I want to secure my web app such that only the "admin" user can access all of the pages, but a special "test" user can access the status page.
Here is what I've tried:
In web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Everything else</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Status page</web-resource-name>
<url-pattern>/status/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>test</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method> <!-- Use http basic authentication -->
<realm-name>MyApp Realm</realm-name> <!-- users are defined in this realm -->
</login-config>
Unfortunately, when I tried to access the status page ( https://localhost:444/app-0.0.1-SNAPSHOT/hbr/status ) with the test user I get the following:
Problem accessing /app-0.0.1-SNAPSHOT/hbr/status. Reason:
!role
Any idea how I can fix this?
It turns out that the "status" page is not at the root of the app, but part of a subservice called "hbr" ("hbr" the only subservice, which is why I didn't notice). The following change to the second security-constraint causes the app to work as expected:
<security-constraint>
<web-resource-collection>
<web-resource-name>Status page</web-resource-name>
<url-pattern>hbr/status/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>test</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.