Hello

I have a problem with defining <auth-constraint> in the web.xml of my Java 
project. I defined several user roles, which have access to several 
<url-pattern>. Here is a part of the XML in which I define patterns that can 
be accessed by every role.

       <security-constraint>
             <web-resource-collection>
                    <web-resource-name>Webservice for everyone</web-resource-name>
                    <url-pattern>/push</url-pattern>
                    <url-pattern>/rest/version/*</url-pattern>
                    <url-pattern>/rest/lizenz/*</url-pattern>
                    <url-pattern>/rest/device</url-pattern>
                    <url-pattern>/rest/device/*</url-pattern>
                    <url-pattern>/rest/eventlog/*</url-pattern>
             </web-resource-collection>
             <auth-constraint>
                    <role-name>role 1</role-name>
                    <role-name>role 2</role-name>
                    <role-name>role 3</role-name>
             </auth-constraint>
       </security-constraint>

Up to here, everything works fine. Now I want to be sure not to make any mistake 
when I add a new URL, so I need to refuse access by default to any other URL. 
This is how I do it.

       <security-constraint>
             <web-resource-collection>
                    <web-resource-name>Everything forbidden</web-resource-name>
                    <url-pattern>/*</url-pattern>
             </web-resource-collection>
             <auth-constraint />
       </security-constraint>


Now I have a strange problem. I can access any URL under /rest/device/* without 
any problem. When I try to access /rest/device I get the error 403 Forbidden. 
On /rest/device/* I'm using GET and on /rest/device I'm using POST. Has 
anyone had a similar problem? I'm using Tomcat 7.0.

Thanks in advance,
Michael