<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1" password="tomcat" roles="role1" />
  <user name="both" password="tomcat" roles="tomcat,role1" />
  <user name="john" password="jjj" roles="employee" />
  <user name="mary" password="mmm" roles="employee" />
  <user name="bob" password="bbb" roles="employee, supervisor" />
</tomcat-users>

The following is the web.xml snippet showing the security constraint that allows only a supervisor to send a POST request:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>declarativetest</web-resource-name>
    <url-pattern>/servlet/DeclarativeSecureServlet</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>supervisor</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

To make a POST request, submit the form present on this page.
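
Because the constraint above names only POST, requests to the same URL with any other HTTP method are not covered by it, and NONE places no requirement on the transport. The following web.xml fragment is an added example, not part of the original page: it keeps the supervisor-only POST rule, requires TLS for it, and denies every method other than GET and POST. It assumes a Servlet 3.0 or later container (for http-method-omission) and an HTTPS connector configured in Tomcat; the second web-resource-name is a hypothetical label.

```xml
<!-- Added example, not from the original page.
     Assumes Servlet 3.0+ and an HTTPS connector in Tomcat. -->

<!-- 1. The page's rule with a stricter transport guarantee: POST is limited
        to the supervisor role and must arrive over TLS, so the login
        credentials and form data are not sent in clear text. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>declarativetest</web-resource-name>
    <url-pattern>/servlet/DeclarativeSecureServlet</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>supervisor</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- 2. Every method except GET and POST (PUT, DELETE, HEAD, ...).
        An empty auth-constraint allows no role at all, so the container
        rejects these requests. GET stays open to all users, as before. -->
<security-constraint>
  <web-resource-collection>
    <!-- hypothetical name chosen for this example -->
    <web-resource-name>declarativetest-other-methods</web-resource-name>
    <url-pattern>/servlet/DeclarativeSecureServlet</url-pattern>
    <http-method-omission>GET</http-method-omission>
    <http-method-omission>POST</http-method-omission>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

With CONFIDENTIAL, Tomcat redirects a plain-HTTP request to the connector's redirectPort, but the first request has already crossed the network unencrypted. Serve the form page itself over HTTPS so that the POST starts on a TLS connection.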