Hi tomcat users,
I am using Tomcat 6.0.20 and have successfully implemented a lockout realm
with nested JDBCRealm and JNDIRealm. The security constraint has also been
setup in my application WEB-INF/web.xml file:
<auth-constraint>
<!-- Anyone with one of the listed roles may access this area -->
<role-name>*</role-name>
</auth-constraint>
User is now authenticated via JDBCRealm followed by JNDIRealm and would be
able to access protected pages with any role.
The question I have is how can I deny a group of users with a particular
role to all protected pages even if they can provide correct combination of
username/password?
Would it also be possible to change the behavior of the
combinedRealm/LockoutRealm such that if username is found in prior realm and
password is incorrect, then it skips the other realms? It only look into the
other realms if username is not found in prior realms.
Please advise. Appreciate it!
Regards,
Clement
