Hi,
I am trying to secure my application using the JSR-250 Security Annotations.
I have a setup as follows:
A tomcat-users.xml file:
<tomcat-users>
  <role rolename="role1"/>
  <role rolename="role2"/>
  <user username="user1" password="pass1" roles="role1"/>
  <user username="user2" password="pass2" roles="role2"/>
</tomcat-users>
So I am deploying to Tomcat using the MemoryRealm as I defined in the
META-INF/context.xml:
<Realm className="org.apache.catalina.realm.MemoryRealm" debug="99"
pathname="<<<Full Path To tomcat-users.xml>>>"/>
web.xml:
<security-constraint>
  <web-resource-collection>
    <url-pattern>/resources/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <role-name>role1</role-name>
</security-role>
<security-role>
  <role-name>role2</role-name>
</security-role>
So I assume by this configuration that both role1 and role2 are allowed to
access /resources/* and further authorization will be done via the
Annotations Handling. (?)
And finally in one of my resources I have @RolesAllowed("role1").
The problem is that both users (so both roles) are able to access the
resource after authentication. However, I only expect user1 to be able to
access the resource.
Do I need any further configuration to make this work?
Thanks.
--
Ersin