i.e. path prefix patterns > > - login.do, i.e. Exact patterns matching *.do > > - login.do/, login.do/* > > Does anyone know why the above web.xml fragment should or > should > > not be allowed? > > > > Thanks > > Anita > > > > > > > > > ______________________________________________________________________ > > > ______________ > > Get your own web address. > > Have a HUGE year through Yahoo! Small Business. > > http://smallbusiness.yahoo.com/domains/?p=BESTDEAL > > ____________________________________________________________________________________ Do you Yahoo!? Everyone is raving about the all-new Yahoo! Mail beta. http://new.mail.yahoo.com