Posted to user@struts.apache.org by Vinicius Caldeira Carvalho <vi...@squadra.com.br> on 2005/05/06 21:52:15 UTC
Slightly OT: web security-constraints
I was wondering... I have this configuration on my web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Actions</web-resource-name>
    <description>Actions</description>
    <url-pattern>*.do</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>usuarios permitidos</description>
    <role-name>Administrador</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>Encryption is not required for the application in general.</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Which prevents the user from accessing resources without being authenticated.
Is it possible to create a pattern to exclude some of them? Like
login/*.do would not require the user to be authenticated to be accessed?
Thanks a lot
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org
Re: Slightly OT: web security-constraints
Posted by Adam Hardy <ah...@cyberspaceroad.com>.
On 06/05/05 20:52 Vinicius Caldeira Carvalho wrote:
> <auth-constraint>
>   <description>usuarios permitidos</description>
>   <role-name>Administrador</role-name>
> </auth-constraint>
>
> Which prevents the user from accessing resources without being authenticated.
> Is it possible to create a pattern to exclude some of them? Like
> login/*.do would not require the user to be authenticated to be accessed?
It prevents anyone who is not an administrator from accessing any URLs
with *.do. It would combine with your login & error pages, which you
also specify here. It forces a login. This is container-managed security.
Presumably you have lots of html pages and possibly some struts actions
that are mapped to a different URL pattern?
The fact that you mention 'login/*.do' suggests that you don't want to
use container-managed security, rather you want to do it in your app
yourself? In that case you wouldn't use security constraints in your
web.xml.
Adam
--
struts 1.2 + tomcat 5.0.19 + java 1.4.2
Linux 2.4.20 Debian
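
Added example, not part of either poster's message: a Servlet url-pattern is an exact path, a path prefix (/login/*) or an extension (*.do), so login/*.do is not a valid pattern. One way to exempt a group of actions is a second constraint with no auth-constraint on a path prefix, which is a better match than *.do; the /login/* path and the resource names below are assumptions.

```xml
<!-- Added example; goes inside <web-app>. The /login/* path and the
     web-resource-name values are assumptions, not taken from the thread. -->

<!-- Protected: every *.do action requires the Administrador role.
     There are no <http-method> elements, so the constraint covers all
     HTTP methods rather than only GET and POST. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Actions</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Administrador</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Public: no <auth-constraint> element at all, so no authentication is
     required. The container applies the constraints of the best-matching
     url-pattern, and a path prefix beats an extension, so a request for
     /login/anything.do is governed by this constraint, not the one above. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public login actions</web-resource-name>
    <url-pattern>/login/*</url-pattern>
  </web-resource-collection>
</security-constraint>
```

The auth-constraint must be absent, not empty: an empty <auth-constraint/> denies all access. Everything under /login/ becomes public, not only the .do requests.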