geronimo-dev mailing list archives

From "Vamsavardhana Reddy (JIRA)" <...@geronimo.apache.org>
Subject [jira] Created: (GERONIMO-2339) Empty auth-constraint tag in web app security-constraint does not prevent access to resource
Date Tue, 22 Aug 2006 09:49:18 GMT
Empty auth-constraint tag in web app security-constraint does not prevent access to resource
--------------------------------------------------------------------------------------------

                 Key: GERONIMO-2339
                 URL: http://issues.apache.org/jira/browse/GERONIMO-2339
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: security, Tomcat
    Affects Versions: 1.1.1
         Environment: Geronimo Tomcat 1.1.1
            Reporter: Vamsavardhana Reddy
             Fix For: 1.1.2, 1.2


I have the following security constraint in web.xml

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>No Access</web-resource-name>
        <url-pattern>/forbidden/*</url-pattern>
      </web-resource-collection>
      <auth-constraint/>
    </security-constraint>

This means /forbidden/* is not accessible by any user.  The permission works fine if the application
is deployed in the Geronimo Jetty distribution.

If the application is deployed in the Geronimo Tomcat distribution, URLs /forbidden/* are accessible
by all users.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
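
A deployment check for the constraint in this report, added here as an example (it is not code from the report or from Geronimo): it reads a web.xml and lists the URL patterns whose auth-constraint is empty, which the servlet specification treats as "no access for anyone". The function names are hypothetical, the sample descriptor is constructed around the reporter's constraint, and http-method elements are ignored as a simplification.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the first constraint is the one quoted in the report.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>No Access</web-resource-name>
      <url-pattern>/forbidden/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _children(elem, name):
    # Compare local names so the check works with or without the J2EE namespace.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def classify_constraints(web_xml_text):
    """Map each url-pattern to 'deny-all', 'unchecked' or a sorted list of roles."""
    seen = {}  # url-pattern -> one entry per constraint: None (no auth-constraint) or a role set
    for sc in _children(ET.fromstring(web_xml_text), "security-constraint"):
        auth = _children(sc, "auth-constraint")
        roles = {(r.text or "").strip() for a in auth for r in _children(a, "role-name")} if auth else None
        for wrc in _children(sc, "web-resource-collection"):
            for pat in _children(wrc, "url-pattern"):
                seen.setdefault((pat.text or "").strip(), []).append(roles)
    result = {}
    for pattern, entries in seen.items():
        if any(e is not None and not e for e in entries):
            result[pattern] = "deny-all"      # an empty auth-constraint overrides the rest
        elif any(e is None for e in entries):
            result[pattern] = "unchecked"     # no auth-constraint: no authentication required
        else:
            result[pattern] = sorted(set().union(*entries))
    return result

def deny_all_patterns(web_xml_text):
    """URL patterns where every request should be refused, whoever the caller is."""
    return sorted(p for p, v in classify_constraints(web_xml_text).items() if v == "deny-all")
```

Requesting a path under each returned pattern after deployment, on every container the application ships on, shows whether that container enforces the descriptor the way the report says Jetty does.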
