I have 2 roles.

One is the admin role, which can see all pages.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin Pages</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

The other is the it role, which can see IT pages.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>IT Pages</web-resource-name>
        <url-pattern>/it/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>it</role-name>
    </auth-constraint>
</security-constraint>

Here I have a page that admin and it must access, but only if the user has both roles, admin and it, and not only one of them.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin and it Pages</web-resource-name>
        <url-pattern>/other/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
        <role-name>it</role-name>
    </auth-constraint>
</security-constraint>

But the actual behavior of the previous <security-constraint> is that either the admin or the it role can access this page.

How can I require that the user be assigned both roles, admin and it, in order to access this page, and not only one of them?

BalusC
bob-cac

1 Answer

This is not possible. Roles don't work that way. You seem to have the meaning of roles backwards. It's perhaps easier to think of roles as permissions.

Just create a new role.

BalusC
  • I know that it's just creating a new role, but I am trying to see if this thing can be applied in web.xml – bob-cac Apr 06 '16 at 06:08