Hi all,
I am working on integrating Jetspeed 2 with Geronimo (Tomcat container). I
have the following configuration in my j2 main web.xml
<http://svn.apache.org/repos/asf/portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml>.

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Login</web-resource-name>
        <url-pattern>/login/redirector</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>

But there is no role defined in this web.xml.
Should a WebResourcePermission("/login/redirector",
"GET,POST,PUT,DELETE,HEAD,OPTIONS,TRACE") be added to the unchecked policy
statements?
I think this special case is equal to "A WebResourcePermission must be
added to the unchecked policy statements for each distinct url-pattern
occurring in the security-constraint elements that do not contain an
auth-constraint."
I did read JACC spec SRV. 3.1.3.1 and Servlet 2.4 spec SRV.12.8 and found
nothing about this case (correct me if I am wrong). When I run this
configuration on Tomcat 5.5.12, everything is OK: Tomcat treats * as allRole
even though there is no role defined in web.xml, and hasResourcePermission()
always returns true. But when I run this with Geronimo SVN head, it always
returns false.
Any help would be appreciated!
- Jian Liao
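
A simplified model of the translation being asked about, as an added example that is not part of the original post and is not Geronimo or Tomcat code. It assumes the JACC rule that an auth-constraint naming `*` is combined only with the roles the web application declares, so with no declared roles the pattern ends up in no policy statement at all. The class and method names and the `admin`/`user` roles are hypothetical.

```java
import java.util.*;

// Simplified model (an assumption, not container code) of how one
// <security-constraint> is translated into JACC policy statements.
public class StarRoleTranslation {

    // authRoles == null   : no <auth-constraint> element       -> unchecked
    // authRoles.isEmpty() : <auth-constraint> naming no roles   -> excluded
    // otherwise           : one statement per named role, with "*" expanded
    //                       to the roles declared via <security-role>
    static Map<String, Set<String>> translate(String urlPattern,
                                              List<String> authRoles,
                                              Set<String> declaredRoles) {
        Map<String, Set<String>> policy = new TreeMap<>();
        if (authRoles == null) {
            policy.computeIfAbsent("unchecked", k -> new TreeSet<>()).add(urlPattern);
            return policy;
        }
        if (authRoles.isEmpty()) {
            policy.computeIfAbsent("excluded", k -> new TreeSet<>()).add(urlPattern);
            return policy;
        }
        Set<String> expanded = new TreeSet<>();
        for (String role : authRoles) {
            if ("*".equals(role)) {
                expanded.addAll(declaredRoles); // adds nothing when no roles are declared
            } else {
                expanded.add(role);
            }
        }
        for (String role : expanded) {
            policy.computeIfAbsent("role:" + role, k -> new TreeSet<>()).add(urlPattern);
        }
        return policy;
    }

    public static void main(String[] args) {
        String url = "/login/redirector";
        List<String> star = List.of("*");
        // Constructed input 1: the constraint as posted, no <security-role> declared.
        System.out.println("no roles declared : " + translate(url, star, Set.of()));
        // Constructed input 2: same constraint, hypothetical roles declared.
        System.out.println("roles declared    : " + translate(url, star, Set.of("admin", "user")));
        // Constructed input 3: constraint with no <auth-constraint> element.
        System.out.println("no auth-constraint: " + translate(url, null, Set.of()));
    }
}
```

Under this model an empty result for the first input means no policy statement grants access to the pattern, while Tomcat's allRole handling described in the post does not depend on declared roles.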