Do you really want to allow different passwords for the same user id? Sounds dangerous.

For different access control restrictions you need to set up various roles, which are names chosen by you. These can be something like
- reader, writer
- admin, superuser, user
- it, sales, marketing, hr

Then your role names * would be gone and you would need a <security-constraint> for each resource category you need to protect. (Google for more details on <security-constraint> for more help on that)

-Tim

Clement Chong wrote:
Hi tomcat users,

I am using Tomcat 6.0.20 and have successfully implemented a lockout realm
with nested JDBCRealm and JNDIRealm. The security constraint has also been
set up in my application WEB-INF/web.xml file:

<auth-constraint>
      <!-- Anyone with one of the listed roles may access this area -->
      <role-name>*</role-name>
</auth-constraint>

User is now authenticated via JDBCRealm followed by JNDIRealm and would be
able to access protected pages with any role.

The question I have is how can I deny a group of users with a particular
role to all protected pages even if they can provide correct combination of
username/password?

Would it also be possible to change the behavior of the
combinedRealm/LockoutRealm such that if username is found in prior realm and
password is incorrect, then it skips the other realms? It only looks into the
other realms if username is not found in prior realms.
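
The role-per-resource layout suggested in the reply, as an added example that is not part of the original thread. The role names reader, writer and admin come from the reply's list; the role "suspended", the URL patterns and the resource names are assumptions made for illustration, and the existing login-config is left out.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Before: <role-name>*</role-name> admits every role declared in this
       descriptor, so no declared role can be kept out.
       After: each resource category lists only the roles allowed to reach it. -->

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports (hypothetical category)</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>reader</role-name>
      <role-name>writer</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration (hypothetical category)</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Declare every role referenced above. -->
  <security-role><role-name>reader</role-name></security-role>
  <security-role><role-name>writer</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>

  <!-- "suspended" (assumed name for the group to be denied) is declared but
       appears in no auth-constraint, so holding only this role grants nothing. -->
  <security-role><role-name>suspended</role-name></security-role>
</web-app>
```

These constraints are allow-lists: a user who holds both "suspended" and one of the listed roles is still admitted, so the denied group must not also carry an allowed role in the realm's role table or directory.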

