juanmanuelsanchez wrote:
> I'm trying to make tomcat work with my jsecurity setup but I'm having some
> problems.
> My jsp's are in different folders to make them more organized in sake of
> security. So I have a main folder called JSP with 3 subfolders in it.
>
> So I have 3 <security-constraint> tags setup depending on the folder I want
> to access so I have something like:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Comun</web-resource-name>
>     <description> accessible by authenticated users of the DB role</description>
>     <url-pattern>/JSP/Comun/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>     <http-method>DELETE</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <description>Este rol tiene accesso limitado</description>
>     <role-name>manager</role-name>
>     <role-name>Administracion</role-name>
>     <role-name>Gerencia</role-name>
>     <role-name>Medico</role-name>
>   </auth-constraint>
>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Admin</web-resource-name>
>     <description> accessible by authenticated users of the DB role</description>
>     <url-pattern>/JSP/Admin/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>     <http-method>DELETE</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <description>Este rol tiene accesso limitado</description>
>     <role-name>Administracion</role-name>
>   </auth-constraint>
>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> But this doesn't seem to work, first of all the login page is not displayed
> and everyone seems to have access to the whole app.
>
> Then if I try
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>MedPro</web-resource-name>
>     <description> accessible by authenticated users of the DB role</description>
>     <url-pattern>/*</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>     <http-method>PUT</http-method>
>     <http-method>DELETE</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <description>Este rol tiene accesso ilimitado</description>
>     <role-name>manager</role-name>
>   </auth-constraint>
>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> Then I get the login page but only the manager can access, and the rest
> can't.

So the login page is inside part of the app that has an auth constraint?
Not sure if that'll mess things up, but you could try putting it in:

/WEB-INF/login/login.jsp
/WEB-INF/login/login-error.jsp

... where they'll be safe from prying eyes, but available to the application.

What is your Realm config (don't forget to obscure any real passwords)?

p

> How can I make it work?
>
> Thanks.
>
> I have attached a file in case you want to see it more clearly.
>
> http://www.nabble.com/file/p21671743/sample.xml sample.xml
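
A way to check which roles a set of <security-constraint> elements grants for a given method and path, added here as an example and not part of the original thread. It is a simplified model of the Servlet specification's url-pattern matching, not Tomcat's own code; the function names and the sample XML are constructed for illustration. It shows that paths outside the listed patterns, and methods not named in <http-method>, are left unconstrained.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two constraints quoted in the thread.
WEB_XML = """<web-app>
 <security-constraint><web-resource-collection>
   <url-pattern>/JSP/Comun/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method>
   <http-method>PUT</http-method><http-method>DELETE</http-method>
  </web-resource-collection><auth-constraint><role-name>manager</role-name>
   <role-name>Medico</role-name></auth-constraint></security-constraint>
 <security-constraint><web-resource-collection>
   <url-pattern>/JSP/Admin/*</url-pattern>
   <http-method>GET</http-method><http-method>POST</http-method>
   <http-method>PUT</http-method><http-method>DELETE</http-method>
  </web-resource-collection><auth-constraint>
   <role-name>Administracion</role-name></auth-constraint></security-constraint>
</web-app>"""

def load(xml_text):
    """[(url_pattern, methods, roles)]; empty methods = all, roles None = no auth-constraint."""
    rules = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text.strip() for r in auth.iter("role-name")}
        for wrc in sc.iter("web-resource-collection"):
            methods = {m.text.strip() for m in wrc.iter("http-method")}
            rules += [(p.text.strip(), methods, roles) for p in wrc.iter("url-pattern")]
    return rules

def rank(pattern, path):
    """Match strength: exact > longest path prefix > extension > default; 0 = no match."""
    if pattern == path:
        return 10**6
    if pattern.endswith("/*") and (path + "/").startswith(pattern[:-1]):
        return 1000 + len(pattern)
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return 2
    return 1 if pattern == "/" else 0

def allowed_roles(rules, method, path):
    """Roles allowed for the request; None when no constraint restricts it."""
    hits = [(rank(p, path), m, r) for p, m, r in rules if rank(p, path)]
    best = max((h[0] for h in hits), default=0)
    applicable = [r for s, m, r in hits if s == best and (not m or method in m)]
    if not applicable or (None in applicable and set() not in applicable):
        return None       # uncovered method/path, or explicitly open
    if set() in applicable:
        return set()      # an empty <auth-constraint> denies everyone
    return set().union(*applicable)
```

Calling allowed_roles(load(WEB_XML), "HEAD", "/JSP/Admin/users.jsp") returns None, which is the signal to either drop the <http-method> list or add a constraint covering the remaining methods.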