Trying to set up multiple users, multiple roles in Tomcat
843841, Aug 11 2003 (edited Aug 11 2003)
I've been learning webapps by making a webapp for the school where my wife works -- to manage assigning students to the rotating schedule of art periods throughout the year. Lots of fun and very good learning. I bought a Tomcat book, installed Tomcat 4.1.24, and have been writing html, jsp's, servlets, etc.
I've got a good deal of it working. Now I see that there will be areas of the app where it makes sense to restrict access to only those who have the roles -- the teacher who does the basic assignments work will have "manage" role, my wife who works in admissions will have "admin" access to the areas that allow students to be added to the database, general users will have access to areas where information is available but they can't change things. That sort of security planning.
I'm not worried about industrial strength security. It's a nice place, no big security worries with the students, it's not on the web, just the school's local network. So I plan to use Tomcat's BASIC auth, and I've tried to set it up in the tomcat-users.xml and the webapp's web.xml.
So I have 3 roles in tomcat-users.xml - user, manage, and admin. There would be a general user, named "user" with user role. That one could get in to the opening page, and to any other page not further restricted. The teacher would have "user" role to get in, and "manage" role to get to those pages that involve assignment tasks. My wife would have "user" to get in, and "admin" for admin stuff. A user would be blocked at the "secure" pages, but having logged in with both roles, the teacher and my wife would get them without further authentication.
<tomcat-users>
  <role rolename="user"/>
  <role rolename="manage"/>
  <role rolename="admin"/>
  <user username="user" password="userhat" roles="user"/>
  <user username="hillary" password="managehat" roles="user,manage"/>
  <user username="susan" password="adminhat" roles="user,admin"/>
</tomcat-users>
In the web.xml, I thought I could set up 2 different "security areas" in the web.xml, as a "proof of concept" exercise.
<security-constraint>
  <display-name>Entry Level Security</display-name>
  <web-resource-collection>
    <web-resource-name>Open Pages</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <display-name>Art Blocks Secure Pages</display-name>
  <web-resource-collection>
    <web-resource-name>Secure Pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>manage</role-name>
  </auth-constraint>
</security-constraint>
However, I find that the general user, after passing the BASIC authentication popup, gets the opening page, but then can get to the admin stuff without any further popups. I must be missing something.
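The following web.xml fragment is an added example, not part of the original post, showing the same two constraints with the restricted area declared before the catch-all. The point it demonstrates: both url-patterns match a request for /secure/anything, and Tomcat 4.1 enforces the first <security-constraint> in declaration order whose pattern matches, so with /* listed first the "user" role is all that is ever checked for the secure pages. Listing /secure/* first makes that area answer to admin/manage, and /* still covers everything else (later servlet containers pick the most specific matching pattern instead, which gives the same result with this ordering). The <login-config> and <security-role> elements are what the post's BASIC-auth setup needs; the realm name "Art Blocks" is an assumed value.

```xml
<!-- Added example, not the poster's web.xml. Order matters: the more
     specific constraint is declared first so it is the one enforced
     for /secure/* requests. -->
<security-constraint>
  <display-name>Art Blocks Secure Pages</display-name>
  <web-resource-collection>
    <web-resource-name>Secure Pages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- only these roles reach /secure/*; a plain "user" gets 403 -->
    <role-name>admin</role-name>
    <role-name>manage</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <display-name>Entry Level Security</display-name>
  <web-resource-collection>
    <web-resource-name>Open Pages</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- everyone, including hillary and susan, also holds "user" -->
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- BASIC auth against the users in tomcat-users.xml.
     The realm name is an assumption; any string works. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Art Blocks</realm-name>
</login-config>

<!-- Declare every role the constraints refer to. -->
<security-role><role-name>user</role-name></security-role>
<security-role><role-name>manage</role-name></security-role>
<security-role><role-name>admin</role-name></security-role>
```

A quick check after restarting the webapp: log in as "user" and request a page under /secure/; the expected result is a 403 from Tomcat rather than the page. Logging in as hillary or susan should open both areas with a single popup, because the browser resends the BASIC credentials on every request and both accounts carry the "user" role as well as their restricted one.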