Hi Tim,

Basically the first realm contains the list of users we want to deny access. The password would be dynamic, making it difficult to get through. Well, maybe I should really consider working with specific roles. That is, grant users roles that would allow them access. Then I would probably just need a single realm for authentication.

However, this would mean almost all users would require such a role to be granted, except for some whom we would like to deny access. Then every new user would also probably need to be granted the role. A little extra work there, besides working with IT to get the new role set up. A blacklist would work better than a whitelist in this case.

Thanks,
Clement

On Wed, Jun 24, 2009 at 7:02 PM, Tim Funk <funk...@apache.org> wrote:
> Do you really want to allow different passwords for the same user id?
> Sounds dangerous.
>
> For different access control restrictions you need to set up various
> roles, which are names chosen by you. Which can be something like
> - reader, writer
> - admin, superuser, user
> - it, sales, marketing, hr
>
> Then your role name * would be gone and you would need a
> <security-constraint> for each resource category you need to protect.
> (Google for more details on <security-constraint> for more help on that)
>
> -Tim
>
>
> Clement Chong wrote:
>
>> Hi tomcat users,
>>
>> I am using Tomcat 6.0.20 and have successfully implemented a lockout realm
>> with nested JDBCRealm and JNDIRealm. The security constraint has also been
>> set up in my application WEB-INF/web.xml file:
>>
>> <auth-constraint>
>>   <!-- Anyone with one of the listed roles may access this area -->
>>   <role-name>*</role-name>
>> </auth-constraint>
>>
>> The user is now authenticated via JDBCRealm followed by JNDIRealm and would be
>> able to access protected pages with any role.
>>
>> The question I have is how can I deny a group of users with a particular
>> role access to all protected pages even if they can provide the correct
>> combination of username/password?
>>
>> Would it also be possible to change the behavior of the
>> CombinedRealm/LockoutRealm such that if the username is found in a prior realm
>> and the password is incorrect, then it skips the other realms? It would only
>> look into the other realms if the username is not found in prior realms.
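The per-resource `<security-constraint>` layout Tim is pointing at, written out as an added illustration for this thread (it is not Clement's web.xml and not Tomcat project code; the URL patterns and the role names reader, writer and admin are assumed). It replaces the single `<role-name>*</role-name>` constraint with one allow-list per resource category, and shows the one deny form the Servlet descriptor does offer, an empty `<auth-constraint/>`, which blocks every caller for a URL pattern:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for the thread above; paths and role names are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Every role referenced in an auth-constraint must be declared here. -->
  <security-role><role-name>reader</role-name></security-role>
  <security-role><role-name>writer</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>

  <!-- Category 1: read-only documents. Only the listed roles get in; an
       authenticated user holding none of them receives 403.
       No <http-method> list is given, so the constraint covers every verb. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Documents</web-resource-name>
      <url-pattern>/docs/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>reader</role-name>
      <role-name>writer</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Category 2: editing pages, writers and admins only. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Editor</web-resource-name>
      <url-pattern>/edit/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>writer</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Category 3: administration, admin role only, and only over TLS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Category 4: a retired area. An empty auth-constraint means no role
       satisfies it, so nobody can reach these URLs regardless of password. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Retired</web-resource-name>
      <url-pattern>/old/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Application</realm-name>
  </login-config>
</web-app>
```

Two points worth checking when adapting this. First, descriptor constraints are allow-lists only: there is no "deny this role" element, so the group Clement wants to keep out has to end up holding none of the allowed roles (or be absent from the user store), not be named in a constraint. Second, leave out `<http-method>` lists unless you really mean to constrain only those verbs; a constraint that names GET and POST leaves every other method on the same pattern unprotected.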