It's a Tomcat implementation detail, but I believe that 4.1.x does a first-match (so moving "/*" to the end of the list should work). The Servlet 2.4 spec is much more specific about what to do in your case, so Tomcat 5 and WebLogic should do the same thing when they come out.
"Madere, Colin" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > So I looked at the servlet spec, but it doesn't specify (as far as I read) > how hierarchical security constraints should work and Tomcat 4.1.27 seems to > not do hiarachical constraints :) Also searching the list I didn't turn up > results of this type, although I swear I've seen this issue before... > > I want to secure "/*" with a standard role and then "/stuff1" with another > role and "/stuff2" with yet another role. > > So I put in the web.xml: > > <security-constraint> > <web-resource-collection> > <web-resource-name>General Secured content root</web-resource-name> > <url-pattern>/*</url-pattern> > <http-method>GET</http-method> > <http-method>POST</http-method> > </web-resource-collection> > <auth-constraint> > <role-name>standard</role-name> > </auth-constraint> > </security-constraint> > > <security-constraint> > <web-resource-collection> > <web-resource-name>General Secured content root</web-resource-name> > <url-pattern>/stuff1</url-pattern> > <http-method>GET</http-method> > <http-method>POST</http-method> > </web-resource-collection> > <auth-constraint> > <role-name>usertype1</role-name> > </auth-constraint> > </security-constraint> > > <security-constraint> > <web-resource-collection> > <web-resource-name>General Secured content root</web-resource-name> > <url-pattern>/stuff2</url-pattern> > <http-method>GET</http-method> > <http-method>POST</http-method> > </web-resource-collection> > <auth-constraint> > <role-name>usertype2</role-name> > </auth-constraint> > </security-constraint> > > But the second two seem to be overriden by the first. (A link on a WebLogic > site shows the above to work, but I don't have WebLogic) > > Is this known behavior or did I miss something? --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]