> Date: Mon, 4 Mar 2013 23:32:34 +0100
> From: a...@ice-sa.com
> To: users@tomcat.apache.org
> Subject: Re: Tomcat Built-in WinAuth - NEW THREAD
>
> Mark Thomas wrote:
> > On 04/03/2013 21:47, Chris Fors wrote:
> >> Could you please expand on what constraints you were referring to
> >
> > Security constraints in web.xml
> >
> >> and how they are best implemented, where, and in what syntax e.g. if
> >> implemented in web.xml what are the correct tags.
> >
> > All defined in the Servlet spec.
> >
> >> If implemented in web.xml what are the correct tags. I have not found this
> >> clarified anywhere, yet.
> >
> > Again, see the servlet spec.
>
> You will find an example in the "manager" webapp that comes with Tomcat.
> Look at (tomcat)/webapps/manager/WEB-INF/web.xml, parts like this:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
>     <url-pattern>/html/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>manager-gui</role-name>
>   </auth-constraint>
> </security-constraint>
>
> In not-quite-technical terms:
>
> The above, present at the level of the webapp, specifies a "role" which the authenticated user must have, in order to be able to access this part of the webapp.
> To determine if the user has that role, Tomcat must first know the user. This is what "triggers" the authentication mechanism.
> If nothing forces Tomcat to authenticate the user of this webapp, the authentication method may well be specified, but it will not be invoked.
>
Was hoping to not have to hunt through the complete JSR 315 specification. I
will give the constraint model above a shot tomorrow. Thanks, Chris
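
The point made in the quoted reply (an authentication method that is configured but never invoked because no constraint demands a role) can be checked mechanically. The script below is an added example, not part of the original thread or of Tomcat; the function names, the two constructed web.xml samples and the `SPNEGO` auth-method value are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

def _kids(elem, name):
    # Match on local name so any web.xml namespace/version is accepted.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, parent, leaf):
    return [(n.text or "").strip() for p in _kids(elem, parent) for n in _kids(p, leaf)]

def audit_web_xml(xml_text):
    """Return (auth_method, protected, findings) for one web.xml document."""
    root = ET.fromstring(xml_text.strip())
    methods = _texts(root, "login-config", "auth-method")
    auth_method = methods[0] if methods else None
    protected = []  # (url-pattern, roles) pairs that make Tomcat authenticate
    for sc in _kids(root, "security-constraint"):
        roles = _texts(sc, "auth-constraint", "role-name")
        # A constraint without role names is not counted: it names no role
        # the user must hold.
        if roles:
            protected += [(p, roles) for p in _texts(sc, "web-resource-collection", "url-pattern")]
    findings = []
    if auth_method and not protected:
        findings.append("login-config present but no auth-constraint with a role: "
                        "the authentication method is never invoked")
    return auth_method, protected, findings

# Constructed samples. SPNEGO is assumed as the configured auth-method.
LOGIN_ONLY = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <login-config><auth-method>SPNEGO</auth-method></login-config>
</web-app>"""

WITH_CONSTRAINT = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager-gui</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>SPNEGO</auth-method></login-config>
</web-app>"""

if __name__ == "__main__":
    for name, doc in (("LOGIN_ONLY", LOGIN_ONLY), ("WITH_CONSTRAINT", WITH_CONSTRAINT)):
        print(name, audit_web_xml(doc))
```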