I recently moved from Tomcat 4 to 5, and have discovered that the
handling of overlapping security-constraint definitions in web.xml seems
to have changed. I am hoping someone can recommend the best way to
accomplish what I need to do under TC5.
I have two possible user roles. All users have the role "User"; in
addition, some have a second role, "Admin". I want to require at least
"User" role to access any page, but require "Admin" role to access a few
specific page patterns. So I have two security-constraint entries, like
this (this is a simplified version):
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure content</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>User</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Admin content</web-resource-name>
    <url-pattern>/edit*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Admin</role-name>
  </auth-constraint>
</security-constraint>
This worked under TC4; since all users have the "User" role, everyone
could get at all my *.do pages, but users without the "Admin" role would
get a 403 if they tried to reach a page starting with "edit".
However, under TC5, it appears that permissions are adding rather than
subtracting, if that makes sense. In other words, the presence of the
blanket permission for *.do makes all pages accessible, and the attempt
to add an additional rule about /edit* pages is ignored.
I could obviously enumerate all the pages in both categories, but that
would be brittle in the face of new development. Is there a way to do
this with patterns as I did under TC4?
--
Craig Berry
Principal Architect and Technical Manager
PortBlue
(310) 566-7546
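A small model of the constraint-selection rules, added here as an example (it is not from Craig's post and not Tomcat's source), assuming Tomcat 5 follows the Servlet 2.4 precedence: exact match, then longest path-prefix (`/x/*`), then extension (`*.ext`), with the roles of all constraints at the winning level unioned. Under that model `/edit*` is neither a prefix nor an extension pattern, so it only ever matches the literal path `/edit*` and never `/editUser.do`, leaving the `*.do` rule alone in effect, which is consistent with the behaviour described above; a `/edit/*` prefix pattern would take precedence over `*.do`.

```python
# Added example: a model of Servlet 2.4 security-constraint matching as
# assumed for Tomcat 5 (exact > longest prefix > extension; roles unioned
# within the winning level). Not Tomcat's own code.
from typing import List, Optional, Set, Tuple

Constraint = Tuple[str, Set[str]]  # (url-pattern, allowed role names)


def _kind(pattern: str) -> str:
    """Classify a url-pattern the way the servlet spec defines it."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "prefix"
    if pattern.startswith("*."):
        return "extension"
    return "exact"  # anything else, including "/edit*", is an exact pattern


def _matches(pattern: str, path: str) -> bool:
    kind = _kind(pattern)
    if kind == "prefix":
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    if kind == "extension":
        return path.endswith(pattern[1:])  # "*.do" -> ".do"
    return path == pattern


def required_roles(constraints: List[Constraint], path: str) -> Optional[Set[str]]:
    """Roles that may access `path`, or None if no constraint covers it."""
    hits = [(p, r) for p, r in constraints if _matches(p, path)]
    for kind in ("exact", "prefix", "extension"):
        group = [(p, r) for p, r in hits if _kind(p) == kind]
        if not group:
            continue
        if kind == "prefix":  # only the longest matching prefix applies
            longest = max(len(p) for p, _ in group)
            group = [(p, r) for p, r in group if len(p) == longest]
        roles: Set[str] = set()
        for _, r in group:
            roles |= r  # same-level constraints combine by union
        return roles
    return None


# Constructed inputs: the post's constraints, and a prefix-pattern variant.
AS_POSTED: List[Constraint] = [("*.do", {"User"}), ("/edit*", {"Admin"})]
WITH_PREFIX: List[Constraint] = [("*.do", {"User"}), ("/edit/*", {"Admin"})]

if __name__ == "__main__":
    print(required_roles(AS_POSTED, "/editUser.do"))   # {'User'}
    print(required_roles(WITH_PREFIX, "/edit/user.do"))  # {'Admin'}
```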