geronimo-dev mailing list archives

From "Aaron Mulder (JIRA)" <...@geronimo.apache.org>
Subject [jira] Created: (GERONIMO-2295) Web app security constraint ignored if url-pattern doesn't match servlet mapping exactly
Date Tue, 08 Aug 2006 01:09:13 GMT
Web app security constraint ignored if url-pattern doesn't match servlet mapping exactly
----------------------------------------------------------------------------------------

                 Key: GERONIMO-2295
                 URL: http://issues.apache.org/jira/browse/GERONIMO-2295
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: security, web
    Affects Versions: 1.1
            Reporter: Aaron Mulder
            Priority: Blocker
             Fix For: 1.1.1


If you have the following in your web.xml:
{noformat}
    <servlet-mapping>
        <servlet-name>SecureServlet</servlet-name>
        <url-pattern>/secure/*</url-pattern>
    </servlet-mapping>
    <login-config>
      ...
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Security Test</web-resource-name>
            <url-pattern>/secure/adminonly</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>administrator</role-name>
        </auth-constraint>
    </security-constraint>
{noformat}
Then the page /secure/adminonly is in fact completely unprotected -- a user who's not logged in can see it!
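As an added illustration (not part of the report or of Geronimo's own code): a small Python check of the behaviour the report expects, namely that deciding whether a security-constraint covers a request consults only the constraint's own url-pattern and http-method list, never the servlet-mapping. The web.xml string is constructed from the descriptor above; the matching rules are the servlet-spec ones (exact, path prefix, extension, default, with the most specific match winning).

```python
import xml.etree.ElementTree as ET

# Constructed web.xml reproducing the report's descriptor (login-config omitted: it plays no part in matching).
WEB_XML = """<web-app>
  <servlet-mapping>
    <servlet-name>SecureServlet</servlet-name>
    <url-pattern>/secure/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/secure/adminonly</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def match_rank(pattern, path):
    """Servlet-spec url-pattern match as a (kind, length) rank so the most specific
    pattern wins (exact > longest prefix > extension > default); None if no match."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return (2, len(prefix)) if path == prefix or path.startswith(prefix + "/") else None
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def required_roles(web_xml, path, method):
    """Roles required by the best-matching security-constraint: None = unconstrained,
    empty set = denied to everyone. The servlet-mapping is deliberately never consulted."""
    best = None
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        roles = {r.text for r in sc.findall("auth-constraint/role-name")} if sc.find("auth-constraint") is not None else None
        for wrc in sc.findall("web-resource-collection"):
            methods = {m.text for m in wrc.findall("http-method")}
            if methods and method not in methods:  # no http-method listed means every method
                continue
            for p in wrc.findall("url-pattern"):
                rank = match_rank(p.text, path)
                if rank is not None and (best is None or rank > best[0]):
                    best = (rank, roles)
    return None if best is None else best[1]
```

With this descriptor, a GET or POST to /secure/adminonly requires the administrator role even though the servlet is mapped at /secure/*, while a DELETE (not listed) and a sibling path such as /secure/other are left unconstrained by this particular constraint.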
