Posted to users@tomcat.apache.org by "Colic, Alex" <al...@rbc.com> on 2002/08/30 16:23:38 UTC

How to set up a security constraint?

Hi,

I have a web site with the following directory structure:

root/admin/sysop.

I only want certain people to have access to the admin section and only
other people to have access to the sysop section.

I have created two users in the tomcat-users.xml file:

  <role rolename="sysop"/>
  <role rolename="admin"/>
  <user username="admin" password="test1" roles="admin"/>
  <user username="sysop" password="test2" roles="sysop"/>

In the server.xml file I have uncommented the:

<Realm className="org.apache.catalina.realm.MemoryRealm" /> line.

Then in the web.xml file I have added the following:

  <security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin Pages</web-resource-name>
        <url-pattern>/admin</url-pattern>
     </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
   </security-constraint>

  <security-constraint>
    <web-resource-collection>
        <web-resource-name>Sysop Pages</web-resource-name>
        <url-pattern>/admin/sysop/*</url-pattern>
     </web-resource-collection>
    <auth-constraint>
        <role-name>sysop</role-name>
    </auth-constraint>
   </security-constraint>

   <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Admin Pages</realm-name>
   </login-config>

   <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Sysop Pages</realm-name>
   </login-config>

This is where my problem is. User admin and sysop can access both the admin
and the sysop sections. I must have set the security constraint incorrectly.
Can someone please point out what is wrong?

Thanks

Alex
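Added example, not part of the post above and not Tomcat's own code: a small Python model of the url-pattern matching rules a servlet container applies when choosing which security constraint governs a request (exact match first, then the longest `/…/*` path prefix, then `*.ext`, then the `/` default, with every constraint that shares the winning pattern combined). It evaluates the constraints exactly as posted against a few constructed request paths, and alongside them a variant that uses `/admin/*` instead of `/admin`, so the effect of the exact-match pattern on pages underneath `/admin` can be seen. The request paths, the user list and the one-request-at-a-time simplification are assumptions made for the example.

```python
"""Simplified model of servlet security-constraint matching.

Assumptions (not from the original post): requests are evaluated one at a
time, roles come straight from a dict, and only url-pattern semantics plus
role checks are modelled; <login-config> and the realm are ignored.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Constraint:
    name: str            # <web-resource-name>
    patterns: tuple      # <url-pattern> values
    roles: frozenset     # <role-name> values allowed by <auth-constraint>


def match_score(pattern, path):
    """Return a comparable score for how specifically `pattern` matches
    `path`, or None when it does not match at all.

    Higher scores win, mirroring the servlet-spec precedence:
    exact match > longest path prefix ("/x/*") > extension ("*.jsp") > "/".
    A pattern such as "/admin" with no trailing "/*" is an exact match only,
    so it says nothing about "/admin/index.jsp".
    """
    if pattern == "/":
        return (0, 0)
    if pattern.startswith("*."):
        return (1, 0) if path.endswith(pattern[1:]) else None
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
        return None
    return (3, 0) if path == pattern else None


def applicable_constraints(constraints, path):
    """All constraints whose best-matching pattern ties for the top score."""
    best, chosen = None, []
    for c in constraints:
        for p in c.patterns:
            score = match_score(p, path)
            if score is None:
                continue
            if best is None or score > best:
                best, chosen = score, [c]
            elif score == best and c not in chosen:
                chosen.append(c)
    return chosen


def access_allowed(constraints, path, user_roles):
    """True when the request is unconstrained or the user holds a role that
    at least one of the governing constraints permits."""
    chosen = applicable_constraints(constraints, path)
    if not chosen:
        return True          # no constraint applies: anyone, even anonymous
    allowed = set().union(*(c.roles for c in chosen))
    return bool(allowed & set(user_roles))


# The two constraints exactly as they appear in the post.
AS_POSTED = [
    Constraint("Admin Pages", ("/admin",), frozenset({"admin"})),
    Constraint("Sysop Pages", ("/admin/sysop/*",), frozenset({"sysop"})),
]

# Same constraints, but the admin pattern covers the whole subtree.
CORRECTED = [
    Constraint("Admin Pages", ("/admin/*",), frozenset({"admin"})),
    Constraint("Sysop Pages", ("/admin/sysop/*",), frozenset({"sysop"})),
]

# Constructed users: the two from tomcat-users.xml plus an unauthenticated one.
USERS = {"admin": ("admin",), "sysop": ("sysop",), "anonymous": ()}

# Constructed request paths used to probe each configuration.
PATHS = ("/admin", "/admin/index.jsp", "/admin/sysop/index.jsp")


def access_matrix(constraints, paths=PATHS):
    """Map (user, path) -> allowed? for every user and probe path."""
    return {(user, path): access_allowed(constraints, path, roles)
            for user, roles in USERS.items() for path in paths}


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("with /admin/*", CORRECTED)):
        print(f"--- {label} ---")
        for (user, path), ok in access_matrix(cfg).items():
            print(f"{user:>9} {path:<24} {'allowed' if ok else 'denied'}")
```

Running it shows that, as posted, `/admin` itself is restricted to the admin role but `/admin/index.jsp` matches no constraint and is served to any user, anonymous included, while `/admin/sysop/*` is already restricted to sysop; with `/admin/*` every page under `/admin` requires the admin role and the longer `/admin/sysop/*` prefix still takes precedence for the sysop subtree. The model ignores `<login-config>`; note that web.xml permits at most one such element, and both of the posted entries use BASIC in any case.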

