guest

Reputation: 1746

Multiple security realms

I tried having multiple security realms in my application, but I get an exception during deployment:

Message: Multiple login-config elements detected

web.xml fragment:

....
<security-constraint>
    <display-name>Admin Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Admin Pages</web-resource-name>
        <description/>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ApplicationRealm</realm-name>
</login-config>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>mb-domain</realm-name>
</login-config>
<security-role>
    <description/>
    <role-name>admin</role-name>
</security-role>
<security-role>
    <description/>
    <role-name>user</role-name>
</security-role>
...

What am I doing wrong?

Upvotes: 1

Views: 2292

Answers (1)

Uux

Reputation: 1218

Only one <login-config> can be used per web module deployment descriptor.

According to §14.2 of the Servlet Specification v. 3.1:

Rules for Processing the Deployment Descriptor

[...]

  • The sub elements under web-app can be in an arbitrary order in this version of the specification. Because of the restriction of XML Schema, The multiplicity of the elements distributable, session-config, welcome-file-list, jsp-config, login-config, and locale-encoding-mapping-list was changed from “optional” to “0 or more”. The containers must inform the developer with a descriptive error message when the deployment descriptor contains more than one element of session-config, jsp-config, and login-config.

Alternatives:

  • Use programmatic authentication (based on either JASPIC or whatever facilities your Java EE / Servlet implementation offers).
  • Use EAR packaging (if a single authentication strategy per module is acceptable).
  • Drop container-managed authentication.

Upvotes: 5
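
A pre-deployment check for the condition this answer describes, as an added example that is not part of the original answer or of any container's code: it parses a web.xml and reports any of the three elements named in the quoted §14.2 rule that occur more than once. The function names and the sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Elements that the quoted section 14.2 rule allows at most once per descriptor.
SINGLE_INSTANCE = ("session-config", "jsp-config", "login-config")


def local_name(tag):
    """Drop the '{namespace-uri}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def describe(element):
    """Summarise an element's non-empty children as 'name=value' pairs."""
    pairs = [f"{local_name(c.tag)}={c.text.strip()}"
             for c in element if c.text and c.text.strip()]
    return ", ".join(pairs) or "(empty)"


def find_duplicates(web_xml_text):
    """Map each over-used element name to summaries of its occurrences."""
    root = ET.fromstring(web_xml_text)
    if local_name(root.tag) != "web-app":
        raise ValueError("root element is not <web-app>")
    seen = {}
    for child in root:  # only direct children of <web-app> count
        name = local_name(child.tag)
        if name in SINGLE_INSTANCE:
            seen.setdefault(name, []).append(describe(child))
    return {name: found for name, found in seen.items() if len(found) > 1}


# Constructed sample: the question's two <login-config> elements in a minimal
# <web-app> root (the rest of the descriptor is omitted).
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ApplicationRealm</realm-name>
    </login-config>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>mb-domain</realm-name>
    </login-config>
</web-app>"""

if __name__ == "__main__":
    for name, found in find_duplicates(SAMPLE).items():
        print(f"{name}: {len(found)} occurrences, expected at most 1")
        for summary in found:
            print(f"  - {summary}")
```

Run against each module's WEB-INF/web.xml in a build step, the check surfaces the duplicate before the container rejects the deployment.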
