Posted to user@struts.apache.org by Vinicius Caldeira Carvalho <vi...@squadra.com.br> on 2005/05/06 21:52:15 UTC

Slightly OT: web security-constraints

I was wondering... I have this configuration on my web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Actions</web-resource-name>
        <description>Actions</description>
        <url-pattern>*.do</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>usuarios permitidos</description>
        <role-name>Administrador</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>Encryption is not required for the application in general.</description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Which prevents the user from accessing resources without being authenticated. 
Is it possible to create a pattern to exclude some of them? Like 
login/*.do would not require the user to be authenticated in order to be accessed?

Thanks a lot

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Re: Slightly OT: web security-constraints

Posted by Adam Hardy <ah...@cyberspaceroad.com>.
On 06/05/05 20:52 Vinicius Caldeira Carvalho wrote:
>      <auth-constraint>
>        <description>usuarios permitidos</description>
>        <role-name>Administrador</role-name>
>      </auth-constraint>
> 
> Which prevents the user from accessing resources without being authenticated. 
> Is it possible to create a pattern to exclude some of them? Like 
> login/*.do would not require the user to be authenticated in order to be accessed?

It prevents anyone who is not an administrator from accessing any URLs 
with *.do. It would combine with your login & error pages, which you 
also specify here. It forces a login. This is container-managed security.

Presumably you have lots of html pages and possibly some struts actions 
that are mapped to a different URL pattern?

The fact that you mention 'login/*.do' suggests that you don't want to 
use container-managed security, rather you want to do it in your app 
yourself? In that case you wouldn't use security constraints in your 
web.xml.


Adam
-- 
struts 1.2 + tomcat 5.0.19 + java 1.4.2
Linux 2.4.20 Debian
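An added example, not from either poster, showing how the question can be answered while staying with container-managed security: the Servlet 2.4 container matches a request against an exact url-pattern first, then the longest path prefix, then an extension, so a second security-constraint with a path-prefix pattern and no auth-constraint leaves that prefix open while the rest of *.do stays behind the Administrador role. The /login/* prefix, the login and error page paths and the FORM auth-method are assumptions.

```xml
<!-- Added example for web.xml; /login/* and the page names are assumed. -->

<!-- 1. Everything matching *.do still requires the Administrador role.
     No <http-method> elements here on purpose: listing only GET and POST
     leaves every other method (HEAD, PUT, DELETE, ...) outside the constraint. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Actions</web-resource-name>
    <url-pattern>*.do</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Administrador</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- 2. A request for /login/anything.do matches this path-prefix pattern,
     and a path-prefix match wins over the *.do extension match, so only
     this constraint applies. Having no <auth-constraint> at all means
     "no authentication needed". An EMPTY <auth-constraint/> would mean
     the opposite: no role may access the resource. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public login actions</web-resource-name>
    <url-pattern>/login/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- The container itself forwards to the login and error pages when it
     needs a login, so they are served without a separate exclusion. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login/login.jsp</form-login-page>
    <form-error-page>/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Declare the role the constraint refers to. -->
<security-role>
  <role-name>Administrador</role-name>
</security-role>
```

Keep the open prefix as small as possible: anything placed under /login/ is reachable without a session, so it should hold only the login form and the action that processes it.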
