I want a certain role to be protected with a username/pw in some environments, but not require even a prompt in others. If I have an auth-constraint in a Tomcat web.xml, can I create a user with the role needed that is 'anonymous' access?

A: 

In your tomcat-users.xml file (%TOMCAT_HOME%/conf) add in your 'anonymous' role there. Then you can use the auth-constraint to secure your application.

Your tomcat-users.xml will look something like this (this is v5.5):

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <role rolename="anonymous"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="role1" password="tomcat" roles="role1"/>
  <user username="myUser" password="myPassword" roles="anonymous"/>
</tomcat-users>

The user will then need to enter myUser/myPassword to access the application.

Sean
Sorry, I guess I worded my question poorly. I want the user to not get a prompt, but I still want to have the auth constraint so when I put the webapp in certain Tomcats, it will have that role with users that are not anonymous.
yincrash
If I understand you correctly now, you have 1 application which you will want to put onto 2+ environments. Let's call them Dev and Prod. In Dev, you don't care about the security constraints and will let anyone access the application. In Prod you will require certain credentials to access the application. Is this correct?
Sean
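The answer mentions the auth-constraint in web.xml without showing it. The fragment below is an added example, not part of the original answer or comments, of a Servlet 2.4 (Tomcat 5.5) web.xml that ties the 'anonymous' role from the tomcat-users.xml above to a protected URL space. The `/*` URL pattern, the BASIC auth method, and the resource and realm names are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: WEB-INF/web.xml for a Servlet 2.4 container (Tomcat 5.5). -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Requests matching the URL pattern require an authenticated user
       that holds one of the roles listed in auth-constraint. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name> <!-- assumed name -->
      <url-pattern>/*</url-pattern>                         <!-- assumed scope -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Must match a rolename defined in conf/tomcat-users.xml -->
      <role-name>anonymous</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- How the container asks for credentials; BASIC produces the browser prompt. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example realm</realm-name>                  <!-- assumed name -->
  </login-config>

  <!-- Every role referenced in an auth-constraint is declared here. -->
  <security-role>
    <role-name>anonymous</role-name>
  </security-role>
</web-app>
```

With this constraint in place the container challenges every matching request for credentials. Naming the role 'anonymous' does not by itself remove the prompt; the user still has to log in as an account that holds that role.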