struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Navjot Singh" <navjo...@net4india.net>
Subject RE: [OT] - Realm Security - How to set overlapping constraints?
Date Mon, 07 Jul 2003 05:20:05 GMT
Thanks Craig,

Reversing the order of constraints does work. I should have RTFM.

But now, there is another problem.
When "user" is authenticated once, and then i accessed a resource that needs
login to "admin". It simply throws 403.
Can't it throw LOGIN PAGE? I can replace the default 403 page with my LOGIN
page but i guess that wouldn't be the right solution.

If i move my role constraints to struts-config, think i can handle that in
my actions then. Am i right?

regards
Navjot Singh


|-----Original Message-----
|From: Craig R. McClanahan [mailto:craigmcc@apache.org]
|Sent: Saturday, July 05, 2003 11:37 PM
|To: Struts Users Mailing List
|Subject: Re: [OT] - Realm Security - How to set overlapping constraints?
|
|On Sat, 5 Jul 2003, Navjot Singh wrote:
|
|> Date: Sat, 5 Jul 2003 21:39:34 +0530
|> From: Navjot Singh <navjot.s@net4india.net>
|> Reply-To: Struts Users Mailing List <struts-user@jakarta.apache.org>
|> To: Struts Users Mailing List <struts-user@jakarta.apache.org>
|> Subject: [OT] - Realm Security - How to set overlapping constraints?
|>
|> hi,
|>
|> It may be quite simple but it's not working for me.
|>
|> I have a set of servlets
|> /myapp/p/ab.do
|> /myapp/p/groups.do
|> /myapp/p/contacts.do
|>
|> AND I want all of them to be accessible to roles "user" and "admin".
|>
|> There is 1 more servlet that MUST be accessible ONLY to "admin"
|> /myapp/p/status.do
|>
|> I am setting config like given below.
|> But still, "user" roles are being able to access status.do
|>
|> What am i doing wrong?
|>
|> thanks for any help
|> -navjot singh
|>
|> __My XML Declarations__
|>
|> <security-constraint>
|> 	<web-resource-collection>
|> 	  <web-resource-name>Protected</web-resource-name>
|> 	  <url-pattern>*.do</url-pattern>
|> 	  <http-method>GET</http-method>
|> 	  <http-method>POST</http-method>
|> 	</web-resource-collection>
|> 	<auth-constraint>
|> 	  <role-name>user</role-name>
|> 	  <role-name>admin</role-name>
|> 	</auth-constraint>
|> </security-constraint>
|
|The list of security roles inside an <auth-constraint> is an *or* list, so
|the container is doing exactly what you told it to do -- allow anyone with
|either "user" or "admin" to access all "*.do" URLs.
|
|>
|> <security-constraint>
|> 	<web-resource-collection>
|> 	  <web-resource-name>Show Status</web-resource-name>
|> 	  <url-pattern>/p/status.do</url-pattern>
|> 	  <http-method>GET</http-method>
|> 	  <http-method>POST</http-method>
|> 	</web-resource-collection>
|> 	<auth-constraint>
|> 	  <role-name>admin</role-name>
|> 	</auth-constraint>
|> </security-constraint>
|>
|
|The fact that this one is second means that it will never get used,
|because "/p/status.do" satisfies the matching pattern on the first test.
|Try reversing your constraints.
|
|Another alternative is to do some of the role-based protection on Struts
|actions in struts-config.xml instead, by using the "role" attribute on the
|<action> element.  That way, you can have just your first constraint above
|(the one matching "*.do") to force people to log on, and then do fine
|grained control at the Struts level.
|
|>   <security-role>
|> 	  <role-name>admin</role-name>
|>   </security-role>
|>
|>   <security-role>
|> 	  <role-name>user</role-name>
|>   </security-role>
|>
|
|Craig
|
|---------------------------------------------------------------------
|To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
|For additional commands, e-mail: struts-user-help@jakarta.apache.org
|
|


---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Mime
View raw message