Mark Thomas wrote:
> On 04/03/2013 21:47, Chris Fors wrote:
>> Could you please expand on what constraints you were referring to
>
> Security constraints in web.xml
>
>> and how they are best implemented, where, and in what syntax e.g. if
>> implemented in web.xml what are the correct tags.
>
> All defined in the Servlet spec.
>
>> If implemented in web.xml what are the correct tags. I have not found this
>> clarified anywhere, yet.
>
> Again, see the servlet spec.

You will find an example in the "manager" webapp that comes with Tomcat.
Look at (tomcat)/webapps/manager/WEB-INF/web.xml, parts like this :

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>manager-gui</role-name>
    </auth-constraint>
  </security-constraint>

In not-quite-technical terms :

The above, present at the level of the webapp, specifies a "role" which the authenticated user must have, in order to be able to access this part of the webapp. To determine if the user has that role, Tomcat must first know the user. This is what "triggers" the authentication mechanism. If nothing forces Tomcat to authenticate the user of this webapp, the authentication method may well be specified, but it will not be invoked.
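
Added example, not part of the original message and not Tomcat's own code: a small audit that reads a web.xml and reports whether a configured login method is ever triggered by a role requirement, which is the situation described above. The function name `audit_web_xml` and the `login-config` sample values are assumptions made for illustration; an `auth-constraint` that names no role is listed separately and not counted as triggering a login.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop the namespace so the check works whichever Servlet schema web.xml declares.
    return tag.rsplit("}", 1)[-1]

def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _texts(elems, name):
    return [c.text.strip() for e in elems for c in _kids(e, name)
            if c.text and c.text.strip()]

def audit_web_xml(xml_text):
    """Report which URL patterns require a role, and whether a configured
    login method is ever triggered by such a requirement."""
    root = ET.fromstring(xml_text)
    protected, no_role = [], []
    for sc in _kids(root, "security-constraint"):
        patterns = _texts(_kids(sc, "web-resource-collection"), "url-pattern")
        roles = _texts(_kids(sc, "auth-constraint"), "role-name")
        # Only a constraint that names a role requires the container to know the user.
        (protected if roles else no_role).append((patterns, roles))
    methods = _texts(_kids(root, "login-config"), "auth-method")
    method = methods[0] if methods else None
    return {"auth_method": method, "protected": protected, "no_role": no_role,
            "never_triggered": method is not None and not protected}

# Constructed samples. The constraint is the manager snippet quoted above;
# the login-config values are illustrative.
LOGIN = "<login-config><auth-method>BASIC</auth-method></login-config>"
WITH_CONSTRAINT = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager interface (for humans)</web-resource-name>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager-gui</role-name>
    </auth-constraint>
  </security-constraint>
  """ + LOGIN + "</web-app>"
LOGIN_ONLY = "<web-app>" + LOGIN + "</web-app>"

if __name__ == "__main__":
    for name, doc in (("with constraint", WITH_CONSTRAINT),
                      ("login-config only", LOGIN_ONLY)):
        print(name, audit_web_xml(doc))
```

A result with `never_triggered` set to true means the webapp declares an authentication method but nothing in web.xml forces a login, so every URL is served without one.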

