Tomcat 7 - Multiple security-constraints not working

Question

Running Tomcat 7, I am trying to configure the /conf/web.xml on the Tomcat server to secure some URLs with basic authentication and to provide some other URLs for public access.

The tomcat-users.xml contains following role and user:

<role rolename="test-ui"/>
<user username="paul" password="password" roles="test-ui"/>

I have added the following section to Tomcats /conf/web.xml

<security-constraint>
   <web-resource-collection>
     <web-resource-name>Public access</web-resource-name>
     <url-pattern>/docs/*</url-pattern>
   </web-resource-collection>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected access</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>test-ui</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <description>Protected access</description>
    <role-name>test-ui</role-name>
</security-role>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

So there are two 'security-constraint' elements, the public one does not contain the 'auth-constraint', which actually should mean, there is no authentication necessary.

When I open the URL http://localhost:8080

Tomcat asks for authentication. This is fine, however when I open the URL http://localhost:8080/docs/

Tomcat also asks for authentication and for my understanding this is configured as a "non secure" URL - so public acccess, but it does not behave like this.

What did I wrong in the configuration or is this scenario not supposed to work like this?

Thanks. Paul

Answer 1

If an security-constraint does not exists, the Container MUST allow unauthenticated access for these URL. security-constraint is optional.

Answer 2

You need the <auth-constraint> node in the <security-constraint>, even it is empty e.g. <auth-constraint/>