On Friday, December 6, 2002, at 07:05 AM, Thomas Paradies wrote:

Hi,

I'm a little bit confused about the use of the security-role tag, generally
and especially in Tomcat. The web-app DTD's comment on auth-constraint refers
to this element as follows:

"... The role-name used here must either correspond to the role-name of one
of the security-role elements defined for this web application, or be the
specially reserved role-name "*" that is a compact syntax for indicating all
roles in the web application. ... If no roles are defined, no user is allowed
access to the portion of the web application described by the containing
security-constraint..."

I've tried to do this with Tomcat (4.1.16) but it didn't work as described.
Tested with this web.xml (test.jsp also needed):

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<servlet>
<servlet-name>RoleRef</servlet-name>
<jsp-file>/test.jsp</jsp-file>
</servlet>
<servlet-mapping>
<servlet-name>
RoleRef
</servlet-name>
<url-pattern>
/test
</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>WebCollection</web-resource-name>
<url-pattern>/test</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
This means that ALL roles can access this resource. When you specify *, you don't need to specify security-role below, but if you DO specify a role or roles, then it is necessary to define roles. At least, this is my impression from the specs. If you want your desired behavior, change role-name to use specialrole.

</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<!-- uncommenting security-role causes nothing -->
<security-role>
<role-name>specialrole</role-name>
</security-role>
</web-app>

Only specialrole should have permission to access the resource test.jsp;
if uncommented, no user should have this permission. But in Tomcat any role
(e.g. tomcat, from the global context) has the permission in both cases ...

Is this wanted behaviour or is this a bug?

Regards,
Thomas Paradies

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
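The rules the poster quotes from the DTD can be checked mechanically. The script below is an added example, not code from the thread or from Tomcat: it parses a web.xml and decides, for a request path and a set of user roles, what the quoted DTD comment says should happen (named roles must be declared in security-role, "*" expands to the declared roles, an auth-constraint with no role-name denies everyone, no auth-constraint allows everyone). Two assumptions are not taken from the post and are labelled in the code: when several constraints match a path, the best-matching url-pattern wins (exact, then longest path prefix, then extension, then the default "/", as for servlet mappings), and constraints sharing that best match combine by union of roles with an empty auth-constraint overriding everything. The descriptor strings are constructed for the example and only loosely follow the one in the post. What a given container actually does is a separate question, which is exactly what the thread is asking.

```python
"""Added example: evaluate auth-constraint / security-role semantics
as described by the Servlet 2.3 DTD comment against a web.xml.

Assumptions (not stated in the post): best-matching url-pattern wins,
constraints at that best match combine by union of role names, and an
auth-constraint naming no roles overrides everything and denies access.
"""
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not the poster's file): three constraints
# so that "*", a named role and an empty auth-constraint are all exercised.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WebCollection</web-resource-name>
      <url-pattern>/test</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>specialrole</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Locked</web-resource-name>
      <url-pattern>/admin/locked.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-role><role-name>specialrole</role-name></security-role>
  <security-role><role-name>manager</role-name></security-role>
</web-app>
"""

# Same descriptor with every <security-role> declaration removed, i.e. the
# "commented out" case from the post.
SAMPLE_WITHOUT_ROLES = "\n".join(
    line for line in SAMPLE_WEB_XML.splitlines() if "<security-role>" not in line)


def match_rank(pattern, path):
    """Rank how well a url-pattern matches a request path, mirroring servlet
    mapping precedence: exact > longest path prefix > extension > default.
    Returns None when the pattern does not match; larger tuples win."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None


class Descriptor:
    """Security-relevant view of a web.xml: declared roles and constraints."""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.declared_roles = {
            e.text.strip() for e in root.findall("security-role/role-name")}
        self.constraints = []  # list of (url-patterns, roles or None)
        for sc in root.findall("security-constraint"):
            patterns = [p.text.strip()
                        for p in sc.findall("web-resource-collection/url-pattern")]
            ac = sc.find("auth-constraint")
            # None: no auth-constraint at all; empty set: <auth-constraint/>
            roles = None if ac is None else {
                r.text.strip() for r in ac.findall("role-name")}
            self.constraints.append((patterns, roles))

    def undeclared_roles(self):
        """Role names used in auth-constraint but missing from security-role,
        which the DTD comment says must correspond."""
        named = set()
        for _, roles in self.constraints:
            if roles:
                named |= roles - {"*"}
        return named - self.declared_roles

    def allowed_roles(self, path):
        """None means anyone may access, an empty set means nobody may,
        otherwise the user needs at least one of the returned roles."""
        ranked = []
        for patterns, roles in self.constraints:
            ranks = [r for r in (match_rank(p, path) for p in patterns) if r]
            if ranks:
                ranked.append((max(ranks), roles))
        if not ranked:
            return None
        best = max(r for r, _ in ranked)
        matching = [roles for r, roles in ranked if r == best]
        if any(roles is not None and not roles for roles in matching):
            return set()          # empty auth-constraint: deny everyone
        if any(roles is None for roles in matching):
            return None           # unconstrained collection: allow everyone
        union = set()
        for roles in matching:
            if "*" in roles:      # "*" = all roles declared in security-role
                union |= self.declared_roles
            union |= roles - {"*"}
        return union

    def check_access(self, path, user_roles):
        allowed = self.allowed_roles(path)
        return True if allowed is None else bool(allowed & set(user_roles))


if __name__ == "__main__":
    for text, label in ((SAMPLE_WEB_XML, "with roles"),
                        (SAMPLE_WITHOUT_ROLES, "without roles")):
        d = Descriptor(text)
        print(label, "undeclared:", d.undeclared_roles())
        for path, roles in (("/test", ["tomcat"]), ("/admin/x", ["manager"])):
            print(" ", path, roles, "->", d.check_access(path, roles))
```

Under these rules the tomcat role is refused at /test, the manager role is accepted at /admin/x only while manager is declared in security-role, and removing the security-role elements turns "*" into an empty set, which is the "no user is allowed access" outcome the DTD comment describes; undeclared_roles() then also reports specialrole as a descriptor error.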
