My normal deployment of Tomcat is behind apache2, and up to now I have been using basic authentication defined by Apache's configuration file as to who has access to what.
I am about to implement the piece of the application that allows users to change their own passwords, and the administrator to set up and administer users. In order to develop and test the application where I am only running Tomcat (controlled via Eclipse) I need to replicate the security controls I will eventually be putting in place via Apache.

Given a servlet application called /usermgr, then relative to that root, I need the url pattern /* to require that any user who has an entry in the user table of the JDBCRealm I am using is prompted to login, and must successfully do so, whereas to access a url pattern of /admin/* I need to ensure that the person who has logged in has the role of 'admin'.

I think I need something like this in my web.xml file. Have I understood this correctly?

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Valid Users</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Site Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

but where I am stuck is with the login config

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name></realm-name>
  </login-config>

Is realm name just some descriptive text to prompt the user with, or has it any other significance, and am I limited to only one user prompt for both security constraints?

Finally, what does security role mean within there, i.e. do I need the following

  <security-role>
    <description>Site administrator</description>
    <role-name>admin</role-name>
  </security-role>

and what does it actually mean?

-- 
Alan Chandler
http://www.chandlerfamily.org.uk
Open Source. It's the difference between trust and antitrust.