Hi tomcat users,
I am using Tomcat 6.0.20 and have successfully implemented a lockout
realm with nested JDBCRealm and JNDIRealm. The security constraint has
also been setup in my application WEB-INF/web.xml file:
<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
<role-name>*</role-name>
</auth-constraint>
User is now authenticated via JDBCRealm followed by JNDIRealm and
would be able to access protected pages with any role.
The question I have is how can I deny a group of users with a
particular role to all protected pages even if they can provide
correct combination of username/password?
Would it also be possible to change the behavior of the
combinedRealm/LockoutRealm such that if username is found in prior
realm and password is incorrect, then it skips the other realms? It
only look into the other realms if username is not found in prior
realms.
Please advise. Appreciate it!
Regards,
Clement
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
