e.g.
consider the following web.xml fragments:
<!-- list of web app level roles -->
<security-role>
<role-name>fred</role-name>
</security-role>
and in the servlet definition we have
<!-- list of aliases for roles that the servlet will use ->
<security-role-ref>
<role-name>alias_for_fred</role-name>
<role-link>fred</role-link>
</security-role-ref>
the following servlet code will fail:
...isUserInRole() only works if the role passed is identical to that defined in the tomcat.users file.
if ( req.isUserInRole("alias_for_fred") ) {
out.println("user validated for role") ;
}
else {
out.println("user not validated for role");
}
This breaks the Servlet 2.2 specification on role aliasing - if there's a role-ref set up, then isUserInRole should
respect this additional mapping.
-Thom
Mike La Budde wrote:
Thanks Craig!I had tried defining several security-constraints like this:
<security-constraint>
<web-resource-collection>
<web-resource-name>customers</web-resource-name>
<url-pattern>/pages/customers/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>sales</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint><security-constraint>
<web-resource-collection>
<web-resource-name>orders</web-resource-name>
<url-pattern>/pages/orders/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>sales</role-name>
<role-name>clerks</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint><security-constraint>
<web-resource-collection>
<web-resource-name>products</web-resource-name>
<url-pattern>/pages/products/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>clerks</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>However, it blew up Tomcat and closed my console window! (I'm running under
Win NT 4.0). So I just figured that I was specifying these wrong.Turns out the above is correct and I had introduced a different problem,
which caused it to blow up....Mike
At 12/13/2000 11:37 AM -0800, you wrote:
>Mike La Budde wrote:
>
> > I'm a bit at a loss as to how I'm supposed to configure the role-based
> > security in my webapp's web.xml file.
> >
> > Consider the following scenario for my webapp:
> >
> > area roles
> > /pages/customers/* sales,admin
> > /pages/orders/* sales,clerks,admin
> > /pages/products/* clerks,admin
> >
>
>One thing to remember is that you can list more than one <role-name> inside an
><auth-constraint>. Therefore, I would suggst making a separate security
>constraint for each different set of roles. For example, the entry for
>"/pages/products/*" would look like this:
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>Product Info</web-resource-name>
> <url-pattern>/pages/products/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>clerks</role-name>
> <role-name>admin</role-name>
> </auth-constraint>
> </security-constraint>
>
>You would have a similar constraint for the other two protected areas.
>
>(Note - the <web-resource-name> element is required by the DTD. Tomcat 3.x
>does
>not check for this, but you will get bit if you move to a different servlet
>container later.)
>
>Craig McClanahan
