On Tue, 11 Jun 2002, Dennis van den Berg wrote:

> Date: Tue, 11 Jun 2002 13:02:46 +0200
> From: Dennis van den Berg <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: security-constraints
>
> Hi all,
>
> According to the servlet 2.3 specs, the longest path-prefix is used when
> determining which servlet-mapping or which security-constraint is to be
> used.
>

Tomcat actually implements "first matching security constraint", rather
than "longest matching security constraint", so you need to swap the order
of these two in order to get what you want.

Clarifying the rules for this is under discussion for Servlet 2.4.

Craig


> However, when I specify the following security-constraints:
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Collection1</web-resource-name>
>       <url-pattern>/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>role1</role-name>
>     </auth-constraint>
>     <user-data-constraint>
>       <transport-guarantee>NONE</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Collection2</web-resource-name>
>       <url-pattern>/view/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>role2</role-name>
>     </auth-constraint>
>     <user-data-constraint>
>       <transport-guarantee>NONE</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
>
> A user who is in role2 is denied access to URLs which start with /view/*, and it
> seems that the order in which I specify the security-constraints matters?
>
> Am I missing something?
>
> Thanks,
>
>
> --
> To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
>
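The mismatch discussed in this thread, as an added example that is not part of the original messages and is not Tomcat's code: a small Python check that loads the two constraints from the question, compares the first-match selection described in the reply with the longest-match selection the question expected, and lists patterns shadowed by an earlier, broader one. The matching model is a simplification assumed for illustration (Servlet 2.3 style web.xml without an XML namespace), and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's two constraints, trimmed to what drives matching.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>role1</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/view/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>role2</role-name></auth-constraint>
 </security-constraint>
</web-app>"""

def load_rules(xml_text):
    """Return [(url_pattern, roles)] in web.xml document order."""
    rules = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        roles = sorted(r.text.strip() for r in sc.iter("role-name"))
        rules += [(p.text.strip(), roles) for p in sc.iter("url-pattern")]
    return rules

def matches(pattern, path):
    """Servlet url-pattern forms: path prefix (/x/*), extension (*.x), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def first_match(rules, path):
    """Behaviour described in the reply: the first matching constraint wins."""
    return next((r for r in rules if matches(r[0], path)), None)

def longest_match(rules, path):
    """Behaviour the question expected: the longest matching pattern wins."""
    hits = [r for r in rules if matches(r[0], path)]
    return max(hits, key=lambda r: len(r[0]), default=None)

def shadowed(rules):
    """Patterns that first-match never selects for a path inside their own scope."""
    probe = lambda p: p[:-1] + "x" if p.endswith("/*") else p.replace("*", "/x")
    return [r[0] for r in rules if first_match(rules, probe(r[0])) is not r]

if __name__ == "__main__":
    rules = load_rules(WEB_XML)
    print("as written:", first_match(rules, "/view/report"), shadowed(rules))
    print("swapped   :", first_match(rules[::-1], "/view/report"), shadowed(rules[::-1]))
```

Running `shadowed()` over a deployment descriptor before release flags any narrower constraint that an earlier catch-all pattern would pre-empt under first-match evaluation.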

