tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <>
Subject [5] Authentication for Overlapping Constraints
Date Thu, 24 Jul 2003 04:39:00 GMT
Tomcat doesn't adhere to the (new) requirements in the 2.4 Servlet-Spec for
handling the case of Overlapping Constraints:
<spec-quote version="2.4 pfd3" section="12.8.1">
When a url-pattern and http-method pair occurs in multiple security
constraints, the
applicable constraints (on the pattern and method) are defined by combining
individual constraints.

I see two ways to address this, but can't pick a clear favorite (hence
asking for comments :).

1)  Add a method 'List getSecurityConstraints(HttpRequest req, Context ctx)'
to Realm, and have AuthenticatorBase loop through them.
2) Have RealmBase create it's own special SecurityConstraint that is the
intersection of all of the overlapping constraints, and leave
AuthenticatorBase alone.

Case 1 has the advantage of being relatively clean from a coding standpoint.
Case 2 would probably require adding a 'void intersect(SecurityContraint
sc)' method to the SecurityConstraint class to enable it to construct the
correct permissions (and this looks like it would be a non-trivial method to


View raw message