geronimo-dev mailing list archives

From Jian Liao <norwaywo...@gmail.com>
Subject A special case for Translating security-constraint Elements to WebResourcePermission
Date Fri, 13 Jan 2006 16:18:49 GMT
Hi all,
I am working on integrating Jetspeed 2 with Geronimo (Tomcat container). I
have the following configuration in my j2 main web.xml
<http://svn.apache.org/repos/asf/portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml>.

<security-constraint>
   <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/redirector</url-pattern>
   </web-resource-collection>
   <auth-constraint>
      <role-name>*</role-name>
   </auth-constraint>
</security-constraint>

But there is no role defined in this web.xml.

Should a WebResourcePermission("/login/redirector",
"GET,POST,PUT,DELETE,HEAD,OPTIONS,TRACE") be added to the unchecked policy
statements?
I think this special case is equal to "A WebResourcePermission must be
added to the unchecked policy statements for each distinct url-pattern
occurring in the security-constraint elements that do not contain an
auth-constraint."

I did read JACC spec SRV. 3.1.3.1 and Servlet 2.4 spec SRV.12.8 and found
nothing about this case (correct me if I am wrong). When I run this
configuration on Tomcat 5.5.12, everything is OK: Tomcat treats * as allRole
even though there is no role defined in web.xml, and hasResourcePermission()
always returns true. But when I run this with Geronimo SVN head, it always
returns false.

Any help would be appreciated!

- Jian Liao
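
The case raised in the message above, as an added example (not code from the message, Tomcat or Geronimo): a descriptor check that classifies each url-pattern under two readings of "*". The strict reading follows Servlet 2.4's definition of "*" as shorthand for the role names in the deployment descriptor; the lenient reading, the function names and the bucket labels are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the message; no <security-role> is declared.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login</web-resource-name>
      <url-pattern>/login/redirector</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _find(elem, name):
    """Descendants called `name`, ignoring any XML namespace prefix."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]


def _texts(elems):
    """Non-empty, whitespace-trimmed text values of the given elements."""
    return {(e.text or "").strip() for e in elems} - {""}


def classify_constraints(web_xml, star_means_any_role=False):
    """Map each url-pattern to (bucket, roles).

    bucket: 'unchecked' = no auth-constraint, 'excluded' = auth-constraint
    that resolves to no roles, 'role' = access tied to the listed roles.
    Assumption: with star_means_any_role=False, '*' expands only to the
    declared security-role names; with True it is kept as a wildcard.
    http-method and overlapping constraints are not modelled.
    """
    root = ET.fromstring(web_xml)
    declared = set()
    for sr in _find(root, "security-role"):
        declared |= _texts(_find(sr, "role-name"))
    result = {}
    for sc in _find(root, "security-constraint"):
        auth = _find(sc, "auth-constraint")
        if not auth:
            bucket, roles = "unchecked", []
        else:
            roles = _texts(_find(auth[0], "role-name"))
            if "*" in roles and not star_means_any_role:
                roles = (roles - {"*"}) | declared
            roles = sorted(roles)
            bucket = "role" if roles else "excluded"
        for pattern in _texts(_find(sc, "url-pattern")):
            result[pattern] = (bucket, roles)
    return result
```

Running both readings over a descriptor before deployment shows which url-patterns change bucket between them, which is where containers can disagree on access.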
