tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: security constraints in tomcat 4.1.30
Date Fri, 03 Jun 2005 19:17:02 GMT
Angela Stempfel wrote:
> Hello all
> 
> I have a problem concerning Tomcat 4.1.30. In web.xml I defined several 
> security constraints. First of all I protected the whole application and 
> then I excluded the directories with images and css files. Furthermore I 
> defined some roles.

<snip>

> So my problem is that this works fine with Tomcat 5.0 but not with 
> Tomcat 4.1.30. If I go to the login page, the stylesheet and images are 
> not found when running the application with version 4.1.30. Also the 
> security constraints are not working correctly, which means that a user 
> that doesn't have the role "dslamConfig" is able to enter the following URL: 
> /DslamConfig/*
> 
> Does anyone have any ideas?

You need to read section SRV.12.8 of both the servlet 2.3 spec and the 
servlet 2.4 spec. The way constraints are handled has changed. For example,
<spec-quote version="2.3">
If the authorization constraint defines no roles, no user is allowed 
access to the portion of the web application defined by the security
constraint.
</spec-quote>

compared to

<spec-quote version="2.4">
If no authorization constraint applies to a request, the container must 
accept the request without requiring user authentication.
</spec-quote>

There is a fair amount of ambiguity in this area of the 2.3 spec, which 
is why it changed so much in 2.4.

You should also be aware of 
http://issues.apache.org/bugzilla/show_bug.cgi?id=15570

Mark
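The two spec quotes above differ on what a security-constraint with *no* auth-constraint means, and both agree that an auth-constraint naming *no* roles locks everyone out. The following is an added illustration, not code from this thread or from Tomcat: it parses a constructed web.xml (the role name dslamConfig and the /DslamConfig/* path come from the question; the /internal/* path and the static-file patterns are made up) and applies the servlet 2.4 rules as quoted, choosing the best-matching url-pattern, then combining every constraint declared on it: an empty auth-constraint denies all, a missing auth-constraint admits unauthenticated requests, otherwise the role names are unioned. Treating the role-name `*` as "any authenticated user" is a simplification of the spec's "all roles declared in web.xml".

```python
"""Model of the servlet 2.4 (SRV.12.8) security-constraint rules.

Added illustration for the thread above; not Tomcat source. WEB_XML is
constructed: the whole application is protected by role "dslamConfig", then
the images and css directories are excluded in the two ways the spec
distinguishes, plus a constructed /internal/* path that nobody may reach.
"""
import xml.etree.ElementTree as ET

J2EE = {"j2ee": "http://java.sun.com/xml/ns/j2ee"}

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>dslamConfig</role-name></auth-constraint>
  </security-constraint>
  <!-- No auth-constraint element: 2.4 says accept without authentication. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>static files</web-resource-name>
      <url-pattern>/images/*</url-pattern>
      <url-pattern>/css/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <!-- Empty auth-constraint: names no roles, so nobody gets in (2.3 and 2.4). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>internal (constructed path)</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


def parse_constraints(xml_text):
    """Return a list of (url_patterns, roles).

    roles is None when there is no <auth-constraint>, an empty frozenset for
    <auth-constraint/>, and a frozenset of role names otherwise.
    """
    constraints = []
    for sc in ET.fromstring(xml_text).findall("j2ee:security-constraint", J2EE):
        patterns = [p.text.strip() for p in
                    sc.findall("j2ee:web-resource-collection/j2ee:url-pattern", J2EE)]
        ac = sc.find("j2ee:auth-constraint", J2EE)   # "is None" test: empty Element is falsy
        roles = None if ac is None else frozenset(
            r.text.strip() for r in ac.findall("j2ee:role-name", J2EE))
        constraints.append((patterns, roles))
    return constraints


def match_key(pattern, path):
    """Sort key for how specifically a url-pattern matches path (SRV.11.1 order), or None."""
    if pattern == path:
        return (3, len(pattern))                     # exact match beats everything
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))                  # longest path prefix wins
    elif pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, len(pattern))                     # extension mapping
    elif pattern == "/":
        return (0, 0)                                # default servlet
    return None


def decide(constraints, path, user_roles=None):
    """'allow', 'deny' or 'authenticate' under the 2.4 combination rules.

    user_roles is None for an unauthenticated request.
    """
    best = None
    for patterns, _ in constraints:
        for p in patterns:
            key = match_key(p, path)
            if key is not None and (best is None or key > best[0]):
                best = (key, p)
    if best is None:
        return "allow"                               # no constraint applies at all
    applicable = [roles for patterns, roles in constraints if best[1] in patterns]
    if any(roles is not None and not roles for roles in applicable):
        return "deny"                                # <auth-constraint/> overrides all others
    if any(roles is None for roles in applicable):
        return "allow"                               # missing auth-constraint: unauthenticated OK
    required = frozenset().union(*applicable)        # otherwise union the role names
    if user_roles is None:
        return "authenticate"                        # container must challenge for credentials
    if "*" in required or required & set(user_roles):
        return "allow"
    return "deny"


def demo():
    """Run a few constructed requests and return {(path, who): verdict}."""
    constraints = parse_constraints(WEB_XML)
    checks = [("/css/site.css", None), ("/DslamConfig/index.jsp", None),
              ("/DslamConfig/index.jsp", {"dslamConfig"}),
              ("/DslamConfig/index.jsp", {"viewer"}),
              ("/internal/run.jsp", {"dslamConfig"})]
    return {(path, "anonymous" if r is None else ",".join(sorted(r))):
            decide(constraints, path, r) for path, r in checks}


if __name__ == "__main__":
    for (path, who), verdict in demo().items():
        print(f"{path:26} {who:14} -> {verdict}")
```

Run stand-alone, it prints one verdict per request; the stylesheet is served to an anonymous user because its best-matching pattern carries no auth-constraint, while /DslamConfig/* challenges anonymous users and refuses anyone without the dslamConfig role.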
