Hi Neal, thanks for the answer. But I need to share some urls between different roles. I guess I should group shared url-patterns and specify a set of role-names for them and separately define each url-pattern that is allowed to be accessed only by proprietary role-name.
Thanks again!
alex

-----Original Message-----
From: Neal Sanche <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Mon, 10 Jun 2002 14:16:50 -0400
Subject: Re: [JBoss-user] web security constraints

> Hi Alex,
>
> I don't think you can put two security constraints on the same subdirectory
> of your web application. You're specifying the same url-pattern for both and
> I would guess that one is overriding the other. What I've seen typically done
> is make subdirectories for each role in your application. So for the admin
> role you'd have <url-pattern>/admin/*</url-pattern>. Then any pages under
> there would only be accessible to someone with admin role.
>
> -Neal
>
> On June 10, 2002 05:00 am, you wrote:
> > Hi,
> >
> > I have problems with defining security constraints in web.xml. I
> > defined two roles. For each role I defined its own security-constraint.
> > But only the first defined constraint works properly. It seems like the
> > constraint for the second role is omitted. And accessing restricted urls
> > with the second role results in "Access to requested resource has been
> > denied". If I change the order of security-constraint elements in web.xml
> > then other role is authenticated/authorized properly.
> >
> > Has anyone experienced such a problem? What do I do wrong?
> >
> > TIA,
> > alex
> >
> > Environment: JBoss-3.1.0alpha/Tomcat-4.0.2, Win2000, JDK-1.4
> >
> > Here is the security constraints:
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>MTCatalog Admin</web-resource-name>
> >     <description>admin constraint</description>
> >     <url-pattern>/*</url-pattern>
> >     <http-method>HEAD</http-method>
> >     <http-method>GET</http-method>
> >     <http-method>POST</http-method>
> >     <http-method>PUT</http-method>
> >     <http-method>DELETE</http-method>
> >   </web-resource-collection>
> >   <auth-constraint>
> >     <role-name>Admin</role-name>
> >   </auth-constraint>
> >   <user-data-constraint>
> >     <description>no description</description>
> >     <transport-guarantee>NONE</transport-guarantee>
> >   </user-data-constraint>
> > </security-constraint>
> >
> > <security-constraint>
> >   <web-resource-collection>
> >     <web-resource-name>MTCatalog ResourceOwner</web-resource-name>
> >     <description>owner constraint</description>
> >     <url-pattern>/*</url-pattern>
> >     <http-method>HEAD</http-method>
> >     <http-method>GET</http-method>
> >     <http-method>POST</http-method>
> >     <http-method>PUT</http-method>
> >     <http-method>DELETE</http-method>
> >   </web-resource-collection>
> >   <auth-constraint>
> >     <role-name>ResourceOwner</role-name>
> >   </auth-constraint>
> >   <user-data-constraint>
> >     <description>no description</description>
> >     <transport-guarantee>NONE</transport-guarantee>
> >   </user-data-constraint>
> > </security-constraint>
> >
> > _______________________________________________________________
> >
> > Don't miss the 2002 Sprint PCS Application Developer's Conference
> > August 25-28 in Las Vegas - http://devcon.sprintpcs.com/adp/index.cfm?source=osdntextlink
>
> _______________________________________________
> JBoss-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/jboss-user
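The grouping discussed in this thread, written out as an added example that is not part of the original messages: one constraint lists both roles for the shared URLs, and each role-specific area gets its own non-overlapping url-pattern. The role names come from the original message; the `/shared/*`, `/admin/*` and `/owner/*` paths and the "MTCatalog Shared" resource name are assumptions for illustration.

```xml
<?xml version="1.0"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- Shared URLs: one constraint, several role-name entries.
       The /shared/* path is assumed for illustration. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MTCatalog Shared</web-resource-name>
      <url-pattern>/shared/*</url-pattern>
      <!-- No http-method elements, so the constraint applies to all HTTP methods. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
      <role-name>ResourceOwner</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Admin-only area (assumed path), no overlap with the other patterns. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MTCatalog Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- ResourceOwner-only area (assumed path). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>MTCatalog ResourceOwner</web-resource-name>
      <url-pattern>/owner/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ResourceOwner</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- The application's existing login-config element goes here (DTD order). -->

  <!-- Every role used in an auth-constraint is declared once. -->
  <security-role><role-name>Admin</role-name></security-role>
  <security-role><role-name>ResourceOwner</role-name></security-role>
</web-app>
```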
