> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Authentication without Authorization ( JNDI Realm )
>
> Technically speaking, this will require authentication but then let
> anyone holding any role defined in web.xml to access any page on your
> site.

But the valid roles still have to be listed in web.xml to be compliant with the spec.

> Practically speaking, you don't even need to define the roles in
> web.xml because (last time I checked), Tomcat treats '*' as
> "authenticated, regardless of roles".

That was a bug, now fixed:
http://marc.info/?l=tomcat-user&m=123568422715010&w=2

Note that the spec states that "*" means any defined role, not just any role:

"The special role name “*” is a shorthand for all role names defined in the deployment descriptor."

 - Chuck
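
A check for the two points made in this reply (roles must be declared in web.xml, and "*" covers only the declared roles), as an added example that is not part of the original message or of Tomcat. It uses Python's standard library on a constructed web.xml; the names audit_roles and local and the sample descriptor are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the thread): "*" is used in one
# auth-constraint, and the role "admin" is referenced but never declared.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>user</role-name></security-role>
</web-app>
"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_roles(web_xml_text):
    """Return (declared, wildcard_expansion, undeclared) for a web.xml string."""
    root = ET.fromstring(web_xml_text)
    declared, referenced, uses_wildcard = set(), set(), False
    for el in root.iter():
        if local(el.tag) not in ("security-role", "auth-constraint"):
            continue
        names = {(c.text or "").strip() for c in el if local(c.tag) == "role-name"}
        if local(el.tag) == "security-role":
            declared |= names
        else:
            uses_wildcard |= "*" in names
            referenced |= names - {"*"}
    # Per the spec text quoted above, "*" expands to the declared roles only;
    # None means no auth-constraint in the descriptor uses "*".
    expansion = sorted(declared) if uses_wildcard else None
    return sorted(declared), expansion, sorted(referenced - declared)

if __name__ == "__main__":
    print(audit_roles(SAMPLE_WEB_XML))
```

An empty list in the second position means "*" is used but no security-role is declared, so under the quoted spec wording it names no roles at all.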