1. Re: How do I restrict access to a webapp resource?
sildani Aug 30, 2002 4:29 PM (in response to sildani)
After doing some research, I figured out how to use the security-constraint element in web.xml to serve my particular purpose.
Security constraint simply makes sure that before the declared resource is reached, the user is authenticated as belonging in a particular role. Therefore what I did was declare a role that I would intentionally never use and applied the constraints to that particular role. The result is those resources get restricted, albeit in an unnatural way.
Here is the final snippet of code used in my web.xml file:
<!-- Security constraint on certain resources -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Images</web-resource-name>
    <url-pattern>/images</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Images</web-resource-name>
    <url-pattern>/images/</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Attachments</web-resource-name>
    <url-pattern>/attachments</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Attachments</web-resource-name>
    <url-pattern>/attachments/</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Etc</web-resource-name>
    <url-pattern>/etc</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <web-resource-collection>
    <web-resource-name>Etc</web-resource-name>
    <url-pattern>/etc/</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>neverauth</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>neverauth</role-name>
</security-role>
If there is a problem with this way, please let me know your thoughts!
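
Added example (not part of the original post, and not code from any project): a Python check that audits a `web.xml` for two properties of the constraint posted above, namely that `<http-method>` entries limit a constraint to the listed methods and that a `url-pattern` without a trailing `/*` matches only that exact path. The function names, issue labels and shortened sample are constructed for illustration, and the parser assumes a descriptor without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a shortened form of the constraint in the post above.
SAMPLE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Images</web-resource-name>
      <url-pattern>/images</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <web-resource-collection>
      <web-resource-name>Images</web-resource-name>
      <url-pattern>/images/</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>neverauth</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>neverauth</role-name></security-role>
</web-app>"""

def pattern_kind(pattern):
    """Classify a url-pattern by the Servlet mapping rules."""
    if pattern.endswith("/*"):
        return "prefix"
    if pattern.startswith("*."):
        return "extension"
    return "default" if pattern == "/" else "exact"

def audit(xml_text):
    """Return (resource name, url-pattern, issue) tuples for a web.xml body."""
    findings = []
    for wrc in ET.fromstring(xml_text).iter("web-resource-collection"):
        name = wrc.findtext("web-resource-name", "").strip()
        methods = [m.text.strip().upper() for m in wrc.iter("http-method")]
        for node in wrc.iter("url-pattern"):
            pattern = node.text.strip()
            if methods:  # only the listed methods are constrained
                findings.append((name, pattern, "unlisted-methods-unconstrained"))
            if pattern_kind(pattern) == "exact":  # paths below it are not covered
                findings.append((name, pattern, "exact-match-only"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Under the Servlet specification an `<auth-constraint/>` with no `<role-name>` denies all access, so the same restriction can be expressed without a placeholder role.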