I have a "blanket" security-constraint defined in my conf/web.xml, followed by a couple more specific security-constraints. However, it appears that the more specific ones are not being picked up. When I break in FormAuthenticator.invoke(), I can see in the constraints variable (SecurityConstraint[]) that only my global security-constraint is there so everything is requiring authentication. What am I doing wrong? I want to configure Tomcat such that /favicon.ico and /agentapp/* do not require authentication.
conf/web.xml snippet:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>The entire SP</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>favicon.ico for browser tabs</web-resource-name>
    <url-pattern>/favicon.ico</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>agentapp</web-resource-name>
    <url-pattern>/agentapp/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>