struts-user mailing list archives

From Adam Hardy <>
Subject Re: Slightly OT: web security-constraints
Date Sat, 07 May 2005 19:21:38 GMT
On 06/05/05 20:52 Vinicius Caldeira Carvalho wrote:
>      <auth-constraint>
>        <description>usuarios permitidos</description>
>        <role-name>Administrador</role-name>
>      </auth-constraint>
> Which prevents the user from accessing resources without being authenticated.
> Is it possible to create a pattern to exclude some of them? Like
> login/*.do would not require the user being authenticated to be accessed?

It prevents anyone who is not an administrator from accessing any URLs 
with *.do. It would combine with your login & error pages, which you 
also specify here. It forces a login. This is container-managed security.

Presumably you have lots of HTML pages and possibly some Struts actions
that are mapped to a different URL pattern?

The fact that you mention 'login/*.do' suggests that you don't want to 
use container-managed security, rather you want to do it in your app 
yourself? In that case you wouldn't use security constraints in your 

struts 1.2 + tomcat 5.0.19 + java 1.4.2
Linux 2.4.20 Debian
