Mike La Budde wrote:
> I'm a bit at a loss as to how I'm supposed to configure the role-based
> security in my webapp's web.xml file.
>
> Consider the following scenario for my webapp:
>
> area                  roles
> /pages/customers/*    sales,admin
> /pages/orders/*       sales,clerks,admin
> /pages/products/*     clerks,admin
>
One thing to remember is that you can list more than one <role-name> inside an
<auth-constraint>. Therefore, I would suggest making a separate security
constraint for each different set of roles. For example, the entry for
"/pages/products/*" would look like this:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Product Info</web-resource-name>
        <url-pattern>/pages/products/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>clerks</role-name>
        <role-name>admin</role-name>
      </auth-constraint>
    </security-constraint>

You would have a similar constraint for the other two protected areas.
(Note - the <web-resource-name> element is required by the DTD. Tomcat 3.x does
not check for this, but you will get bit if you move to a different servlet
container later.)
Craig McClanahan
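
The following is an added example, not part of the original thread: a small check that parses a web.xml body written as the reply suggests (one constraint per role set) and compares it with the area/roles table from the question, also flagging any collection without a <web-resource-name>. The resource names "Customer Info" and "Order Info", the names WEB_XML, EXPECTED and audit, and the exact-string comparison of URL patterns (no emulation of the container's pattern matching) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml body: one constraint per protected area in the question.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Customer Info</web-resource-name>
      <url-pattern>/pages/customers/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>sales</role-name><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Order Info</web-resource-name>
      <url-pattern>/pages/orders/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>sales</role-name><role-name>clerks</role-name><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Product Info</web-resource-name>
      <url-pattern>/pages/products/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>clerks</role-name><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

EXPECTED = {  # intended policy, copied from the area/roles table in the question
    "/pages/customers/*": {"sales", "admin"},
    "/pages/orders/*": {"sales", "clerks", "admin"},
    "/pages/products/*": {"clerks", "admin"},
}

def audit(web_xml, expected):
    findings, actual = [], {}  # an empty findings list means the file matches the policy
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        roles = {r.text.strip() for r in sc.iter("role-name")}
        for wrc in sc.iter("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.iter("url-pattern")]
            # The DTD requires this element even where the container does not check it.
            if not (wrc.findtext("web-resource-name") or "").strip():
                findings.append(f"missing <web-resource-name> for {patterns}")
            for p in patterns:
                actual.setdefault(p, set()).update(roles)
    # Report every pattern whose configured role set differs from the intended one.
    findings += [f"{p}: expected {sorted(expected.get(p, []))}, found {sorted(actual.get(p, []))}"
                 for p in sorted(set(expected) | set(actual)) if actual.get(p) != expected.get(p)]
    return findings
```

Calling audit(WEB_XML, EXPECTED) returns an empty list for the constructed file above; any returned string names the pattern or collection that needs attention.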