The goal was to allow anyone to list or search swagItems but make them log in to add/edit/delete them. Here's the XML I had to add:
<security-constraint>
    <web-resource-collection>
        <url-pattern>/swag/delete/*</url-pattern>
        <url-pattern>/swag/add/*</url-pattern>
        <url-pattern>/swag/edit/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
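To check which request paths this constraint actually covers, the following added example (not code from the original post) parses the fragment and applies the servlet url-pattern matching rules to a few constructed paths. The helper names and the `/swag/list` and `/swag/search` paths are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The constraint from the post, embedded so the check runs offline.
WEB_XML_FRAGMENT = """
<security-constraint>
  <web-resource-collection>
    <url-pattern>/swag/delete/*</url-pattern>
    <url-pattern>/swag/add/*</url-pattern>
    <url-pattern>/swag/edit/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
"""

def protected_patterns(fragment):
    """Return the url-patterns of every constraint that has an auth-constraint."""
    root = ET.fromstring("<web-app>" + fragment + "</web-app>")
    patterns = []
    for constraint in root.iter("security-constraint"):
        if constraint.find("auth-constraint") is None:
            continue  # no auth-constraint means the resources stay public
        patterns += [p.text.strip() for p in constraint.iter("url-pattern")]
    return patterns

def matches(pattern, path):
    """Servlet url-pattern matching: prefix (/x/*), extension (*.x), default (/), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    if pattern == "/":
        return True
    return path == pattern  # exact match, case-sensitive

def requires_login(path, fragment=WEB_XML_FRAGMENT):
    return any(matches(p, path) for p in protected_patterns(fragment))

# Constructed request paths; /swag/list and /swag/search are assumed names
# for the public list and search pages.
SAMPLE_PATHS = ["/swag/list", "/swag/search", "/swag/add", "/swag/edit/42",
                "/swag/delete/42", "/swag/deleteAll", "/swag/Delete/42"]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path:<18} {'login required' if requires_login(path) else 'public'}")
```

Because the constraint lists no `<http-method>` element, it applies to every HTTP method on the matched paths; any handler mapped outside the three prefixes, such as the constructed `/swag/deleteAll`, is not covered.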
The next step will be to save user profiles in the DB, save owner information when a SwagItem is uploaded, and only allow the owner to edit or delete his own items. Admins can do anything.