On Sat, 5 Jul 2003, Navjot Singh wrote:
> Date: Sat, 5 Jul 2003 21:39:34 +0530 > From: Navjot Singh <[EMAIL PROTECTED]> > Reply-To: Struts Users Mailing List <[EMAIL PROTECTED]> > To: Struts Users Mailing List <[EMAIL PROTECTED]> > Subject: [OT] - Realm Security - How to set overlapping constraints? > > hi, > > It may be quite simple but it's not working for me. > > I have a set of servlets > /myapp/p/ab.do > /myapp/p/groups.do > /myapp/p/contacts.do > > AND I want all of them to be accessible to roles "user" and "admin". > > There is 1 more servlet that MUST be accessible ONLY to "admin" > /myapp/p/status.do > > I am setting config like given below. > But still, "user" roles are being able to access status.do > > What am i doing wrong? > > thanks for any help > -navjot singh > > __My XML Declarations__ > > <security-constraint> > <web-resource-collection> > <web-resource-name>Protected</web-resource-name> > <url-pattern>*.do</url-pattern> > <http-method>GET</http-method> > <http-method>POST</http-method> > </web-resource-collection> > <auth-constraint> > <role-name>user</role-name> > <role-name>admin</role-name> > </auth-constraint> > </security-constraint> The list of security roles inside an <auth-constraint> is an *or* list, so the container is doing exactly what you told it to do -- allow anyone with either "user" or "admin" to access all "*.do" URLs. > > <security-constraint> > <web-resource-collection> > <web-resource-name>Show Status</web-resource-name> > <url-pattern>/p/status.do</url-pattern> > <http-method>GET</http-method> > <http-method>POST</http-method> > </web-resource-collection> > <auth-constraint> > <role-name>admin</role-name> > </auth-constraint> > </security-constraint> > The fact that this one is second means that it will never get used, because "/p/status.do" satisfies the matching pattern on the first test. Try reversing your constraints. Another alternative is to do some of the role-based protection on Struts actions in struts-config.xml instead, by using the "role" attribute on the <action> element. That way, you can have just your first constraint above (the one matching "*.do") to force people to log on, and then do fine grained control at the Struts level. > <security-role> > <role-name>admin</role-name> > </security-role> > > <security-role> > <role-name>user</role-name> > </security-role> > Craig --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
