Hi, I'm a little bit confused about the use of the security-role tag - generally and especially in Tomcat. The WebApp DTD refers for auth-constraint to this element commented as follows:
"... The role-name used here must either correspond to the role-name of one of the security-role elements defined for this web application, or be the specially reserved role-name "*" that is a compact syntax for indicating all roles in the web application. ... If no roles are defined, no user is allowed access to the portion of the web application described by the containing security-constraint..."

I've tried to do this with Tomcat (4.1.16), but it didn't work as described. Tested with this web.xml (test.jsp also needed):

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
        "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
      <servlet>
        <servlet-name>RoleRef</servlet-name>
        <jsp-file>/test.jsp</jsp-file>
      </servlet>
      <servlet-mapping>
        <servlet-name> RoleRef </servlet-name>
        <url-pattern> /test </url-pattern>
      </servlet-mapping>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>WebCollection</web-resource-name>
          <url-pattern>/test</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>*</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>default</realm-name>
      </login-config>
      <!-- uncommenting security-role causes nothing -->
      <security-role>
        <role-name>specialrole</role-name>
      </security-role>
    </web-app>

Only specialRole should have the permission to access the resource test.jsp; if uncommented, no user should have this permission. But in Tomcat any role (e.g. tomcat, from the global context) has the permission in both cases ... Is this wanted behaviour, or is this a bug?

Regards,
Thomas Paradies
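As an added example (not from the post above and not Tomcat's own code), here is a small Python checker that applies the DTD rule quoted in the post to a deployment descriptor: a "*" auth-constraint expands to the declared security-roles, an auth-constraint with no usable roles admits nobody, and a role-name that is not declared as a security-role is reported as a configuration problem. The descriptor strings are constructed to match the posted web.xml (DOCTYPE omitted so the parser never resolves the DTD).

```python
import xml.etree.ElementTree as ET

# Constructed sample equivalent to the web.xml in the post (DOCTYPE omitted so
# the parser never tries to resolve the DTD).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WebCollection</web-resource-name>
      <url-pattern>/test</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>specialrole</role-name></security-role>
</web-app>"""

# Same descriptor with the <security-role> declaration removed.
WEB_XML_NO_ROLES = WEB_XML.replace(
    "<security-role><role-name>specialrole</role-name></security-role>", "")


def _names(parent, path):
    """Trimmed text of every element matching path below parent."""
    return {e.text.strip() for e in parent.findall(path) if e.text}


def granted_roles(web_xml):
    """Map each url-pattern to the roles the DTD text says may reach it.
    None means no auth-constraint (everyone); an empty set means nobody."""
    root = ET.fromstring(web_xml)
    declared = _names(root, "security-role/role-name")
    granted, problems = {}, []
    for sc in root.findall("security-constraint"):
        auth = sc.find("auth-constraint")
        if auth is None:
            roles = None
        else:
            named = _names(auth, "role-name")
            # "*" is shorthand for every declared <security-role>; with no
            # declared roles it therefore grants access to nobody.
            roles = set(declared) if "*" in named else named & declared
            for r in sorted(named - declared - {"*"}):
                problems.append(f"role {r!r} used but not declared as security-role")
        for pattern in _names(sc, "web-resource-collection/url-pattern"):
            granted[pattern] = roles
    return granted, problems


def may_access(web_xml, pattern, user_roles):
    """True if a user holding user_roles may reach pattern under the rule."""
    roles = granted_roles(web_xml)[0].get(pattern)
    return True if roles is None else bool(roles & set(user_roles))
```

Running it against the two descriptors shows the behaviour the post expects: only a user holding specialrole reaches /test, and nobody does once the security-role declaration is gone.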