On Sat, Oct 15, 2011 at 11:49 AM, Brian Burch <br...@pingtoo.com> wrote:
> On 15/10/11 14:47, Yogesh Shankarappa wrote:
>
>> Thanks for your response. I tried your suggestion, unfortunately it did
>> not work.
>> There must be a solution for this as most web applications have both
>> public and protected URLs.
>>
>>>> *public URLs*
>>>> <security-constraint>
>>>>   <web-resource-collection>
>>>>     <web-resource-name>Unprotected</web-resource-name>
>>>>     <url-pattern>/public/welcome.html</url-pattern>
>>>>   </web-resource-collection>
>>>> </security-constraint>
>>>>
>>>> Thanks in advance.
>>>>
>>>> Thanks
>>>> Yogesh
>>>
>>> Try to do like this for public urls
>>> Put an empty auth-constraint Tag
>>>
>>> *public URLs*
>>>> <security-constraint>
>>>>   <web-resource-collection>
>>>>     <web-resource-name>Unprotected</web-resource-name>
>>>>     <url-pattern>/public/welcome.html</url-pattern>
>>>>   </web-resource-collection>
>>>>   <auth-constraint />
>>>> </security-constraint>
>>>
>>> Reference:- http://java.dzone.com/articles/understanding-web-security
>>>
>>> ---------------------------------------------------------------------
>
> Here is an extract from a web.xml that does what you want... it is the
> presence of a security constraint WITHOUT an auth constraint AT ALL that
> denotes public, unauthenticated access.
>
> (Note... don't forget to permit access to the webapp base url if you have
> turned off directory browsing and you want the default servlet to redirect
> to your welcome page).
>
> <security-constraint>
>   <display-name>Free Access</display-name>
>   <web-resource-collection>
>     <web-resource-name>unauthed users can GET only</web-resource-name>
>     <!-- Define the context-relative URLs to be unprotected -->
>     <!-- must unprotect base url to permit redirect to welcome! -->
>     <url-pattern>/</url-pattern>
>     <url-pattern>/myAccessControl.html</url-pattern>
>     <url-pattern>/myError.jsp</url-pattern>
>     <http-method>GET</http-method>
>   </web-resource-collection>
>   <!-- absence of <auth-constraint> means anyone at all can access this area -->
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> <security-constraint>
>   <display-name>Restricted Access</display-name>
>   <web-resource-collection>
>     <web-resource-name>Protected web application</web-resource-name>
>     <!-- Define the context-relative URL(s) to be protected -->
>     <url-pattern>/*</url-pattern>
>     <!-- no list of http methods, so ALL methods are protected -->
>   </web-resource-collection>
>   <auth-constraint>
>     <!-- Only someone authenticated with one of these roles can access this area -->
>     <role-name>manager</role-name>
>     <role-name>family</role-name>
>   </auth-constraint>
> </security-constraint>
>
> Hope this sorts out your problem - when I had something similar it drove me
> nuts reading the servlet specs and the tomcat docs to work out exactly how
> to do it.
>
> Brian

Thanks for your help, Brian. It worked !!!

Yogesh
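
An added example, not part of the thread: a small Python check that classifies each `<security-constraint>` in a web.xml by the three `<auth-constraint>` shapes that appear above (absent, empty, naming roles). Under the Servlet specification an empty `<auth-constraint/>` denies all access, while a missing one leaves the resource public. The sample web.xml is constructed from the snippets in the thread, and the function names and verdict labels are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the three <auth-constraint> shapes seen in the thread.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/public/welcome.html</url-pattern>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def local(tag):  # drop any '{namespace}' prefix so namespaced web.xml files work
    return tag.rsplit("}", 1)[-1]

def texts(parent, name):  # stripped text of every descendant element called `name`
    return [e.text.strip() for e in parent.iter() if local(e.tag) == name and e.text]

def classify_constraints(web_xml):
    """Return (url_patterns, http_methods, verdict) for each <security-constraint>."""
    results = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        roles = texts(sc, "role-name")
        if not any(local(e.tag) == "auth-constraint" for e in sc):
            verdict = "public"        # no <auth-constraint> at all: anyone may access
        elif not roles:
            verdict = "deny-all"      # empty <auth-constraint/>: nobody may access
        else:
            verdict = "roles:" + ",".join(roles)
        results.append((texts(sc, "url-pattern"), texts(sc, "http-method") or ["ALL"], verdict))
    return results

if __name__ == "__main__":
    for patterns, methods, verdict in classify_constraints(SAMPLE_WEB_XML):
        print(f"{verdict:15} {','.join(methods):5} {' '.join(patterns)}")
```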