geronimo-dev mailing list archives

From David Jencks <>
Subject Re: A special case for Translating security-constraint Elements to WebResourcePermission
Date Sat, 14 Jan 2006 18:53:40 GMT

On Jan 13, 2006, at 8:18 AM, Jian Liao wrote:

> Hi all,
> I am working on integrating Jetspeed 2 with Geronimo (Tomcat
> container). I have the following configuration in my j2 main web.xml.
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Login</web-resource-name>
>     <url-pattern>/login/redirector</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>*</role-name>
>   </auth-constraint>
> </security-constraint>
> But there is no role defined in this web.xml.
> Should a WebResourcePermission("/login/redirector",
> "GET,POST,PUT,DELETE,HEAD,OPTIONS,TRACE") be added to the unchecked
> policy statements?
> I think this special case is equal to "A WebResourcePermission
> must be added to the unchecked policy statements for each distinct
> url-pattern occurring in the security-constraint elements that do
> not contain an auth-constraint."
> I did read the JACC spec SRV. and the Servlet 2.4 spec SRV.12.8 and
> found nothing about this case (correct me if I am wrong). When I run
> this configuration on Tomcat 5.5.12, everything is ok: Tomcat treats
> * as allRole even when there is no role defined in web.xml, and
> hasResourcePermission() always returns true. But when I run this
> with Geronimo SVN head, it always returns false.
> Any help would be appreciated!

I'm pretty sure our behavior is correct.  The paragraph previous to  
the one you quote says:

When an auth-constraint names the reserved role-name, "*", all of the  
patterns in the containing security-constraint must be combined with  
all of the roles defined in the web application.

Therefore, I think that if there are no roles defined in the web  
application, you have effectively made this an excluded resource.  I  
think if Tomcat standalone has different behavior, it is wrong.

david jencks

> - Jian Liao
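A small model of the three translation rules discussed in this thread (no auth-constraint, explicit role names, and the reserved "*" role), added here as an illustration; it is not Geronimo's, Tomcat's or the JACC reference code, and the dict-based constraint format and the function names are assumptions. It omits the spec's method-complement and default "/" rules, and shows why "*" with no declared roles leaves nothing that grants the resource, so a policy check fails closed:

```python
# Added model of Servlet 2.4 SRV.12.8 / JACC constraint translation (assumed
# data format; not the project's own code). Each constraint is a dict:
#   {"patterns": [...], "methods": "GET,POST" or None, "roles": [...] or None}
# roles None  -> no <auth-constraint> element
# roles []    -> empty <auth-constraint> (excluded)
# roles ["*"] -> reserved role-name, expanded to all declared <security-role>s
ALL_METHODS = "GET,POST,PUT,DELETE,HEAD,OPTIONS,TRACE"


def translate(constraints, declared_roles):
    """Return (unchecked, excluded, per_role); permissions are (pattern, methods)."""
    unchecked, excluded = set(), set()
    per_role = {r: set() for r in declared_roles}
    for sc in constraints:
        methods = sc.get("methods") or ALL_METHODS
        roles = sc.get("roles")
        for pattern in sc["patterns"]:
            perm = (pattern, methods)
            if roles is None:
                unchecked.add(perm)              # no auth-constraint: unchecked
            elif len(roles) == 0:
                excluded.add(perm)               # empty auth-constraint: excluded
            else:
                # "*" combines the pattern with every role declared in web.xml;
                # with no declared roles this yields no grants at all.
                names = set(declared_roles) if "*" in roles else set(roles)
                for r in names:
                    per_role.setdefault(r, set()).add(perm)
    return unchecked, excluded, per_role


def has_resource_permission(result, pattern, method, user_roles):
    """Policy check: excluded wins, then unchecked, then the caller's roles."""
    unchecked, excluded, per_role = result

    def grants(perms):
        return any(p == pattern and method in m.split(",") for p, m in perms)

    if grants(excluded):
        return False
    if grants(unchecked):
        return True
    return any(grants(per_role.get(r, set())) for r in user_roles)


# The thread's case (constructed from the quoted web.xml): "*" with no roles.
THREAD_CONSTRAINTS = [{"patterns": ["/login/redirector"], "roles": ["*"]}]


def thread_case_allowed(declared_roles, user_roles):
    result = translate(THREAD_CONSTRAINTS, declared_roles)
    return has_resource_permission(result, "/login/redirector", "GET", user_roles)
```

Declaring at least one `<security-role>` (or dropping the auth-constraint to make the pattern unchecked) is what changes the outcome, matching the reasoning in the reply above.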
