So I looked at the servlet spec, but it doesn't specify (as far as I read)
how hierarchical security constraints should work and Tomcat 4.1.27 seems to
not do hierarchical constraints :) Also searching the list I didn't turn up
results of this type, although I swear I've seen this issue before...
I want to secure "/*" with a standard role and then "/stuff1" with another
role and "/stuff2" with yet another role.
So I put in the web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>General Secured content root</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>standard</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>General Secured content root</web-resource-name>
        <url-pattern>/stuff1</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>usertype1</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>General Secured content root</web-resource-name>
        <url-pattern>/stuff2</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>usertype2</role-name>
    </auth-constraint>
</security-constraint>
But the second two seem to be overridden by the first. (A link on a WebLogic
site shows the above to work, but I don't have WebLogic)
Is this known behavior or did I miss something?
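
Added example, not part of the original post and not Tomcat's or WebLogic's code: a small model that evaluates the three constraints above under two strategies, declaration-order first match (which would produce the overriding reported above) and most-specific url-pattern match. Both strategies and all function names are assumptions made for illustration.

```python
# Constraints transcribed from the post's web.xml, in declaration order:
# (url-pattern, http-methods, required role). A constraint that lists
# http-method elements covers only those methods.
CONSTRAINTS = [
    ("/*", {"GET", "POST"}, "standard"),
    ("/stuff1", {"GET", "POST"}, "usertype1"),
    ("/stuff2", {"GET", "POST"}, "usertype2"),
]

def specificity(pattern, path):
    """Rank a match like a servlet mapping: exact > longest path prefix >
    extension > default. Returns None when the pattern does not match."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    elif pattern.startswith("*."):
        if path.rsplit("/", 1)[-1].endswith(pattern[1:]):
            return (1, 0)
    elif pattern == "/":
        return (0, 0)
    return None

def first_match(constraints, path, method):
    """Declaration order: the first constraint covering the request wins."""
    for pattern, methods, role in constraints:
        if method in methods and specificity(pattern, path) is not None:
            return role
    return None  # no constraint applies

def best_match(constraints, path, method):
    """Most specific matching url-pattern wins, whatever the order."""
    hits = [(specificity(p, path), role) for p, methods, role in constraints
            if method in methods and specificity(p, path) is not None]
    return max(hits)[1] if hits else None

def compare(constraints, paths=("/index.jsp", "/stuff1", "/stuff2", "/stuff1/x")):
    """Return (path, first-match role, best-match role) for GET requests."""
    return [(p, first_match(constraints, p, "GET"), best_match(constraints, p, "GET"))
            for p in paths]

if __name__ == "__main__":
    for row in compare(CONSTRAINTS):
        print("%-12s first-match=%-10s best-match=%s" % row)
```

In this model "/stuff1" is an exact pattern, so "/stuff1/x" falls back to the "/*" constraint under either strategy; covering the subtree would need "/stuff1/*".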