You can't use query strings in security constraints.

You can always do programmatic authorization via request.isUserInRole(userName)

-Tim

[EMAIL PROTECTED] wrote:

Hello,

I have set up a struts-like web app running under Tomcat 4.1.27 on
win2000 and JDK1.4.2. I want to restrict access to parts of my app based
on the "action" parameter in the URL. That is, calls to


/controller?action=deposit

can be made by members of the group "user". But, say, calls to

/controller?action=withdraw

can only be made by members of the group "admin".

How can I protect these resources? If I try to use


<security-constraint>
  <web-resource-collection>
    <web-resource-name>ListAccounts</web-resource-name>
    <description>The pages</description>
    <url-pattern>/controller?action=withdraw</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>


The container ignores the constraint. What is wrong here?

Also, I have seen web.xml files in which classes themselves are
constrained via a url-pattern such as

<url-pattern>/WEB-INF/classes/a/b/Foo.class</url-pattern>

If I try to use such restraints in Tomcat, they are not honored.

Any ideas or references?
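
Added example, not part of the original thread or of Tomcat: one way to do the programmatic check suggested in the reply, as a servlet filter that maps each "action" value to the role it requires. The class name ActionRoleFilter and the action-to-role table are assumptions taken from the question; it also assumes a current JDK, the javax.servlet API, and that a security-constraint on the plain /controller pattern (no query string) already forces login, since isUserInRole only reports on a user the container has authenticated.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter; map it to /controller with a filter-mapping in web.xml. */
public class ActionRoleFilter implements Filter {
    // "action" parameter value -> role required (values taken from the question)
    private final Map<String, String> requiredRole = new HashMap<String, String>();

    public void init(FilterConfig config) {
        requiredRole.put("deposit", "user");
        requiredRole.put("withdraw", "admin");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getParameterValues sees query-string and form-body values alike.
        // Exactly one value is required, so the filter and the controller
        // cannot disagree about which action is being requested.
        String[] actions = request.getParameterValues("action");
        if (actions == null || actions.length != 1) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Deny by default: an action with no entry in the table is refused.
        String role = requiredRole.get(actions[0]);
        // isUserInRole takes a role name; it is false for an unauthenticated caller.
        if (role == null || !request.isUserInRole(role)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

As written, a caller who holds only the "admin" role is refused "deposit"; grant such users both roles or extend the table if that is not intended.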


