<auth-constraint>
<role-name>*</role-name>
</auth-constraint>Will require authentication but not authorisation.
John.
Krause Karin wrote:
Hi all,
I've got a question regarding authentication. I wish to do
authentication without authorisation. So this means everybody
should be free to access my web-resource but I wish to know who it is.
Therefore the accessing user must login.
As probably everybody knows
here I can configure that by means of a security-constraint/login-config in my web.xml file.
Here is a little example:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protect the Helloworld example</web-resource-name>
<description/>
<url-pattern>/servlet/HelloWorldExample</url-pattern>
<url-pattern>/servlet/SessionExample</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>public</realm-name>
</login-config>
Please remark that no auth-constraint is defined, because anybody should
have free access to this web-resource. So what I need is authentication without authorisation. The problem is that only if I define some auth-constraint in the security-constraint the
authenticate method of the Authenticator will be invoked. I think that the J2EE Standard
makes no restriction that authentication can only be used in combination with authorisation.
Am I wrong? Or is this a Tomcat bug?
Cheers Karin
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
