geronimo-dev mailing list archives

From Jian Liao <norwaywo...@gmail.com>
Subject JACC permission check issue
Date Tue, 06 Dec 2005 11:10:50 GMT
Hi all,

I defined two security constraints in web.xml as follows:

  <!-- Protect LogInRedirectory.jsp.  This will require a login when called -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/redirector</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>

  <!--  securing the ManagerServlet -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager</web-resource-name>
      <url-pattern>/manager/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

It will create a WebResourcePermission instance with
"/:/login/redirector:/manager/*" as its name and its URLPatternSpec
instance's pattern. This WebResourcePermission instance will be contained
by PolicyConfigurationGeneric.unchecked.

After the successful login, a sendRedirect("/login/redirector") occurred.
A WebResourcePermission instance will be created like this: "new
WebResourcePermission(request)" in class TomcatGeronimoRealm, line 200. So the
WebResourcePermission instance will use "/login/redirector" to construct its
URLPatternSpec, then the URLPatternSpec constructor will initialize its "first"
member variable with "/login/redirector". Is that what it expects? (See lines
45 - 46 in URLPatternSpec.java)

Finally, I will fail on line 128 of URLPatternSpec.java, because the
URLPattern instance in qualifiers will match the "URLPatternSpec.first"
which was constructed above.

Could someone tell me how I should configure my security-constraint, or is that a
bug?

- Jian Liao
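
The check the message walks through, as an added example that is not part of the original message and is not Geronimo's URLPatternSpec.java: a simplified restatement of the URLPatternSpec implication rules from the JACC specification, applied to the permission name and request path quoted above. The class and method names are hypothetical; only the two strings taken from the message are the poster's.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration (hypothetical class): simplified JACC URLPatternSpec
// implication, covering exact, path-prefix, extension and default patterns.
public class JaccSpecDemo {
    // True when URL pattern p matches pattern (or request path) q.
    static boolean matches(String p, String q) {
        if (p.equals(q) || p.equals("/")) return true;      // exact match, or default pattern
        if (p.endsWith("/*")) {                              // path-prefix pattern
            String prefix = p.substring(0, p.length() - 2);
            return q.equals(prefix) || q.startsWith(prefix + "/");
        }
        if (p.startsWith("*.")) return q.endsWith(p.substring(1)); // extension pattern
        return false;
    }

    // True when the permission named thisSpec implies the one named argSpec.
    // A spec is "first[:qualifier[:qualifier...]]"; qualifiers are exclusions.
    static boolean implies(String thisSpec, String argSpec) {
        String[] t = thisSpec.split(":");
        String[] a = argSpec.split(":");
        List<String> tq = Arrays.asList(t).subList(1, t.length);
        List<String> aq = Arrays.asList(a).subList(1, a.length);
        if (!matches(t[0], a[0])) return false;              // first pattern must cover the argument
        for (String q : tq)
            if (matches(q, a[0])) return false;              // argument falls in an excluded region
        if (matches(a[0], t[0])) {                           // same first pattern: exclusions must carry over
            for (String q : tq) {
                boolean covered = false;
                for (String x : aq) covered |= matches(x, q);
                if (!covered) return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String unchecked = "/:/login/redirector:/manager/*"; // permission name from the message
        String request = "/login/redirector";                // path used for the request permission
        // The request path is one of the unchecked permission's own qualifiers.
        System.out.println("unchecked implies request: " + implies(unchecked, request));
        // Constructed comparison: a permission named exactly for the constrained path.
        System.out.println("exact-path permission implies request: " + implies("/login/redirector", request));
        // Constructed comparison: a path outside both constraints.
        System.out.println("unchecked implies /index.html: " + implies(unchecked, "/index.html"));
    }
}
```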
