Chuck,

Caldarale, Charles R wrote:
|> From: Diogenes Gomes [mailto:[EMAIL PROTECTED]
|> Subject: Re: Problem with protecting pages in Tomcat 5.5
|>
|> Please, do you know how to define "any role"?
|
| I don't believe the servlet spec allows for such a weak constraint. You
| may want to consider using programmatic authentication (as defined in
| the servlet spec) rather than declarative.
|
| Take a look at:
| http://sourceforge.net/projects/securityfilter
|
| Although the last update was in 2004, it's recently become active again
| (thank you, Chris), and is much more flexible than what's allowed in the
| spec.

Yes, sf is a bit more flexible than Tomcat's built-in authentication and
authorization. sf currently interprets the "*" role to mean "any
authenticated user", much like TC 5.0 (erroneously) did.

Technically, we should be checking against the list of defined roles,
but we're not. I expect this to be "fixed" in a future version, but we
will probably provide either a backward-compatibility setting to allow *
to mean "I don't care at all" or make it easy to re-implement the
algorithm yourself to get the same effect.

Diogenes, what's the problem with simply defining all of your roles in
the web.xml file?

-chris
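
The two readings of the "*" role name discussed in this message, modelled as an added example (not code from the thread, from securityfilter, or from Tomcat). The sample web.xml, the role names and the functions `parse` and `allowed` are constructed for illustration; the descriptor omits the XML namespace and the model ignores URL-pattern matching.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the thread): two declared roles,
# one constraint whose auth-constraint uses the "*" role name.
WEB_XML = """\
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>member</role-name></security-role>
</web-app>
"""

def parse(xml_text):
    """Return (roles named in auth-constraint, roles declared via security-role)."""
    root = ET.fromstring(xml_text)
    wanted = {e.text.strip() for e in
              root.findall("./security-constraint/auth-constraint/role-name")}
    declared = {e.text.strip() for e in root.findall("./security-role/role-name")}
    return wanted, declared

def allowed(user_roles, xml_text, star_means_any_authenticated):
    """user_roles is None for an anonymous caller, else the roles the realm assigned."""
    if user_roles is None:
        return False                      # an auth-constraint always requires a login
    wanted, declared = parse(xml_text)
    if "*" in wanted:
        if star_means_any_authenticated:  # behaviour the message attributes to sf and TC 5.0
            return True
        wanted = declared                 # "*" checked against the roles defined in web.xml
    return bool(wanted & set(user_roles))

if __name__ == "__main__":
    cases = [("anonymous", None), ("member", {"member"}),
             ("undeclared role", {"guest"}), ("no roles", set())]
    for who, roles in cases:
        print(f"{who:16} defined-roles={allowed(roles, WEB_XML, False)!s:5} "
              f"any-authenticated={allowed(roles, WEB_XML, True)}")
```

The two readings differ only for authenticated users who hold no role declared in web.xml, which is why declaring every role in the descriptor makes "*" behave the same under both.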