Return-Path: 
 <dev-return-42502-apmail-geronimo-dev-archive=geronimo.apache.org@geronimo.apache.org>
Delivered-To: apmail-geronimo-dev-archive@www.apache.org
Received: (qmail 36229 invoked from network); 7 Dec 2006 12:21:47 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 7 Dec 2006 12:21:47 -0000
Received: (qmail 78782 invoked by uid 500); 7 Dec 2006 12:21:52 -0000
Delivered-To: apmail-geronimo-dev-archive@geronimo.apache.org
Received: (qmail 78742 invoked by uid 500); 7 Dec 2006 12:21:52 -0000
Mailing-List: contact dev-help@geronimo.apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:dev-help@geronimo.apache.org>
list-unsubscribe: <mailto:dev-unsubscribe@geronimo.apache.org>
List-Post: <mailto:dev@geronimo.apache.org>
Reply-To: dev@geronimo.apache.org
List-Id: <dev.geronimo.apache.org>
Delivered-To: mailing list dev@geronimo.apache.org
Received: (qmail 78731 invoked by uid 99); 7 Dec 2006 12:21:52 -0000
Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 07 Dec 2006 04:21:52 -0800
X-ASF-Spam-Status: No, hits=0.0 required=10.0
	tests=
X-Spam-Check-By: apache.org
Received: from [140.211.11.4] (HELO brutus.apache.org) (140.211.11.4)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 07 Dec 2006 04:21:43 -0800
Received: from brutus (localhost [127.0.0.1])
	by brutus.apache.org (Postfix) with ESMTP id 7440C7142D7
	for <dev@geronimo.apache.org>; Thu,  7 Dec 2006 04:21:23 -0800 (PST)
Message-ID: <19631233.1165494083473.JavaMail.jira@brutus>
Date: Thu, 7 Dec 2006 04:21:23 -0800 (PST)
From: "Vamsavardhana Reddy (JIRA)" <jira@apache.org>
To: dev@geronimo.apache.org
Subject: [jira] Updated: (GERONIMO-2339) Empty auth-constraint tag in web
 app security-constraint does not prevent access to resource
In-Reply-To: <12979822.1156240158805.JavaMail.jira@brutus>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org

     [ http://issues.apache.org/jira/browse/GERONIMO-2339?page=all ]

Vamsavardhana Reddy updated GERONIMO-2339:
------------------------------------------

    Fix Version/s: 2.0

> Empty auth-constraint tag in web app security-constraint does not prevent access to resource
> --------------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-2339
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2339
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security, Tomcat
>    Affects Versions: 1.1.1
>         Environment: Geronimo Tomcat 1.1.1
>            Reporter: Vamsavardhana Reddy
>             Fix For: 1.2, 1.1.2, 2.0
>
>         Attachments: g2339.war
>
>
> I have the following security constraint in web.xml
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>No Access</web-resource-name>
>         <url-pattern>/forbidden/*</url-pattern>
>       </web-resource-collection>
>       <auth-constraint/>
>     </security-constraint>
> This means /forbidden/* is not accessible by any user.  The permission woks fine if the application is deployed in Geronimo Jetty distribution.
> If the application is deployed in Geronimo Tomcat distribution, URLs /forbidden/* are accessible by all users. 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira