On Dec 2, 2009, at 6:01 PM, Christopher Schultz wrote:

> Chuck,
>
> On 12/2/2009 5:15 PM, Caldarale, Charles R wrote:
>>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>>> Subject: Re: Authentication without Authorization ( JNDI Realm )
>>>
>>> Technically speaking, this will require authentication but then let
>>> anyone holding any role defined in web.xml to access any page on your
>>> site.
>>
>> But the valid roles still have to be listed in web.xml to be compliant with
>> the spec.
>
> Yes. That's why I said "technically" and "practically".
>
>>> Practically speaking, you don't even need to define the roles in
>>> web.xml because (last time I checked), Tomcat treats '*' as
>>> "authenticated, regardless of roles".
>>
>> That was a bug, now fixed:
>> http://marc.info/?l=tomcat-user&m=123568422715010&w=2
>
> I'll have to look elsewhere in the code, then. What I saw in
> GenericPrincipal clearly takes, ahem, liberties with the spec.
(don't know if this has been mentioned) There are the @PermitAll (and @DenyAll, @RolesAllowed) annotations. It requires a servlet 3.0 container or some framework that allows it (I like Jersey).

best,
-Rob
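A web.xml fragment showing the setup the thread is about (an added example, not from any of the posters): a security-constraint whose auth-constraint uses `*`, with every role still declared under security-role so the constraint stays spec-compliant. The URL pattern, login pages and role names are assumed values; the JNDIRealm itself is configured in Tomcat's context or server.xml, not here.

```xml
<!-- Added example: require authentication for the whole application,
     then admit any user who holds one of the roles declared below. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Per the spec, '*' expands to "any role declared in a
           security-role element", not "any authenticated principal".
           An authenticated user whose realm roles match none of the
           declared roles is still refused (403). -->
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- web.xml only selects the authentication method; the realm that
       answers the challenge (a JNDIRealm here) lives in the Tomcat config. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role that '*' should cover must be listed here. These names
       are assumed; they must match the group names the JNDIRealm returns. -->
  <security-role><role-name>staff</role-name></security-role>
  <security-role><role-name>contractor</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
```

On a Servlet 3.0 container the declared list is therefore the real access policy; a group added in the directory but missing from security-role is locked out until web.xml is updated.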