Luke,
I stand corrected. It is the '*' role behaviour that should be used. The lack of any role means no access. I knew the 2.3 spec had defined both these cases, but got them mixed up.

Jetty4 will definitely support this style of security constraint soon. I think Jetty3 can also be made to support this without breaking any existing code (but I'll think about this a bit more before changing this).

thanks

Luke Taylor wrote:
> Greg Wilkins wrote:
>
> > Cristoph,
> >
> > Either way, you do not want the semantics of NONE, you want the user
> > to be authenticated, but you do not care what group they are in.
> >
> > Again, Jetty has an extension to the spec to support this. All users
> > are in the role org.mortbay.http.User. However this is implemented
> > in the HashUserRealm which is not used by JBoss.
> >
> > So for now, you must define a role that all your JBoss users are in
> > and specify an AuthConstraint for that role.
>
> Hi Greg,
>
> Wouldn't this be the same as using "*" for the role-name? I had a brief
> look at the servlet 2.3 spec before replying previously and that's the
> syntax it uses for "all roles". So it should then perform authentication
> and allow any user who has a role recognised by the application.
>
> Luke.

--
Greg Wilkins<[EMAIL PROTECTED]>
Mort Bay Consulting Australia and UK.
http://www.mortbay.com
GB Phone: +44-(0)7092063462
Mbl Phone: +61-(0)4 17786631
AU Phone: +61-(0)2 98107029
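The two cases settled in this thread ("*" as the role name versus an auth-constraint that names no role), as an added example that is not part of the original messages and is not Jetty or JBoss code. The descriptor is constructed sample input, `load_constraints` and `is_permitted` are hypothetical helper names, and rules are looked up by the literal url-pattern string rather than by servlet URL matching.

```python
import xml.etree.ElementTree as ET

# Constructed servlet 2.3 style descriptor (sample input, not from the thread).
WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>members</web-resource-name><url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>internal</web-resource-name><url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-role><role-name>customer</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
"""

def load_constraints(xml_text):
    """Return (declared_roles, {url_pattern: allowed_roles or None})."""
    root = ET.fromstring(xml_text)
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    rules = {}
    for sc in root.findall("security-constraint"):
        auth = sc.find("auth-constraint")
        if auth is None:
            allowed = None  # no auth-constraint at all: no authentication required
        else:
            names = {r.text.strip() for r in auth.findall("role-name")}
            # "*" expands to every role the application declares; an
            # auth-constraint naming no role leaves the set empty (no access).
            allowed = declared if "*" in names else names
        for pat in sc.findall("web-resource-collection/url-pattern"):
            rules[pat.text.strip()] = allowed
    return declared, rules

def is_permitted(rules, pattern, user_roles):
    """user_roles is None for an unauthenticated request."""
    allowed = rules[pattern]
    if allowed is None:
        return True
    if user_roles is None:
        return False
    return bool(allowed & set(user_roles))
```

An authenticated user whose only role is not declared by the application is still refused under "*", which matches "any user who has a role recognised by the application" in the quoted message.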