Posted to users@tomcat.apache.org by Jill Stephenson <ji...@jabcreative.com> on 2001/04/10 00:10:09 UTC

Multiple protected areas

Hi,

I am trying to implement the following scenario without
success and would like to hear of anyone's experience
with this ...  I am using Tomcat 3.2.1.

In its simplest form I have 2 pages, each protected by
their own role which has one user, i.e.,
Page1.html requires role1 which user1 has
Page2.html requires role2 which user2 has.

The relevant section of my web.xml looks like:
  <!-- FORM authentication: Tomcat redirects unauthenticated requests
       to the login page and failed logins to the error page -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Secure</realm-name>
    <form-login-config>
      <form-login-page>/login/login.jsp</form-login-page>
      <form-error-page>/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Area 1: only users in Role1 may fetch /Page1.html -->
  <security-constraint>
    <web-resource-collection>
       <web-resource-name>Area 1</web-resource-name>
       <url-pattern>/Page1.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>Role1</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Area 2: only users in Role2 may fetch /Page2.html -->
  <security-constraint>
    <web-resource-collection>
       <web-resource-name>Area 2</web-resource-name>
       <url-pattern>/Page2.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>Role2</role-name>
    </auth-constraint>
  </security-constraint>

I follow these steps:
1. request Page1.html
2. I get presented with the login page and I login
   using user1 and get the requested page.
   As expected.
3. request Page2.html
4. I get presented with the error page as the current
   user (user1) does not have the required role (role2).
   As expected.
5. follow the link to the login page (the login and error
   pages are as copied from the security demo).
6. login using user2.  This fails!  Not as expected ...
   I can now only login as user1 and get Page1.html.

What seems to be happening is that by the time of the
final authentication, the originally requested
page and required role have been overwritten by the
first page and role.  Hence I can never get to Page2.

I have heard that there is some problem with
invalidating sessions, is that what is happening here
or is my configuration incorrect?  Any help would be
appreciated.

----
Jill
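As an added example (not code from the original post or from Tomcat itself): with FORM authentication the authenticated user is bound to the HTTP session, so switching from user1 to user2 means ending that session first. The servlet below, with the hypothetical name LogoutServlet and written against the Servlet 2.2 API that Tomcat 3.x implements, invalidates the session and sends the browser back to a path inside the web application, where the matching security constraint triggers a fresh login.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical logout servlet (not part of the original post).
// Invalidating the session drops the authenticated principal, so the
// next request to a protected page starts a new login and a different
// user (user2) can satisfy the Role2 constraint on Page2.html.
public class LogoutServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();   // ends the user1 login
        }

        // Where to send the browser next, e.g. /logout?next=/Page2.html
        String next = req.getParameter("next");
        if (next == null || !isLocalPath(next)) {
            next = "/";             // fall back to the app root
        }
        resp.sendRedirect(req.getContextPath() + next);
    }

    // Accept only an absolute path within this context; reject
    // "//host" and scheme-prefixed values that would redirect off-site.
    static boolean isLocalPath(String p) {
        return p.startsWith("/") && !p.startsWith("//")
            && p.indexOf(':') < 0 && p.indexOf('\\') < 0;
    }
}
```

Map it in web.xml with a `<servlet>` and `<servlet-mapping>` entry (for example to `/logout`) and link to it from the error page so the "wrong user" case can be recovered without closing the browser.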