Hi,
I have problems with defining security constraints in web.xml. I
defined two roles. For each role I defined its own security-constraint.
But only the first defined constraint works properly. It seems like the constraint
for the second role is omitted. And accessing restricted URLs with the
second role results in "Access to requested resource has been denied".
If I change the order of security-constraint elements in web.xml then
the other role is authenticated/authorized properly.
Has anyone experienced such a problem? What am I doing wrong?
TIA,
alex
Environment: JBoss-3.1.0alpha/Tomcat-4.0.2, Win2000, JDK-1.4
Here are the security constraints:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>MTCatalog Admin</web-resource-name>
    <description>admin constraint</description>
    <url-pattern>/*</url-pattern>
    <http-method>HEAD</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>no description</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>MTCatalog ResourceOwner</web-resource-name>
    <description>owner constraint</description>
    <url-pattern>/*</url-pattern>
    <http-method>HEAD</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ResourceOwner</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>no description</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
--
Best regards,
Alex Loubyansky
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
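
An added example, not part of the original post: a small web.xml audit that reports roles whose constraint can never take effect when the container applies only the first security-constraint matching a URL pattern and method, which is the behaviour the post describes. The sample XML is constructed from the post's two constraints (trimmed to two methods); the function name and the first-match model are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the post's two constraints, trimmed to two HTTP methods.
_SC = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>MTCatalog {0}</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>{0}</role-name></auth-constraint>
</security-constraint>"""
WEB_XML = "<web-app>" + _SC.format("Admin") + _SC.format("ResourceOwner") + "</web-app>"


def shadowed_roles(web_xml):
    """Map (url-pattern, http-method) -> (effective roles, shadowed roles).

    Assumes first-match evaluation (the behaviour the post reports), no XML
    namespace, and compares url-patterns as exact strings only.
    """
    claims = defaultdict(list)  # (pattern, method) -> role sets in document order
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        roles = {r.text.strip() for r in sc.iter("role-name")}
        for wrc in sc.iter("web-resource-collection"):
            # No http-method element means the collection covers every method.
            methods = [m.text.strip() for m in wrc.iter("http-method")] or ["*"]
            for pattern in wrc.iter("url-pattern"):
                for method in methods:
                    claims[(pattern.text.strip(), method)].append(roles)

    report = {}
    for key, role_sets in claims.items():
        effective = role_sets[0]  # roles of the first constraint claiming this key
        shadowed = set().union(*role_sets[1:]) - effective
        if shadowed:
            report[key] = (sorted(effective), sorted(shadowed))
    return report


if __name__ == "__main__":
    for (pattern, method), (eff, lost) in sorted(shadowed_roles(WEB_XML).items()):
        print(f"{method} {pattern}: enforced for {eff}, never reached for {lost}")
```

Run against a descriptor in which one security-constraint lists both role-name elements inside a single auth-constraint for the shared pattern, the report comes back empty.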