My normal deployment of Tomcat is behind apache2, and up to now I have been
using basic authentication defined by Apache's configuration file as to who
has access to what.
I am about to implement the piece of the application that allows users to
change their own passwords, and the administrator to set up and administer
users.
In order to develop and test the application where I am only running tomcat
(controlled via eclipse) I need to replicate the security controls I will
eventually be putting in place via apache.
Given a servlet application called /usermgr, then relative to that root, I
need url pattern /* to require that any user who has an entry in the user
table of the JDBCRealm I am using is prompted to login, and must successfully
do so, whereas to access a url pattern of /admin/* I need to ensure that the
person who has logged in has the role of 'admin'.
I think I need something like this in my web.xml file. Have I understood this
correctly?
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Valid Users</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Site Admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>
But where I am stuck is with the login config:
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name></realm-name>
</login-config>
Is realm-name just some descriptive text to prompt the user with, or has it
any other significance, and am I limited to only one user prompt for both
security constraints?
Finally, what does security-role mean in there, i.e. do I need the
following:
<security-role>
  <description>Site administrator</description>
  <role-name>admin</role-name>
</security-role>
and what does it actually mean?
--
Alan Chandler
http://www.chandlerfamily.org.uk
Open Source. It's the difference between trust and antitrust.
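An added worked example, not part of Alan's post and not Tomcat's own code: a small Python model of how Tomcat decides which <security-constraint> governs a request URL (the exact-then-longest-prefix selection of RealmBase.findSecurityConstraints()) and how <role-name>*</role-name> is resolved against the <security-role> declarations (as in RealmBase.hasResourcePermission()), run over a web.xml assembled from the fragments in the post. The two declared roles "user" and "admin", the realm name "usermgr", the users alice and bob and their roles are constructed assumptions for the demonstration; the "*.ext" and default "/" matching steps and per-HTTP-method limits are left out.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml built from the fragments in the post; the two
# <security-role> entries and the realm name "usermgr" are assumptions.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Valid Users</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Site Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>usermgr</realm-name>
  </login-config>
  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

# Constructed stand-in for the JDBCRealm's user_roles table (assumed users).
USER_ROLES = {"alice": {"user"}, "bob": {"user", "admin"}}

def _local(tag):
    """Drop any xmlns prefix so a namespaced web.xml parses the same way."""
    return tag.rsplit("}", 1)[-1]

def parse_web_xml(text):
    """Return (constraints, declared_roles, realm_name); a constraint is
    (url_patterns, allowed_roles), allowed_roles None = no <auth-constraint>."""
    root = ET.fromstring(text)
    constraints, declared, realm = [], set(), None
    for el in root:
        kind = _local(el.tag)
        if kind == "security-constraint":
            patterns = [p.text.strip() for p in el.iter() if _local(p.tag) == "url-pattern"]
            auth = [a for a in el if _local(a.tag) == "auth-constraint"]
            allowed = {r.text.strip() for r in auth[0] if _local(r.tag) == "role-name"} if auth else None
            constraints.append((patterns, allowed))
        elif kind == "security-role":
            declared.update(r.text.strip() for r in el if _local(r.tag) == "role-name")
        elif kind == "login-config":
            realm = next(((r.text or "").strip() for r in el if _local(r.tag) == "realm-name"), None)
    return constraints, declared, realm

def find_constraints(uri, constraints):
    """Constraints governing `uri` the way RealmBase.findSecurityConstraints()
    picks them: an exact match wins, otherwise the longest "/.../*" prefix,
    so "/admin/*" beats "/*" for /admin/users (no "*.ext" or "/" step here)."""
    exact = [c for c in constraints if uri in c[0]]
    if exact:
        return exact
    best, longest = [], -1
    for c in constraints:
        for pat in c[0]:
            if not (pat.startswith("/") and pat.endswith("/*")):
                continue
            stem = pat[:-1]  # "/admin/*" -> "/admin/"; the bare "/admin" matches too
            if pat == "/*" or uri.startswith(stem) or uri == stem[:-1]:
                if len(pat) > longest:
                    best, longest = [c], len(pat)
                elif len(pat) == longest and c not in best:
                    best.append(c)
    return best

def is_permitted(uri, user_roles, constraints, declared_roles):
    """Authorise an authenticated user holding `user_roles` (the rows the
    JDBCRealm found); one governing constraint that admits the user suffices."""
    governing = find_constraints(uri, constraints)
    if not governing:
        return True  # nothing in web.xml constrains this URL
    for _patterns, allowed in governing:
        if allowed is None:
            return True  # no <auth-constraint>: open to everyone
        if "*" in allowed:
            # "*" is shorthand for every role declared in a <security-role>,
            # not for "anyone the realm can authenticate".
            allowed = (allowed - {"*"}) | declared_roles
        if user_roles & allowed:
            return True
    return False

def basic_challenge(realm_name):
    """Header BasicAuthenticator sends for a constrained URL hit without
    credentials; <realm-name> appears only here and in the browser prompt."""
    return 'WWW-Authenticate: Basic realm="%s"' % realm_name

CONSTRAINTS, DECLARED_ROLES, REALM = parse_web_xml(WEB_XML)

if __name__ == "__main__":
    for user, uri in [("alice", "/index.jsp"), ("alice", "/admin/users"), ("bob", "/admin/users")]:
        print(user, uri, is_permitted(uri, USER_ROLES[user], CONSTRAINTS, DECLARED_ROLES))
    print(basic_challenge(REALM))
```

With the constructed data, alice (role "user") is admitted to /index.jsp because "*" expands to {user, admin}, but is refused /admin/users and the bare /admin because the longer "/admin/*" pattern is the only one consulted there and it names only "admin"; bob passes both. A user with no row in user_roles at all is refused everything under /*, which is what makes the BASIC challenge appear. The realm name feeds nothing but the WWW-Authenticate header; which Realm implementation checks the credentials is settled in server.xml or the context descriptor, not in web.xml.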