[jboss-user] [Security & JAAS/JBoss] - Multiple security constraint for multiple roles

jadtn@laposte.net do-not-reply at jboss.com
Wed Nov 1 05:32:19 EST 2006


Hi,
I have some paths on my web app:
http://localhost:8080/administrator/ -> for admin only
http://localhost:8080/menberlogged/ -> for the member
http://localhost:8080/pub/ -> everybody

I log the user in with JAAS, but when I want to access a secure page, I am redirected to the login page (administrator with role administrator or menberlogged with role member).

Is there a mistake in my web.xml?
Is it right to have 2 security-constraint?
Thanks for your help

<security-domain>java:/jaas/mySite</security-domain>

<security-constraint>
	<web-resource-collection>
		<web-resource-name>ResourceAdministrator</web-resource-name>
		<description>Declarative security tests</description>
		<url-pattern>/administrator/*</url-pattern>
		<http-method>HEAD</http-method>
		<http-method>GET</http-method>
		<http-method>POST</http-method>
		<http-method>PUT</http-method>
		<http-method>DELETE</http-method>
	</web-resource-collection>
	<auth-constraint>
		<role-name>administrator</role-name>
	</auth-constraint>
	<user-data-constraint>
		<description>no description</description>
		<transport-guarantee>NONE</transport-guarantee>
	</user-data-constraint>
</security-constraint>

<security-constraint>
	<web-resource-collection>
		<web-resource-name>ResourceMember</web-resource-name>
		<description>Declarative security tests</description>
		<url-pattern>/menberlogged/*</url-pattern>
		<http-method>HEAD</http-method>
		<http-method>GET</http-method>
		<http-method>POST</http-method>
		<http-method>PUT</http-method>
		<http-method>DELETE</http-method>
	</web-resource-collection>
	<auth-constraint>
		<role-name>member</role-name>
	</auth-constraint>
	<user-data-constraint>
		<description>no description</description>
		<transport-guarantee>NONE</transport-guarantee>
	</user-data-constraint>
</security-constraint>

<security-role>
	<description>A member</description>
	<role-name>member</role-name>
</security-role>

<security-role>
	<description>Has the rights to validate or invalidate a listing</description>
	<role-name>administrator</role-name>
</security-role>

<login-config>
	<auth-method>FORM</auth-method>
	<realm-name>java:/jaas/mySite</realm-name><!-- lorizon is the name in the server conf login config -->
	<form-login-config>
		<form-login-page>/index.jsp</form-login-page><!-- path to login page -->
		<form-error-page>/index.jsp</form-error-page><!-- path in case login fails -->
	</form-login-config>
</login-config>

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3982338#3982338

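As an added example (not from the post or from JBoss), a small Python model of how a servlet container resolves several security-constraint elements: the most specific matching url-pattern wins, constraints on that pattern union their roles, an empty auth-constraint denies everyone and a missing one opens the resource. It also shows the caveat that a web-resource-collection listing http-method elements covers only those methods, so any method not listed is left unconstrained. The web.xml content is constructed from the two constraints in the post with the method list shortened; the matching rules follow the Servlet spec in simplified form.

```python
import xml.etree.ElementTree as ET
# Constructed web.xml modelled on the post's two constraints (method list shortened).
CONSTRAINT = """<security-constraint><web-resource-collection>
 <web-resource-name>{name}</web-resource-name><url-pattern>{url}</url-pattern>
 <http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
 <auth-constraint><role-name>{role}</role-name></auth-constraint></security-constraint>"""
WEB_XML = "<web-app>%s%s</web-app>" % (
    CONSTRAINT.format(name="ResourceAdministrator", url="/administrator/*", role="administrator"),
    CONSTRAINT.format(name="ResourceMember", url="/menberlogged/*", role="member"))

def _rank(pattern, path):
    """Specificity of a url-pattern for path (None = no match):
    exact > longest path prefix > extension > default '/'."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    elif pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def required_roles(web_xml, path, method):
    """Roles allowed for (path, method) after merging the constraints on the most
    specific matching pattern: None = unconstrained, empty set = nobody."""
    hits = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else {r.text.strip() for r in ac.findall("role-name")}
        for wrc in sc.findall("web-resource-collection"):
            # a collection that lists http-methods covers only those methods
            methods = {m.text.strip() for m in wrc.findall("http-method")}
            if methods and method not in methods:
                continue
            ranks = [_rank(p.text.strip(), path) for p in wrc.findall("url-pattern")]
            if any(r is not None for r in ranks):
                hits.append((max(r for r in ranks if r is not None), roles))
    if not hits:
        return None
    best = max(rank for rank, _ in hits)
    merged = [roles for rank, roles in hits if rank == best]
    if None in merged:  # a constraint with no auth-constraint opens the resource
        return None
    return set() if set() in merged else set().union(*merged)  # empty constraint: deny all

def is_allowed(web_xml, path, method, user_roles):
    req = required_roles(web_xml, path, method)
    return req is None or bool(req & set(user_roles))
```

With the post's layout each area requires exactly its own role and /pub/ stays open, while an OPTIONS request to /administrator/ is unconstrained because that method is not listed.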