Per the Java Servlet Spec, you need to define the dude
role as a security role. To do this, add the <security-role>
element to your web.xml
, as shown below:
<servlet>
<!-- ... -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>dude</role-name>
</auth-constraint>
<!-- ... -->
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>dude</role-name>
</security-role>
This would allow GET
/POST
requests to any user having the dude
role.
I'll suggest you don't include the <http-method>
elements as they don't work as you might expect. Including this element for GET
and POST
means that the security constrain applies only to these two methods; any other method is allowed. Here is what the Servlet Spec says:
The sub-element web-resource-collection identifies a subset of the resources and HTTP methods on those resources within a Web application to which a security constraint applies.
See this reference for details.