> Date: Mon, 4 Mar 2013 23:32:34 +0100
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: Tomcat Built-in WinAuth - NEW THREAD
> 
> Mark Thomas wrote:
> > On 04/03/2013 21:47, Chris Fors wrote:
> >> Could you please expand on what constraints you were referring to
> > 
> > Security constraints in web.xml
> > 
> >> and how they are best implemented, where, and in what syntax e.g. if 
> >> implemented in web.xml what are the correct tags.
> > 
> > All defined in the Servlet spec.
> > 
> >> If implemented in web.xml what are the correct tags. I have not found this 
> >> clarified anywhere, yet.
> > 
> > Again, see the servlet spec.
> 
> You will find an example in the "manager" webapp that comes with Tomcat.
> Look at (tomcat)/webapps/manager/WEB-INF/web.xml, parts like this :
> 
>    <security-constraint>
>      <web-resource-collection>
>        <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
>        <url-pattern>/html/*</url-pattern>
>      </web-resource-collection>
>      <auth-constraint>
>         <role-name>manager-gui</role-name>
>      </auth-constraint>
>    </security-constraint>
> 
> In not-quite-technical terms :
> 
> The above, present at the level of the webapp, specifies a "role" which the authenticated
> user must have, in order to be able to access this part of the webapp.
> To determine if the user has that role, Tomcat must first know the user. This is what
> "triggers" the authentication mechanism.
> If nothing forces Tomcat to authenticate the user of this webapp, the authentication
> method may well be specified, but it will not be invoked.
> 
Was hoping to not have to hunt through the complete JSR 315 specification. I will give the
constraint model above a shot tomorrow. Thanks, Chris
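
An added example, not part of the original messages or of Tomcat's own code: a small check that reads a web.xml and reports whether a configured `<login-config>` is ever triggered by a `<security-constraint>` that names a role, which is the condition described in the quoted explanation. The sample descriptors are constructed; the `BASIC` auth method and the namespace URI are assumptions chosen for the sample.

```python
import xml.etree.ElementTree as ET

def local(tag):
    """Strip the XML namespace so the check works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]

def texts(elem, path):
    """Trimmed text of nested elements, e.g. path=("auth-constraint", "role-name")."""
    nodes = [elem]
    for name in path:
        nodes = [c for n in nodes for c in n if local(c.tag) == name]
    return [(n.text or "").strip() for n in nodes]

def audit_web_xml(xml_text):
    root = ET.fromstring(xml_text)
    methods = texts(root, ("login-config", "auth-method"))
    protected = []
    for sc in (c for c in root if local(c.tag) == "security-constraint"):
        roles = [r for r in texts(sc, ("auth-constraint", "role-name")) if r]
        if roles:  # only a constraint that names a role forces Tomcat to identify the user
            patterns = texts(sc, ("web-resource-collection", "url-pattern"))
            protected.append((patterns, roles))
    return {
        "auth_method": methods[0] if methods else None,
        "protected": protected,
        # login-config present, but nothing requires a role: it will never be invoked
        "auth_never_triggered": bool(methods) and not protected,
    }

# Constructed sample: the constraint quoted in the thread plus an assumed login-config.
CONSTRAINT = """<security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
  </security-constraint>"""
WITH_CONSTRAINT = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">' + CONSTRAINT +
                   "<login-config><auth-method>BASIC</auth-method></login-config></web-app>")
WITHOUT_CONSTRAINT = WITH_CONSTRAINT.replace(CONSTRAINT, "")

if __name__ == "__main__":
    for name, doc in (("with", WITH_CONSTRAINT), ("without", WITHOUT_CONSTRAINT)):
        print(name, audit_web_xml(doc))
```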
                                          
