Perhaps you should try using distinct directories instead? That should work a little more cleanly.
Todd

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Friday, August 29, 2003 3:01 AM
Subject: Broken?: security constraint for actions

> Hello,
>
> I have set up a struts-like web app running under Tomcat 4.1.27 on
> win2000 and JDK1.4.2. I want to restrict access to parts of my app based
> on the "action" parameter in the URL. That is, calls to
>
> /controller?action=deposit
>
> can be made by members of the group "user". But, say, calls to
>
> /controller?action=withdraw
>
> can only be made by members of the group "admin".
>
> How can I protect these resources? If I try to use
>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>ListAccounts</web-resource-name>
>     <description>The pages</description>
>     <url-pattern>/controller?action=withdraw</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>admin</role-name>
>   </auth-constraint>
> </security-constraint>
>
> The container ignores the constraint. What is wrong here?
>
> Also, I have seen web.xml files in which classes themselves are
> constrained via a url-pattern such as
>
> <url-pattern>/WEB-INF/classes/a/b/Foo.class</url-pattern>
>
> If I try to use such restraints in Tomcat, they are not honored.
>
> Any ideas or references?
>
> Thanks
>
> Bruce Sams
>
> =====
> Dr. Bruce J. Sams, III
> mediateam
> Weidenweg 2, 85375 Neufahrn
> Germany
> tel: +49 (0) 8165/65095
> fax: +49 (0) 8165/65096
> web: http://www.mediateam.de
>
>
> This communication may contain privileged
> information. If you are not the intended recipient
> please notify the sender immediately and destroy this e-mail.
>
> All unauthorised copying, disclosure or distribution of the
> material in this e-mail or of parts hereof is strictly forbidden.
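The distinct-path layout suggested in the reply, written out as a web.xml fragment. This is an added example, not part of the original thread. The container matches a security constraint's url-pattern against the request path only, never the query string, so each action gets its own path here. The servlet name `controller`, the paths `/controller/user/*` and `/controller/admin/*`, and the realm name are hypothetical.

```xml
<!-- Added example; servlet name, paths and realm name are assumptions. -->

<!-- One controller servlet serves every action; the action name travels
     in the path (e.g. /controller/admin/withdraw), not in ?action=... -->
<servlet-mapping>
  <servlet-name>controller</servlet-name>
  <url-pattern>/controller/*</url-pattern>
</servlet-mapping>

<!-- Actions open to the "user" role, e.g. /controller/user/deposit -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>UserActions</web-resource-name>
    <url-pattern>/controller/user/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- Actions restricted to "admin", e.g. /controller/admin/withdraw -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>AdminActions</web-resource-name>
    <url-pattern>/controller/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example Realm</realm-name>
</login-config>

<!-- Every role named in an auth-constraint is declared here. -->
<security-role><role-name>user</role-name></security-role>
<security-role><role-name>admin</role-name></security-role>
```

The controller has to take the action from the path (`request.getPathInfo()`) and ignore any `action` query parameter; otherwise a request to `/controller/user/deposit?action=withdraw` would pass the "user" constraint and still reach the withdraw logic.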