Re: role-based security how to?

Wed, 13 Dec 2000 13:23:22 -0800 

Thanks Craig!

I had tried defining several security-constraints like this:

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>customers</web-resource-name>
             <url-pattern>/pages/customers/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
             <role-name>sales</role-name>
             <role-name>admin</role-name>
         </auth-constraint>
     </security-constraint>

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>orders</web-resource-name>
             <url-pattern>/pages/orders/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
             <role-name>sales</role-name>
             <role-name>clerks</role-name>
             <role-name>admin</role-name>
         </auth-constraint>
     </security-constraint>

     <security-constraint>
         <web-resource-collection>
             <web-resource-name>products</web-resource-name>
             <url-pattern>/pages/products/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
             <role-name>clerks</role-name>
             <role-name>admin</role-name>
         </auth-constraint>
     </security-constraint>

However, it blew up Tomcat and closed my console window! (I'm running under 
Win NT 4.0). So I just figured that I was specifying these wrong.

Turns out the above is correct and I had introduced a different problem, 
which caused it to blow up....

Mike



At 12/13/2000 11:37 AM -0800, you wrote:
>Mike La Budde wrote:
>
> > I'm a bit at a loss as to how I'm supposed to configure the role-based
> > security in my webapp's web.xml file.
> >
> > Consider the following scenario for my webapp:
> >
> > area                            roles
> > /pages/customers/*              sales,admin
> > /pages/orders/*         sales,clerks,admin
> > /pages/products/*               clerks,admin
> >
>
>One thing to remember is that you can list more than one <role-name> inside an
><auth-constraint>.  Therefore, I would suggst making a separate security
>constraint for each different set of roles.  For example, the entry for
>"/pages/products/*" would look like this:
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Product Info</web-resource-name>
>             <url-pattern>/pages/products/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>clerks</role-name>
>             <role-name>admin</role-name>
>         </auth-constraint>
>     </security-constraint>
>
>You would have a similar constraint for the other two protected areas.
>
>(Note - the <web-resource-name> element is required by the DTD. Tomcat 3.x 
>does
>not check for this, but you will get bit if you move to a different servlet
>container later.)
>
>Craig McClanahan

Reply via email to