Return-Path: 
 <dev-return-41903-apmail-geronimo-dev-archive=geronimo.apache.org@geronimo.apache.org>
Delivered-To: apmail-geronimo-dev-archive@www.apache.org
Received: (qmail 86784 invoked from network); 27 Nov 2006 06:48:01 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 27 Nov 2006 06:48:01 -0000
Received: (qmail 22809 invoked by uid 500); 27 Nov 2006 06:48:01 -0000
Delivered-To: apmail-geronimo-dev-archive@geronimo.apache.org
Received: (qmail 22763 invoked by uid 500); 27 Nov 2006 06:48:00 -0000
Mailing-List: contact dev-help@geronimo.apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:dev-help@geronimo.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@geronimo.apache.org>
List-Post: <mailto:dev@geronimo.apache.org>
Reply-To: dev@geronimo.apache.org
List-Id: <dev.geronimo.apache.org>
Delivered-To: mailing list dev@geronimo.apache.org
Received: (qmail 22718 invoked by uid 99); 27 Nov 2006 06:48:00 -0000
Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 26 Nov 2006 22:48:00 -0800
X-ASF-Spam-Status: No, hits=0.0 required=10.0
	tests=
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO brutus.apache.org) (140.211.11.4)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 26 Nov 2006 22:47:49 -0800
Received: from brutus (localhost [127.0.0.1])
	by brutus.apache.org (Postfix) with ESMTP id BB3B97142F8
	for <dev@geronimo.apache.org>; Sun, 26 Nov 2006 22:47:23 -0800 (PST)
Message-ID: <6794170.1164610043764.JavaMail.jira@brutus>
Date: Sun, 26 Nov 2006 22:47:23 -0800 (PST)
From: "Vamsavardhana Reddy (JIRA)" <jira@apache.org>
To: dev@geronimo.apache.org
Subject: [jira] Closed: (GERONIMO-2295) Web app security constraint ignored
 if url-pattern doesn't match servlet mapping exactly
In-Reply-To: <22555206.1154999353865.JavaMail.jira@brutus>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org

     [ http://issues.apache.org/jira/browse/GERONIMO-2295?page=all ]

Vamsavardhana Reddy closed GERONIMO-2295.
-----------------------------------------


> Web app security constraint ignored if url-pattern doesn't match servlet mapping exactly
> ----------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-2295
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2295
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: web, security
>    Affects Versions: 1.1
>            Reporter: Aaron Mulder
>         Assigned To: Alan Cabrera
>            Priority: Blocker
>             Fix For: 1.1.1, 1.2
>
>         Attachments: SecurityTest.war
>
>
> If you have the following in your web.xml:
> {noformat}
>     <servlet-mapping>
>         <servlet-name>SecureServlet</servlet-name>
>         <url-pattern>/secure/*</url-pattern>
>     </servlet-mapping>
>     <login-config>
>       ...
>     </login-config>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>Security Test</web-resource-name>
>             <url-pattern>/secure/adminonly</url-pattern>
>             <http-method>GET</http-method>
>             <http-method>POST</http-method>
>             <http-method>PUT</http-method>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>administrator</role-name>
>         </auth-constraint>
>     </security-constraint>
> {noformat}
> Then the page /secure/adminonly is in fact completely unprotected -- a user who's not logged in can see it!

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira