Hi Alex, I don't think you can put two security constraints on the same subdirectory of your web application. You're specifying the same url-pattern for both and I would guess that one is overriding the other. What I've seen typically done is make subdirectories for each role in your application. So for the admin role you'd have <url-pattern>/admin/*</url-pattern>. Then any pages under there would only be accessible to someone with admin role.
-Neal

On June 10, 2002 05:00 am, you wrote:
> Hi,
>
> I have problems with defining security constraints in web.xml. I
> defined two roles. For each role I defined its own security-constraint.
> But only the first defined constraint works properly. It seems like the
> constraint for the second role is omitted. And accessing restricted urls
> with the second role results in "Access to requested resource has been
> denied". If I change the order of security-constraint elements in web.xml
> then the other role is authenticated/authorized properly.
>
> Has anyone experienced such a problem? What am I doing wrong?
>
> TIA,
> alex
>
> Environment: JBoss-3.1.0alpha/Tomcat-4.0.2, Win2000, JDK-1.4
>
> Here are the security constraints:
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>MTCatalog Admin</web-resource-name>
>     <description>admin constraint</description>
>     <url-pattern>/*</url-pattern>
>     <http-method>HEAD</http-method>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>     <http-method>DELETE</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>Admin</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <description>no description</description>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>MTCatalog ResourceOwner</web-resource-name>
>     <description>owner constraint</description>
>     <url-pattern>/*</url-pattern>
>     <http-method>HEAD</http-method>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>     <http-method>DELETE</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>ResourceOwner</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <description>no description</description>
>     <transport-guarantee>NONE</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>

_______________________________________________
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user
