Clement,

On 6/24/2009 2:57 AM, Clement Chong wrote:
> <auth-constraint>
> <!-- Anyone with one of the listed roles may access this area -->
> <role-name>*</role-name>
> </auth-constraint>
>
> User is now authenticated via JDBCRealm followed by JNDIRealm and
> would be able to access protected pages with any role.
>
> The question I have is how can I deny a group of users with a
> particular role to all protected pages even if they can provide
> correct combination of username/password?

Instead of specifying '*' as the allowed role (which means "any defined
role"), you should specify all roles that /should/ have access and omit
those that shouldn't.

You could also remove your <auth-constraint> and implement your own
authorization in a filter.

> Would it also be possible to change the behavior of the
> combinedRealm/LockoutRealm such that if username is found in prior
> realm and password is incorrect, then it skips the other realms? It
> only looks into the other realms if username is not found in prior
> realms.

I'm sure you could do that: you're the author of that realm!

-chris