tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nam T. Nguyen" <ThanhNam.Ngu...@borland.com>
Subject RE: Bug in Combining Authorization Constraints
Date Mon, 21 Nov 2005 09:27:03 GMT
Replying to my own post.

Sorry, the attachment mysteriously disappeared. Anyway, the important
part is here

<security-constraint>
	<web-resource-collection>
		<web-resource-name>Index 1</web-resource-name>
		<url-pattern>/index.jsp</url-pattern>
	</web-resource-collection>
	<auth-constraint>
		<role-name>*</role-name>
	</auth-constraint>
</security-constraint>
<security-constraint>
	<web-resource-collection>
		<web-resource-name>Index 2</web-resource-name>
		<url-pattern>/index.jsp</url-pattern>
	</web-resource-collection>
</security-constraint>

Cheers
Nam

--
Random humorous quote: The only problem with mornings is that they
happen too early in the day.


Subject: Bug in Combining Authorization Constraints

Hi

I have two <security-constraint> elements in my deployment descriptor.

One has auth-constraint <role-name>*</role-name>, and the other does not
have any <auth-constraint>. They both have a same <url-pattern>.

By SRV.12.8.1 Combining Constraints:

<quote>
A security constraints that does not contain an authorization constraint
shall combine with authorization constraints that name or imply roles to
allow unauthenticated access.
</quote>

Applying to the attached .war file, my interpretation of this is access
to /index.jsp is accepted. However, Tomcat 5.5.12 returns status code
401 (Authorization Required).

Cheers
Nam

--
Random humorous quote: Work is the greatest thing in the world, so save
some for tomorrow.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message