jetty 8 web.xml: Allow low-privilege user to access just one page, admin user required for all others via security-constraints

Question

I want to secure my web app such that only the "admin" user can access all of the pages, but a special "test" user can access the status page.

Here is what I've tried:

In web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything else</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Status page</web-resource-name>
      <url-pattern>/status/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>test</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>     <!-- Use http basic authentication -->
    <realm-name>MyApp Realm</realm-name>  <!-- users are defined in this realm -->
  </login-config>

Unfortunately, when I tried to access the status page ( https://localhost:444/app-0.0.1-SNAPSHOT/hbr/status ) with the test user I get the following:

Problem accessing /app-0.0.1-SNAPSHOT/hbr/status. Reason: 
     !role

Any idea how I can fix this?

Answer 1

It turns out that the "status" page is not at the root of the app, but part of a subservice called "hbr" ("hbr" the only subservice, which is why I didn't notice). The following change to the second security-constraint causes the app to work as expected:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Status page</web-resource-name>
      <url-pattern>hbr/status/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>test</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>