Hi,

I have a web site with the following directory structure:

root/admin/sysop.

I only want certain people to have access to the admin section and only
other people to have access to the sysop section.

I have created two users in the tomcat-users.xml file:

  <role rolename="sysop"/>
  <role rolename="admin"/>
  <user username="admin" password="test1" roles="admin"/>
  <user username="sysop" password="test2" roles="sysop"/>

In the server.xml file I have uncommented the following line:

<Realm className="org.apache.catalina.realm.MemoryRealm" />

Then in the web.xml file I have added the following:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Pages</web-resource-name>
      <url-pattern>/admin</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Sysop Pages</web-resource-name>
      <url-pattern>/admin/sysop/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>sysop</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Admin Pages</realm-name>
  </login-config>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Sysop Pages</realm-name>
  </login-config>

This is where my problem is. User admin and sysop can access both the admin
and the sysop sections. I must have set the security constraints incorrectly.
Can someone please point out what is wrong?

Thanks

Alex

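The behaviour Alex is seeing comes down to how a Servlet container matches `<url-pattern>` values: `/admin` is an exact match for the single path `/admin` and nothing underneath it, whereas `/admin/*` is a path-prefix pattern that covers the whole tree. The following is an added example, not part of the original post and not Tomcat's code: a small Python model of the matching order the Servlet specification prescribes (exact match, then longest path prefix, then extension; all constraints on the best-matching pattern apply and access is granted if any of them grants it), run over the two constraints as posted and over a corrected pair. The request paths, user names and "anonymous" user are constructed for the demonstration; the roles mirror the posted tomcat-users.xml.

```python
"""Added example (not from the original post, not Tomcat's code): a model of how
a Servlet container such as Tomcat picks the <security-constraint> that governs
a request path, and why the posted web.xml leaves most of /admin unprotected.

Matching order modelled, as the Servlet specification gives it:
  1. exact match               ("/admin" matches only the path "/admin")
  2. longest path-prefix match ("/admin/*" matches "/admin" and "/admin/...")
  3. extension match           ("*.jsp")
All constraints sharing the best-matching pattern apply; access is granted if
any one of them grants it. Paths, user names and the anonymous user below are
constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Constraint:
    name: str                         # <web-resource-name>
    pattern: str                      # <url-pattern>
    roles: Optional[FrozenSet[str]]   # <auth-constraint> roles; None = no <auth-constraint>, open to all


def prefix_matches(pattern: str, path: str) -> bool:
    """'/admin/*' matches '/admin' itself and anything below '/admin/'."""
    prefix = pattern[:-2]
    return path == prefix or path.startswith(prefix + "/")


def applicable_constraints(constraints: List[Constraint], path: str) -> List[Constraint]:
    """Return every constraint attached to the best-matching url-pattern for path."""
    exact = [c for c in constraints if c.pattern == path]
    if exact:
        return exact
    prefix = [c for c in constraints if c.pattern.endswith("/*") and prefix_matches(c.pattern, path)]
    if prefix:
        longest = max(len(c.pattern) for c in prefix)
        return [c for c in prefix if len(c.pattern) == longest]
    return [c for c in constraints if c.pattern.startswith("*.") and path.endswith(c.pattern[1:])]


def access_decision(constraints: List[Constraint], path: str, user_roles: FrozenSet[str]) -> str:
    """'unprotected' (no constraint matches, no login required), 'allowed' or 'denied'."""
    applicable = applicable_constraints(constraints, path)
    if not applicable:
        return "unprotected"
    for c in applicable:
        if c.roles is None or c.roles & user_roles:
            return "allowed"
    return "denied"


# The two constraints exactly as posted; note the exact-match pattern "/admin".
POSTED = [
    Constraint("Admin Pages", "/admin", frozenset({"admin"})),
    Constraint("Sysop Pages", "/admin/sysop/*", frozenset({"sysop"})),
]

# Corrected: "/admin/*" covers the whole admin tree, and "/admin/sysop/*" is the
# longer prefix, so it alone governs the sysop subtree (admin role is not enough).
FIXED = [
    Constraint("Admin Pages", "/admin/*", frozenset({"admin"})),
    Constraint("Sysop Pages", "/admin/sysop/*", frozenset({"sysop"})),
]

# Constructed users (roles as in the posted tomcat-users.xml) and request paths.
USERS: Dict[str, FrozenSet[str]] = {
    "anonymous": frozenset(),
    "admin": frozenset({"admin"}),
    "sysop": frozenset({"sysop"}),
}
PATHS = ["/admin", "/admin/index.jsp", "/admin/sysop/run.jsp"]


def audit(constraints: List[Constraint]) -> Dict[str, Dict[str, str]]:
    """Decision for every (path, user) pair, keyed by path and then user name."""
    return {p: {u: access_decision(constraints, p, r) for u, r in USERS.items()} for p in PATHS}


if __name__ == "__main__":
    for label, cfg in (("posted web.xml", POSTED), ("fixed web.xml", FIXED)):
        print(label)
        for path, row in audit(cfg).items():
            print(f"  {path:22} " + "  ".join(f"{u}={d}" for u, d in row.items()))
```

Running it shows that with the posted patterns `/admin/index.jsp` matches no constraint at all, so it is served without any login, while `/admin` itself and `/admin/sysop/*` are each restricted to a single role; with `/admin/*` in place of `/admin`, the admin tree requires the admin role and the sysop subtree still requires only sysop. Two further points a practitioner would check in the posted web.xml: the deployment descriptor allows a single `<login-config>` element (the `<realm-name>` is just the string shown in the browser's Basic auth prompt, not a per-constraint setting), and Basic auth sends the password base64-encoded on every request, so this should sit behind TLS.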